One-Time Password (OTP) view
Configure AppScan® to use OTP (a kind of multi-factor authentication, or MFA) when logging in.
If your application uses OTP, select one of the two options, otherwise leave the default setting: None.
- Only one OTP type (TOTP or URL-generated) is supported per scan.
- For TOTP only numerical values are supported.
- OTP is supported only when the Chromium browser is used to record the Login. It is not supported if Internet Explorer is used.
Option | Description |
---|---|
TOTP |
For time-based one-time passwords, you must provide AppScan
with:
Tip: The times on the
AppScan machine and the tested server must both be
accurate. |
URL-generated OTP |
If the OTP is accessible from a designated URL, you can
configure AppScan to extract it from the URL’s response. You
must provide AppScan with:
|
None |
OTP is not used by the site, or scanning those pages that use OTP is not required. |
Details | |
OTP HTTP-parameters |
If you have selected one of the OTP types, then when you record and validate the Recorded Login procedure, AppScan® will identify the OTP name or element ID from the traffic, and add it to the Automatic Form Fill list. It will also be shown here. If AppScan® fails to identify the parameter, or if you use Automatic Login, you must add the parameter here yourself. If there is more than one they must be comma separated. See section below for details. |
How to identify the OTP HTTP-parameter
AppScan needs to know the name of the parameter that contains the OTP (in order to be able to log in to the application), and usually identifies it when validating the Recorded Login procedure. If it fails to do so, or if you use Automatic Login, you must add the parameter yourself.
- Open a browser and go to your application's login page.
- Click F12 to open the developer tools pane of the browser (opens to the right of, or underneath, the main browser pane).
- Click on the Elements tab to view the HTML code.
When you select a part of the code, the element is highlighted in the main browser pane.
- Locate the element that highlights the OTP
field.Example:
<input type="text" name="OTPvalue" value="">
- The value of the name parameter, without the quotation marks, is the OTP
HTTP parameter you
need.Example:
OTPvalue
- If there is more than one OTP HTTP parameter, separate them with commas.