One-time password (OTP)

Configure AppScan® to use OTP (a kind of multi-factor authentication, or MFA) when logging in.

If your application uses OTP, select one of the two options, otherwise leave the default setting: None.

When you record the login procedure, AppScan will extract the relevant parameters from the traffic and add them to the OTP HTTP-parameters list. They will also be added to the OTP entry in Automatic Form Fill view. If AppScan fails to identify the parameters, you must add them yourself, either in this view or in Automatic Form Fill view.
Limitations:
  • Only one OTP type (TOTP or URL-generated) is supported per scan.
  • For TOTP only numerical values are supported.
  • OTP is supported only when the Chromium browser is used to record the Login. It is not supported if Internet Explorer is used.
  • When OTP is configured, Action-based must be the selected Login playback method in the Login playback. OTP will not work with Request-based login.
To see our short video demo, click the icon below:
Option Description

TOTP
For time-based one-time passwords, you must provide AppScan with:
  • Secret key
  • OTP length (number of digits)
  • Hash algorithm used (select from the dropdown)
  • Time step (in seconds)
Tip: The times on the AppScan machine and the tested server must both be accurate.

URL-generated OTP

If the OTP is accessible from a designated URL, you can configure AppScan to extract it from the URL’s response. You must provide AppScan with:
  • URL
  • Regular expression that will identify the OTP in the URL response.

None

OTP is not used by the site, or scanning those pages that use OTP is not required.
Advanced

OTP HTTP-parameters

If you have selected one of the OTP types, then when you record and validate the Recorded Login procedure, AppScan® will identify the OTP name or element ID from the traffic, and add it to the Automatic Form Fill list. It will also be shown here.

If AppScan® fails to identify the parameter, or if you use Automatic Login, you must add the parameter here yourself. If there is more than one they must be comma separated. See section below for details.

How to identify the OTP HTTP-parameter

AppScan needs to know the name of the parameter that contains the OTP (in order to be able to log in to the application), and usually identifies it when validating the Recorded Login procedure. If it fails to do so, or if you use Automatic Login, you must add the parameter yourself.

To identify the parameter:
  1. Open a browser and go to your application's login page.
  2. Click F12 to open the developer tools pane of the browser (opens to the right of, or underneath, the main browser pane).
  3. Click on the Elements tab to view the HTML code.

    When you select a part of the code, the element is highlighted in the main browser pane.

  4. Locate the element that highlights the OTP field.
    Example:
    <input type="text" name="OTPvalue" value="">
  5. The value of the name parameter, without the quotation marks, is the OTP HTTP parameter you need.
    Example:
    OTPvalue
  6. If there is more than one OTP HTTP parameter, click Add another to add additional fields as needed.