Login method

Define how AppScan logs in to your application and, if necessary, record the login procedure. AppScan can automatically detect login requests and fill in the username and password parameters. If your application has a non-standard login sequence of actions, you can record these actions for AppScan to use.

Configuration > Login management > Select login method.

Setting

Details

Select Login Method

Recorded (Recommended)

(Default method) Select this method to open the browser and record a login sequence (both HTTP requests and user actions are recorded). AppScan® will use this sequence whenever it needs to log in to the application.

Record login is used to record the sequence. Options are:
  • AppScan browser (default)
  • External browser (if installed)
  • External client:
    • Postman
    • SoapUI
    • Other
Note: In the case of Recorded and Automatic login, if the site or service uses one-time passwords (OTP), you must click the Configure OTP link and configure it before you record the login.

For web applications, see Record login with a browser

For web services, see Record login with an external client

Automatic

Select this method to let AppScan® automatically detect the login form of your application and use the username and password you supply. (This method can be less reliable than the Recorded Login method.)

Prompt

Select this method if login requires human interaction each time (such as Two-Factor Authentication, One-Time Passwords, or CAPTCHA).

Note that when you select this option:
  • You must record a login sequence. This is to provide AppScan® with an in-session page that it can later use to verify that it is logged-in. For details, see Record login with a browser
  • It is recommended that you disable the setting: Configuration > Test options > Send tests on logout pages; otherwise, you will receive too many login prompts.

None

Select this option if the application does not require users to log in.

Login Validation Status Indicator

Status indicator
Indicates the status of In-Session Detection:
  • Green: Enabled and configured. (An in-session page has been identified in the login sequence, either automatically or by the user.)
  • Yellow: Enabled but not fully configured.
  • Red: Enabled but configuration failed.
  • Gray: Disabled.

See Select Detection Pattern dialog box for details.

Import or Export Login Settings

Import

When you record a login sequence, it is saved as part of the scan. If you save the scan as a template, the login sequence is saved as part of the template.

To import a login sequence that was previously saved as a *.login file, click the Import button.

Export

To export the login sequence by itself for use in future scans, click the Export button. The sequence is saved as a *.login file.