10 Replies Latest reply on Aug 23, 2016 8:49 AM by Busby

    WAS Authentication 'Test' button?

    pejacoby Level 1

      I'm new to the WAS module, but I'm already frustrated by the lack of a "TEST" button for the Authentication setup.

      It would be very valuable to be able to immediately test my entries for Form, Server, or Selenium script authentication without having to run a Discovery scan. Having to do a scan to see if my form fields are named right or my password got typed wrong is tedious and time-consuming.

      That said, it would also be nice if there was one screen used to list and manage the various Authentication Records.

        • WAS Authentication 'Test' button?
          Axel Level 3

          Hi,

           

          We completely agree that an authentication test feature would definitely help anyone who just wants to check whether credentials are correct without having to launch a scan. This is in fact something that is already on our roadmap, but we have not been able to implement it yet because of the way our scanner appliances connect to our datacenter.

          I will discuss it again with our scan team to see if we can come to a working solution in the near future, but this is definitely something that we expect to have in the application.

          • Authentication Records List
            Axel Level 3

            Also, concerning the list of authentication records, this would be indeed a good addition.

             

            When we first implemented support for authentication records, we expected an authentication record to be tied to a web application, and it would then have been more logical to edit it from the latter. But feedback from customers indeed leads us to think that a dedicated list of authentication records would make managing them easier, and we have therefore added it to our roadmap for Q4 this year (it would be in WAS UI 2.6).

              • WAS Authentication 'Test' button?
                pejacoby Level 1

                Any progress on a "Test" button? I just killed another hour trying to get a Selenium login script that works perfectly in Firefox to work in Qualys. I get the recurring QID 150095 "The script failed to run" and diagnostics showing timeouts. At 10 minutes per test scan, it's a huge time waster...

                  • WAS Authentication 'Test' button?
                    jkent Level 4

                    Create a 5-link option profile and put the target URL as the login page. This will let you cut the test down to about 3 minutes.

                    Check the Selenium base; make sure it's the base URL for the target.

                    Also, you might want to switch out the "Send Keys" command for the "Type" command.

                    If you can show me the URL of the site, I can take a look at it.

                    jkent AT qualys DOT com

                    • WAS Authentication 'Test' button?
                      Axel Level 3

                      Hi,

                       

                      The authentication test functionality is indeed still under discussion. We have 2 features planned:

                      1/ The first one will help people fill in their form record by letting the user browse the site and select the login form. The application

                      2/ The second introduces the Test button and will run a quick scan to get you the results.

                      The second solution, the one you're interested in, is planned for 3.3. As part of it we plan to introduce a new task that would allow you to regularly check the validity of your records without having to go over them one by one (3.4).

                      Also, as a side note, the authentication record list will be available in our very next release, 3.1 - you will have access to both the UI section (see attached screenshot) and an API to easily manage them.

                        • WAS Authentication 'Test' button?
                          pejacoby Level 1

                          I would still like to see a quick "Test" button for Selenium login scripts. It continues to be a challenge to get a script that works perfectly in the browser to function in WAS.

                          Our web team recently split the submission of username and password into two POST actions. I added a submit for the username, a waitOnElementPresent for the password field, and a submit for the password. It works perfectly in Selenium 2.5 in Firefox, but fails with timeouts via the scanner. Even with a quick Discovery scan, it's a frustrating process to try to debug these issues.

                            • WAS Authentication 'Test' button?
                              WillB Level 4

                              Thanks for staying with us on this.  While we have made some progress internally in coming up with various alternatives to address this, we have so many feature requests that we have not been able to meet all our objectives.  One of the challenges we'll continue to face even with a quicker authentication test is the fact that the scanner's access to the application may be different than using your own browser, hence I am doubtful we'll be able to solve all issues where it works well in the browser but does not work exactly the same in the appliance.  We do hope to make more improvements in logging that may provide more insight as well.  We'll continue to work on this, and appreciate you continuing to let us know this is a difficult problem for you.  I'll contact you with a private message to get more info.

                                • Re: WAS Authentication 'Test' button?
                                  Joe Wisher Lurker

                                  While I don't consider myself a 'seasoned' web application scanner... I have completed hundreds of web application scans over the past several months and authentication is one of the top two barriers to quickly scanning a site. Developers can choose many different ways to have a user authenticate and even when I know what type they have used and how to get to the authentication prompt the authentication may still not be successful for various reasons. Please stick with this work as it will improve the efficiency of my work scanning web applications.  If there was a way for me to emulate by way of some interface exactly how the scanner accesses a site and then authenticate it would go far in providing insight as to why authentication is failing. Emulating could also potentially confirm what barriers the appliance may experience while attempting to get to a login prompt/form/pop up.

                        • Re: WAS Authentication 'Test' button?
                          Busby Level 3

                          Just to test the applications, I run the discovery to test the authentication. Typically I will try to do the authentication from Linux, because in many cases the application is passing NTLM; the developers don't always realize this, and you see it from the Linux side.

                          I agree the logging and troubleshooting on authentication is usually the biggest hurdle.

                          Here is what I do:

                          • Manually test credentials from Linux (lets me know if NTLM is being used).
                          • May need to try different browsers to see if they are restricting content to one User-Agent.
                          • Write the Selenium script and test it on Windows and Linux.
                          • Look out for popups and cookies; they can cause issues as well.
                          • Load into Qualys and test with a discovery scan of ONE URL so the scan runs fast.
                          • Repeat until success.

                          Now I know they have this on the VM side, but I think we will see the option to get a PCAP of a scan, and this will also allow us all a little more insight into what is actually happening. Please let me know if I can assist.
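Busby's first two bullets, checking the credentials from Linux to see whether the site is really speaking NTLM and trying more than one User-Agent, can be done with curl before any Discovery scan is launched. The script below is an added example, not Busby's or Qualys's code: it classifies a response by its WWW-Authenticate challenges, probes a URL with a browser-like and a bare User-Agent, and attempts an NTLM login so you can see the status the scanner would get. The URL, User-Agent strings, credentials and the IIS-style sample response are placeholders constructed for the example, not values from the thread; it assumes curl is installed.

```shell
#!/bin/sh
# Added example (not from the thread): what a Linux host is offered by a login
# URL, classified the way a scanner appliance would experience it.
#
#   classify_auth HEADERS        pure function over a raw HTTP response header
#                                blob; prints the challenge type
#   probe_auth_headers URL UA    fetch only the headers of URL with User-Agent UA
#   ntlm_login_status URL CREDS  complete an NTLM login, print the final HTTP status
#
# Assumptions: curl is installed; all hostnames, UAs and credentials are placeholders.

classify_auth() {
    # $1: raw response headers, status line first; CRLF or LF line endings
    hdrs=$(printf '%s\n' "$1" | tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | head -n 1 | awk '{print $2}')
    # Every WWW-Authenticate value; IIS commonly sends "Negotiate" and "NTLM" as two lines
    challenges=$(printf '%s\n' "$hdrs" | grep -i '^www-authenticate:' | cut -d: -f2- | sed 's/^ *//')

    if [ "$status" = "401" ]; then
        # Report the scheme that matters most for a scanner's authentication record
        if printf '%s\n' "$challenges" | grep -qi '^ntlm';      then echo ntlm;      return; fi
        if printf '%s\n' "$challenges" | grep -qi '^negotiate'; then echo negotiate; return; fi
        if printf '%s\n' "$challenges" | grep -qi '^digest';    then echo digest;    return; fi
        if printf '%s\n' "$challenges" | grep -qi '^basic';     then echo basic;     return; fi
        echo unknown-401
        return
    fi
    case "$status" in
        200)       echo form-or-none ;;  # no HTTP challenge: login is an HTML form, script-driven, or absent
        30[12378]) echo redirect ;;      # follow the Location header and classify the next hop
        *)         echo "other-$status" ;;
    esac
}

probe_auth_headers() {
    # $1: URL, $2: User-Agent. "-D -" dumps the response headers to stdout; the body is discarded.
    curl -sS -o /dev/null -D - -A "$2" "$1"
}

ntlm_login_status() {
    # $1: URL, $2: 'DOMAIN\user:password'. curl performs the NTLM handshake itself.
    curl -sS -o /dev/null -w '%{http_code}' --ntlm -u "$2" "$1"
}

# A browser-like and a bare User-Agent, to catch sites that gate content on the UA (placeholders)
BROWSER_UA='Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0'
BARE_UA='curl'

# Constructed sample (not captured from any real host) so the classifier runs offline;
# it mirrors the two-line challenge an IIS site using Windows authentication sends.
SAMPLE_IIS_401=$(printf 'HTTP/1.1 401 Unauthorized\r\nServer: Microsoft-IIS/8.5\r\nWWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\nContent-Length: 0\r\n')

if [ "$#" -gt 0 ]; then
    # Live probe: ./probe.sh https://target.example/login ['DOMAIN\user:password']
    for ua in "$BROWSER_UA" "$BARE_UA"; do
        printf '%s  UA=%s  -> %s\n' "$1" "$ua" "$(classify_auth "$(probe_auth_headers "$1" "$ua")")"
    done
    if [ "$#" -gt 1 ]; then
        printf 'NTLM login as %s -> HTTP %s\n' "${2%%:*}" "$(ntlm_login_status "$1" "$2")"
    fi
else
    printf 'constructed IIS sample -> %s\n' "$(classify_auth "$SAMPLE_IIS_401")"
fi
```

If the classifier prints ntlm or negotiate, the login page is protected by HTTP-level Windows authentication, which a browser on a domain-joined Windows host completes silently; that is the situation Busby describes, and it points at the "Server" type of authentication record mentioned earlier in the thread rather than at a form or Selenium script. A different answer for the two User-Agents is the sign that content is being restricted per browser.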