I'm new to the WAS module, but I'm already frustrated by the lack of a "TEST" button for the Authentication setup.
It would be very valuable to be able to immediately test my entries for Form, Server, or Selenium script authentication without having to run a Discovery scan. Having to do a scan to see if my form fields are named right or my password got typed wrong is tedious and time-consuming.
That said, it would also be nice if there was one screen used to list and manage the various Authentication Records.
We completely agree that the authentication test feature would definitely help anyone who just wants to test if credentials are correct without having to launch a scan. This is in fact something that we already have in our roadmap, but we have not been able to implement it yet due to the way our scanner appliances connect to our datacenter.
I will discuss it again with our scan team to see if we can come to a working solution in the near future, but this is definitely something that we expect to have in the application.
Also, concerning the list of authentication records, this would indeed be a good addition.
When we first implemented support of authentication records, we expected an authentication record to be tied to a web application and it would then have been more logical to edit it from the latter. But feedback from customers leads us indeed to think that a dedicated list of authentication records would facilitate their management and we have therefore added it to our roadmap, for Q4 this year (would be in WAS UI 2.6).
Any progress on a "Test" button? I just killed another hour trying to get a Selenium login script that works perfectly in Firefox to work in Qualys. I get recurring QID 150095 "The script failed to run" and diagnostics showing Time outs. At 10 minutes per test scan, it's a huge time waster...
Create a 5 link option profile and put the target URL as the login page. This will let you cut the test down to about 3 minutes.
Check the Selenium Base, make sure it's the base URL for the target.
Also, you might want to switch out "Send Keys" for "Type" command.
If you can show me the URL of the site, I can take a look at it.
jkent AT qualys DOT com
The authentication test functionality is indeed still under discussion. We have 2 features planned:
1/ The first one will help people fill their form record by letting the user browse the site and select the login form. The application
2/ The second introduces the Test button and will run a quick scan to get you the results.
The second solution, the one you're interested in, is planned for 3.3. As part of it we plan to introduce a new task that would allow you to regularly check the validity of your records without having to go over them one by one (3.4).
Also, as a side note, the authentication record list will be available in our very next release 3.1 - you will have access to both the UI section (see attached screenshot) and an API to easily manage them.
I would still like to see a quick "Test" button for Selenium login scripts. It continues to be a challenge to get a script that works perfectly in the browser to function in WAS.
Our web team recently split the submission of username and password into two POST actions. I added a submit for the username, waitOnElementPresent for the password field, and a submit for the password. Works perfectly in Selenium 2.5 in Firefox, but fails with timeouts via the scanner. Even with a quick Discovery scan, it's a frustrating process to try to debug these issues.
Thanks for staying with us on this. While we have made some progress internally in coming up with various alternatives to address this, we have so many feature requests that we have not been able to meet all our objectives. One of the challenges we'll continue to face even with a quicker authentication test is the fact that the scanner's access to the application may be different than using your own browser, hence I am doubtful we'll be able to solve all issues where it works well in the browser but does not work exactly the same in the appliance. We do hope to make more improvements in logging that may provide more insight as well. We'll continue to work on this, and appreciate you continuing to let us know this is a difficult problem for you. I'll contact you with a private message to get more info.