How to Perform a WebInspect Scan for an MFA-enabled Website?


Can someone please let me know how to perform a WebInspect scan on a website which has MFA enabled?

I tried the Web Form Editor option, enabling "Mark as interactive input" for the OTP, but there is no prompt for the OTP while the scan is running.

Please help me on the above query.

Appreciate your support.

Thanks in advance

  • Suggested Answer

    Great question and perfect timing! We just released WebInspect 21.2 that now includes a way to handle MFA:

    WebInspect now offers the ability to automate Two-factor Authentication scans. This is accomplished by installing a lightweight Android app onto a phone or emulator that can capture SMS and Email tokens and pass them back to the scanner for authentication. Once configured, there is no need for user interaction.

    Here is a YouTube video on our Unplugged channel for additional information -

  • Hey Ebell,

    Thanks for the reply, it is really helpful. One small doubt on that:

    Can you please let me know how it can be integrated with VIP tokens?

    Thanks in Advance!

    Venkatesh Kalli

  • At this time, if you cannot receive the 2FA token via text or email, then you will have to either:

    1. Use manual intervention,

    2. Disable for testing.

  • The new 2FA feature only supports Two-Factor Authentication (2FA, or MFA) when the token is received via SMS or Email. For other situations, including CAPTCHA, Virtual PIN Pad, RSA ID Tokens, et al., you can resort to the older Interactive Scan method WebInspect has always offered. An Interactive Scan in WebInspect allows you to configure a "mostly automated scan", where you then monitor the screen and fill in the human input as it is needed and is brought up on-screen. You can also combine this with additional authentication layered configurations such as including Network Authentication, Client-Side Certs, or the standard Login Macro as needed for your particular target.

    • Help section: file:///C:/ProgramData/HP/HP%20WebInspect/Help/WebInspect/index.htm#InteractiveScans.htm