API scanning - Dynamic Token Strategy for Authentication


Original Question: API scanning - Dynamic Token Strategy for Authentication by HansEnders

I found this question on one of our Fortify Unplugged videos, and have directed that user here for a better discussion than the Comments thread.

"Can you provide a sample example for Using Dynamic Token Strategy for Authentication. I'm not able to figure out how to use the Regex for the Request and Response Tokens."

I assume they were wondering about the Dynamic Token mentioned at the 4:00 minute mark.  The Dynamic Strategy discussed here is for the situation when the Postman Collection does not offer a Request which produces a simple authentication token, but instead the user has to scrape the token from the Response and perhaps inform WebInspect when to replay this special Request to regain session state (i.e. update the token value).  This is akin to the mechanism used by the Login Macro in WebInspect.

For a standard authenticated WebInspect web site scan with a Login Macro, there is a recorded series of Requests used to gain session state.  There will also be one or more Logout Conditions defined for this Macro.  The Logout Conditions are simple text matches on the scan's HTTP Responses, to let WebInspect know when to re-run the Login Macro.  For this API scan with Dynamic Token situation it is the same basic principle: the user provides information on how to locate the Token within the HTTP Response, and includes a Logout Condition to inform the scanner when to re-run this.

Since WebInspect only tests HTTP Request/Response traffic, a "complete" or "pure" regular expression is overkill.  To simplify the use of regex in WebInspect, Fortify provides a series of Regular Expression Extensions, previously known as our SPI (Dynamics) Regex.  These Regex Extensions offer "tags" to help the regex writer easily focus the expression search, such as restricting it to one section of the HTTP Response:  [ALL], [HEADERS], or [BODY].  And since it is still a basic regex, any blank space in the searched text must be written with the \s escape sequence.  Below are samples of what a Logout Condition might be, as well as the product documentation pages that are relevant to this.  Bear in mind that the regex needs to identify some text in the HTTP Response that occurs during logout, and which is unique to that situation, i.e. don't match on generic items such as "HTTP" or ".com".

The same Regular Expression Extension format can also be used in the Session Exclusions (scan settings) of WebInspect, as needed.


[STATUSCODE]302 AND [HEADERS]Location:\slogin.aspx
[STATUSCODE]200 AND [BODY]logged\sout
[STATUSCODE]302 AND [ALL]Login.asp
( [STATUSCODE]302 AND [HEADERS]Location:\slogin.aspx ) OR ( [STATUSCODE]200 AND [BODY]response\stimed\sout ) <= (Note the blank space padding around the parentheses.)
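To make the tag format concrete, here is an added example (not WebInspect's own code, and not from the original post) of a small hypothetical evaluator for these Logout Conditions, run against constructed HTTP responses. It assumes my reading of the syntax: each token is a [SECTION] tag followed by a regex searched in that section, AND binds tighter than OR, and parentheses must be space-padded so they split into their own tokens, which is exactly why the padding note above matters.

```python
import re

# Constructed sample responses (not captured from any real scan).
LOGOUT_REDIRECT = "HTTP/1.1 302 Found\r\nLocation: login.aspx\r\n\r\n"
TIMED_OUT_PAGE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                  "<html>Your response timed out, please sign in.</html>")
NORMAL_PAGE = ("HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
               '{"status":"ok","user":"alice"}')
# The compound Logout Condition from the post, parentheses space-padded.
LOGOUT_CONDITION = (r"( [STATUSCODE]302 AND [HEADERS]Location:\slogin.aspx ) "
                    r"OR ( [STATUSCODE]200 AND [BODY]response\stimed\sout )")

def split_response(raw):
    """Return (status code, header block, body) of a raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, headers = head.partition("\r\n")
    return status_line.split()[1], headers, body

def evaluate(expression, raw):
    """Hypothetical evaluator: [TAG]regex atoms joined by AND / OR.
    AND binds tighter than OR; ( and ) must be separate tokens."""
    status, headers, body = split_response(raw)
    sections = {"STATUSCODE": status, "HEADERS": headers,
                "BODY": body, "ALL": raw}
    tokens = expression.split()  # this is why the parentheses need padding
    def atom():
        tok = tokens.pop(0)
        if tok == "(":
            value = disjunction()
            tokens.pop(0)  # the closing ")"
            return value
        tag, pattern = re.fullmatch(r"\[(\w+)\](.+)", tok).groups()
        return re.search(pattern, sections[tag]) is not None

    def conjunction():
        value = atom()
        while tokens and tokens[0] == "AND":
            tokens.pop(0)
            value = atom() and value  # atom() runs first so tokens advance
        return value

    def disjunction():
        value = conjunction()
        while tokens and tokens[0] == "OR":
            tokens.pop(0)
            value = conjunction() or value
        return value

    return disjunction()
```

Running evaluate(LOGOUT_CONDITION, ...) flags the redirect and the timed-out page as logged out, while the normal JSON response is left alone; matching is case-sensitive here, which is an assumption of this example rather than documented WebInspect behaviour.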

