Riskmap (Regular Contributor)

How to create a login macro where the cookies JSESSIONID and LtpaToken are set as state parameters.

Raphael Hagi (Super Contributor)

Re: How to create a login macro with the cookies JSESSIONID and LtpaToken are set as state parameter

I think if you record your login macro, when you play it, your token and JSESSIONID will be received by WebInspect to proceed with the next requests. Are you receiving any errors?


Data, or do not.
Riskmap (Regular Contributor)

Re: How to create a login macro with the cookies JSESSIONID and LtpaToken are set as state parameter

It is for a WebSphere Application. 

Micro Focus Expert

Re: How to create a login macro with the cookies JSESSIONID and LtpaToken are set as state parameter

Like Raphael said, the Login Macro should dynamically retrieve the correct values when it processes the login.

Additionally, you may need to declare certain state-keeping parameters to WebInspect so it manages their values properly during the scan, after login.  If you open the Default Scan Settings > Audit Exclusions, you will see that JSESSIONID is among those common fields that are already covered by WebInspect, but not your LtpaToken.  For that, I would suggest adding the LtpaToken to the State-keeping entries found on the HTTP Parsing scan settings panel.  These named parameters will then be declared to WebInspect as "important for state-keeping", and so their assigned values will be reused by WebInspect until such time as the target server issues an updated value, and then that new value will be used.  If you do not do this, the LtpaToken field may be submitted with fuzzing values or simple default values and the session state could be lost frequently, resulting in a longer scan or poor results.

Note that the HTTP Parsing entry is much different from the Attack Exclusions scan setting panel.  Items declared on the Attack Exclusions panel will not be fuzzed at all by WebInspect.  Items declared under HTTP Parsing will still be tested "some", but not as heavily as a normal input field, and their assigned value will be carried forward in HTTP Requests.  Sometimes you need to declare your sensitive parameter for both panels, but usually only for HTTP Parsing.


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
Raphael Hagi (Super Contributor)

Re: How to create a login macro with the cookies JSESSIONID and LtpaToken are set as state parameter

The best! Thanks Hans, it's a new feature for me! 🙂


Data, or do not.
Riskmap (Regular Contributor)

Re: How to create a login macro with the cookies JSESSIONID and LtpaToken are set as state parameter

Thank you Hans! I will test this and let you know the result.

Thanks,

Riskmap (Regular Contributor)

Re: How to create a login macro with the cookies JSESSIONID and LtpaToken are set as state parameter

Hi Habeas,

I still have the same issue. Could you please provide me the exact steps for how to add that? I think that I am not adding it right.

Also, I am doing crawl first and then audit. Not both together.

Thanks in advance.

Micro Focus Expert

Re: How to create a login macro with the cookies JSESSIONID and LtpaToken are set as state parameter

JSESSIONID is already managed by WebInspect; you should not need to specify anything.  It is a known entity in the web server world, so WebInspect knows its purpose.  To see what I mean, perform the following.

  1. Open WebInspect
  2. Click on the Edit menu > Default Scan Settings > Attack Exclusions panel
  3. Find "jsessionid" listed in the Excluded Cookies pane > you are done!
  4. Exit the settings screens.

Now your custom parameter, LtpaToken, is another matter.  Perform the following steps to declare it to WebInspect as a state-keeping value, necessary for on-going communication.

  1. Open WebInspect
  2. Click on the Edit menu > Default Scan Settings > HTTP Parsing panel
  3. For the pane, "HTTP Parameters Used For State", click Add
    1. Enter "LtpaToken" (case-insensitive actually) to the Parameter field
    2. Enable the bullet point for "Plain Text"
    3. Enable all three boxes for "Look for parameter in"
      • (I am lazy, why bother identifying each case!)
    4. Click OK to save this new entry.
  4. Click OK to save this new Default Scan Settings configuration, or use the Save As option to save it as a saved scan settings file (XML) for use later.

Now, the LtpaToken will be automatically used and updated by WebInspect as it scans, changing the value whenever the target server instructs it to use a new value.

Separately, if _any_ testing/changing/fuzzing of the LtpaToken can trigger a logout, then you may want to add it to Attack Exclusions.  Normally this is not needed when the token is listed on the HTTP Parsing panel, since WebInspect will already be handling the parameter value with care, and only a minimum of fuzzing.  If you do want to set this, then use the following steps, after you have added the token to the HTTP Parsing panel (above).

  1. Open WebInspect
  2. Click on the Edit menu > Default Scan Settings > Attack Exclusions panel
    • If you are simply adding to a previously saved scan setting file, use these steps instead:
      • Edit menu > Manage Settings > Edit button > Attack Exclusions panel
  3. For the pane, "Excluded Cookies", click Add
  4. Enter "LtpaToken" to the Expression field and click the Test button
  5. In the resulting pop-up window, "No matches found", simply click on OK.
  6. Scroll through the Excluded Cookies pane to verify your "LtpaToken" entry is listed
  7. Click OK to save this new Default Scan Settings configuration, or the custom scan settings file you had opened, or use the Save As option to save it as a new saved scan settings file (XML) for use later.

Now the LtpaToken will not be fuzzed AT ALL during the scan.  Note that this is not the same as declaring it as a state-keeping variable ("HTTP Parsing"), whose value is important and must be carried through the scan.

For more configuration ideas, see this article on the user forums:  "WebInspect Scan Configuration Tricks and Best Practices" =  https://community.microfocus.com/t5/Fortify-User-Discussions/WebInspect-Scan-Configuration-Tricks-and-Best-Practices/td-p/1587049


-- Habeas Data
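The two settings panels contrasted in Habeas Data's replies above (state-keeping parameters under HTTP Parsing versus Excluded Cookies under Attack Exclusions) are easier to tell apart when the behaviour is written out. The block below is an added example for this page, a toy Python model of what the replies describe: declared state parameters are carried forward in cookie, query and body positions with case-insensitive name matching, refreshed whenever the server issues a new Set-Cookie, and excluded cookies never reach the fuzzer. It is not WebInspect code, and the class names, the sample Set-Cookie values and the host app.example.test are constructed for the example.

```python
"""Toy model of scanner session-state handling (added example, not WebInspect code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample: what a WebSphere login response might set (values are made up).
LOGIN_RESPONSE_HEADERS = [
    ("Set-Cookie", "JSESSIONID=0000AbCdEfGh:-1; Path=/; HttpOnly"),
    ("Set-Cookie", "LtpaToken=AAECAzIwMjQ=; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]


@dataclass
class ScanState:
    """Hypothetical model of the two panels the thread contrasts."""

    state_params: frozenset[str]      # "HTTP Parameters Used For State": carry forward, refresh
    excluded_cookies: frozenset[str]  # "Attack Exclusions > Excluded Cookies": never fuzz
    current: dict[str, str] = field(default_factory=dict)  # live values, keyed by lower-cased name

    def is_state(self, name: str) -> bool:
        # Name matching is case-insensitive, as the reply notes for the HTTP Parsing entry.
        return name.lower() in {p.lower() for p in self.state_params}

    def is_excluded(self, name: str) -> bool:
        return name.lower() in {p.lower() for p in self.excluded_cookies}

    def observe_response(self, headers: list[tuple[str, str]]) -> list[str]:
        """Refresh state values from Set-Cookie headers; return the names whose value changed."""
        changed = []
        for hname, hvalue in headers:
            if hname.lower() != "set-cookie":
                continue
            jar = SimpleCookie()
            jar.load(hvalue)  # attributes such as Path/HttpOnly are parsed, not treated as cookies
            for morsel in jar.values():
                key = morsel.key.lower()
                if self.is_state(morsel.key) and self.current.get(key) != morsel.value:
                    self.current[key] = morsel.value
                    changed.append(morsel.key)
        return changed

    def _refresh(self, name: str, value: str) -> str:
        return self.current.get(name.lower(), value) if self.is_state(name) else value

    def prepare_request(self, url: str, cookies: dict[str, str], body: dict[str, str]):
        """Overwrite stale state values in cookie, query string and body with the live value.
        This is the effect of ticking all three "Look for parameter in" boxes."""
        cookies = {k: self._refresh(k, v) for k, v in cookies.items()}
        parts = urlsplit(url)
        query = [(k, self._refresh(k, v)) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
        url = urlunsplit(parts._replace(query=urlencode(query)))
        body = {k: self._refresh(k, v) for k, v in body.items()}
        return url, cookies, body

    def fuzzable_cookies(self, cookies: dict[str, str]) -> list[str]:
        """Cookies the attack engine may mutate: anything in Excluded Cookies is dropped outright."""
        return [k for k in cookies if not self.is_excluded(k)]


def run_scenario() -> dict:
    """Login, a replayed request with stale values, a mid-scan session rotation, fuzz-target selection."""
    scan = ScanState(
        state_params=frozenset({"JSESSIONID", "LtpaToken"}),     # HTTP Parsing panel
        excluded_cookies=frozenset({"jsessionid", "LtpaToken"}),  # Attack Exclusions panel
    )
    out: dict = {}
    out["after_login"] = sorted(scan.observe_response(LOGIN_RESPONSE_HEADERS))
    # A recorded request carrying stale values in all three positions; the body field is lower-cased
    # on purpose to show the case-insensitive match.
    url, cookies, body = scan.prepare_request(
        "https://app.example.test/app/servlet?JSESSIONID=stale&page=2",
        {"JSESSIONID": "stale", "LtpaToken": "stale", "lang": "en"},
        {"ltpatoken": "stale", "action": "view"},
    )
    out["cookie_jsessionid"] = cookies["JSESSIONID"]
    out["query_jsessionid"] = dict(parse_qsl(urlsplit(url).query))["JSESSIONID"]
    out["body_ltpatoken"] = body["ltpatoken"]
    # The server rotates the session id mid-scan: the new value wins from here on.
    out["rotated"] = scan.observe_response(
        [("Set-Cookie", "JSESSIONID=0000NewId99:-1; Path=/; HttpOnly")]
    )
    out["current_jsessionid"] = scan.current["jsessionid"]
    # Only the cookie that is neither excluded nor state-bearing is handed to the fuzzer.
    out["fuzzable"] = scan.fuzzable_cookies(cookies)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The scenario shows why the replies recommend both panels only when mutation of the token logs the session out: a name listed only under HTTP Parsing still receives some fuzzing but keeps its live value on every other request, while a name under Excluded Cookies is never mutated at all. Before declaring the name, check the actual Set-Cookie header in the recorded login response; recent WebSphere releases usually issue the token as LtpaToken2 (sometimes alongside LtpaToken), and a name that does not match the server's cookie will simply never be tracked.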
Riskmap (Regular Contributor)

Re: How to create a login macro with the cookies JSESSIONID and LtpaToken are set as state parameter

Thank you Habeas for providing the detailed instructions.

Thanks,
