CyberRoo Absent Member.

WebInspect - multiple layers of Site authentication

I'm having some trouble with multiple layers of site authentication and wanted to know if anyone may have a solution for this issue.


I am utilizing the WI Macro for the initial splash page login, which I am able to do successfully. However, there is another mini application that is accessible through the application that automatically launches in a new tab in the browser and requires additional authentication. In the Macro, the new tab launches but never loads, and I am unable to authenticate at the second level.


I am able to authenticate to both levels within my browser outside of WebInspect, but not through the Macro. Has anyone had success trying to go through multiple levels of authentication?

1 Reply
Micro Focus Expert

Re: WebInspect - multiple layers of Site authentication

If both of these authentication processes are used to perform "the authentication" as a whole, then a single Login Macro should suffice. Any time session state is lost, the full macro will replay. If the necessary secondary or follow-up browser tab is not appearing in the recorder tool, try changing the Script Level (slider bar) from position 1 to position 3. The recorder automatically suppresses minor, "dynamic" sessions such as Mouse-Over actions, but Script Level 3 exposes them all, and also requires them as part of the Replay. Depending on the reason the tab is not displaying, there are additional (JavaScript) tricks that can be performed from the Toolbox side-bar as well, and Fortify Support can help you sort it out if needed. The best data for them to help understand the situation would be a copy of the failed LoginMacro recording, and a Web Proxy capture of the normal and successful login followed later by a proper logout action.

However, if the second authentication case is not always encountered or performed when the first one is processed, you may not be able to get by with a (single) Login Macro.  There is no way to configure two separate Login Macros for a WebInspect scan, so you may need to mark that second authentication process as part of an Interactive Mode scan.  This would be the same as configuring for a manual CAPTCHA or RSA ID Token field.



(1)  Open the Web Forms Editor tool, and Add a unique field or marker that would be found in an HTTP Response when the second login process is required, e.g. "please log into our secondary process".  Right-click and mark that field as Interactive.  It does not need to be the input field specifically, just something that will trigger the pop-up in WebInspect when your input is required.

(2)  In your scan settings, Method panel, specify your saved Web Forms input file in the field for "Auto fill web forms..."

(3)  Also on the Method scan settings panel, enable both boxes for "Prompt for web forms values..." and also "Only prompt for tagged inputs".

(4)  Start your scan with these settings and Input File.

**  Your scan will now be automated until it strikes that field you marked as Interactive.  The WebInspect scan thread will Pause and pop a browser window asking you for your human input (the secondary authentication), and it will Resume once completed.  The other Requestor threads will continue unabated as they carry their own session state individually (if a default Crawl&Audit, 15 total threads by default).

-- Habeas Data
Micro Focus Fortify Customers-Only Forums –