By Dan Cornell
About a week ago we posted some info about how we chained AppScan and Burp Suite together to handle a site with a somewhat complicated challenge/response login scheme. Apparently this got the Twitter world all excited – you can read all about it on Dinis Cruz's blog. A really cool outcome of all this discussion is that some of the scanner vendors have started publishing information about how their scanners can be configured to handle similar login situations, based on the mock-up code we released on GitHub. This post highlights the response from the good folks at HP on how to configure WebInspect to handle this login scenario.
They put up a blog post about it here: Challenge-Response Authentication? No Problem
They also put together a rather extensive set of slides describing the target scenario as well as some more complicated twists (original slides link is here).
Many thanks to Rafal Los and Hans Enders from HP for putting this together and making it available. I agree with Dinis that talking about these real-world scenarios is really valuable, and I appreciate you all taking the time to write up and release this information. I've got material from a couple of the other scanner folks that I'll be reviewing and posting soon.
dan _at_ denimgroup.com