Scanner Cannot Populate Complex Login Form

Currently the WAS scanning engine handles what we call "simple" login forms. If the web crawler encounters a complex login form, the scanning engine does not authenticate. In the future, the WAS scanning engine will address login forms that contain more than 2 inputs/fields as well as multi-step login schemes. Some types of complex login scheme cannot be handled automatically at all, since their sole purpose is to prevent automated authentication or brute forcing.

For a workaround to this issue, see How to Bypass Authentication Forms.

What are complex login forms?

Here are scenarios that are considered to be "complex" login forms.

More than 2 login fields

A login form that asks for a username, a password and an employee number, plus a drop-down list for the region where the office is located.
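As an added illustration (not part of the original article and not the WAS engine's own logic), the following Python script applies the field-count rule above to raw HTML: it parses each form, counts the inputs a person actually has to fill in, and flags a form as complex when it has more than 2 such fields or includes a drop-down list. The sample HTML, the helper names and the exact thresholds are constructed assumptions; only the Python standard library is used.

```python
from html.parser import HTMLParser

# Input types that carry no user-supplied value; they are not counted as login
# fields (a hidden CSRF token or a submit button does not make a form complex).
NON_USER_TYPES = {"hidden", "submit", "button", "reset", "image", "checkbox"}


class FormFieldCollector(HTMLParser):
    """Collects the user-fillable fields of every <form> in a document."""

    def __init__(self):
        super().__init__()
        self.forms = []       # one dict per form: {"action": str, "fields": [(tag, type, name)]}
        self._current = None  # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""), "fields": []}
            self.forms.append(self._current)
            return
        if self._current is None:
            return
        if tag == "input":
            itype = (a.get("type") or "text").lower()   # an <input> without type is a text box
            if itype not in NON_USER_TYPES:
                self._current["fields"].append(("input", itype, a.get("name", "")))
        elif tag in ("select", "textarea"):
            self._current["fields"].append((tag, tag, a.get("name", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify_login_form(form):
    """Assumed heuristic: a login form is 'simple' when it asks for at most two
    values and none of them is a drop-down list; anything else is 'complex'."""
    fields = form["fields"]
    types = [ftype for _, ftype, _ in fields]
    if "password" not in types:
        return ("not-a-login-form", "no password field")
    if len(fields) > 2:
        names = ", ".join(name for _, _, name in fields)
        return ("complex", f"{len(fields)} user-fillable fields: {names}")
    if "select" in types:
        return ("complex", "drop-down list among the fields")
    return ("simple", f"{len(fields)} user-fillable fields, password present")


def classify_html(html):
    """Return a list of (action, verdict, reason) tuples, one per form found."""
    parser = FormFieldCollector()
    parser.feed(html)
    return [(f["action"], *classify_login_form(f)) for f in parser.forms]


# Constructed sample page: one simple form and one complex form of the kind
# described above (employee number plus a region drop-down).
SAMPLE_HTML = """
<form action="/login" method="post">
  <input type="hidden" name="csrf" value="abc123">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="checkbox" name="remember"> Remember me
  <input type="submit" value="Log in">
</form>
<form action="/hr/login" method="post">
  <input name="user">
  <input type="password" name="pass">
  <input type="number" name="employee_no">
  <select name="region"><option>EMEA</option><option>APAC</option></select>
  <button type="submit">Log in</button>
</form>
"""

if __name__ == "__main__":
    for action, verdict, reason in classify_html(SAMPLE_HTML):
        print(f"{action:12} {verdict:8} ({reason})")
```

Running the script on the sample marks `/login` as simple and `/hr/login` as complex because of its four fields. A check like this on the crawled pages of a target tells you in advance which login forms the scanner will not authenticate to, so the workaround can be prepared before the scan rather than after it reports unauthenticated coverage.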

CAPTCHA

CAPTCHAs were introduced to thwart automated brute-forcing attacks against login forms. By requiring one to be solved, the web application makes sure that a human being is logging on. It is understandable that our automated scanning engine cannot pass through such a system.

Example: when the CAPTCHA image appears, the user has to type the string YHMTWUWK into the character input box in order to create their account.

Image click numeric pad login scheme

This login scheme is another security mechanism, most commonly seen at banks; a typical case where it is deployed is for customers logging in from computers in Internet cafes. The principle is to display an image of a numeric pad whose number positions change each time a person tries to log in. The user clicks the digits of their code on the image instead of typing them on the keyboard.

The mechanism is primarily meant to stop an automated brute forcer, and it also defeats any rogue key-logger software an attacker may have installed on an unsuspecting user's machine: a key logger intercepts keyboard input and records the username and password, but with this scheme the code is never typed.

Example: when the keypad image appears, the user enters their secret code by clicking the numbers on the keypad, then clicks the validate button ("Valider" in this example) to log into their account.
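To make the principle concrete, here is an added Python sketch (my own illustration, not code from the original article or from any bank's implementation) of the server side of such a keypad: every login attempt gets a fresh random digit layout, the browser submits only the positions that were clicked, and the server translates those positions back into digits using the layout it issued. The helper names, the session design and the 4-digit sample code are constructed assumptions.

```python
import hmac
import secrets

DIGITS = "0123456789"


def new_layout():
    """Server side: a fresh random arrangement of the ten keys for one login
    attempt. Index = position on the rendered image, value = digit shown there.
    secrets.SystemRandom is used so the shuffle is not predictable."""
    layout = list(DIGITS)
    secrets.SystemRandom().shuffle(layout)
    return layout


def clicks_for_code(layout, code):
    """What the browser sends: the on-screen position of each digit the user
    clicks. Only positions leave the client; the digits themselves never do."""
    return [layout.index(ch) for ch in code]


def code_from_clicks(layout, clicks):
    """Server side: map submitted positions back to digits with the layout
    that was issued for this attempt."""
    return "".join(layout[p] for p in clicks)


class KeypadSession:
    """Holds the layout issued to one login attempt and allows a single use.
    Assumed design: the layout lives in the server-side session, never in a
    hidden form field the client could tamper with."""

    def __init__(self, layout=None):
        self.layout = layout if layout is not None else new_layout()
        self.used = False

    def verify(self, clicks, expected_code):
        if self.used:
            return False          # a resubmission against the same layout is rejected
        self.used = True
        if any(p < 0 or p >= len(self.layout) for p in clicks):
            return False          # out-of-range position: malformed request
        submitted = code_from_clicks(self.layout, clicks)
        return hmac.compare_digest(submitted, expected_code)


def replay_against_fresh_layout(old_layout, fresh_layout, code):
    """Illustrates the key-logger argument: click positions recorded under one
    layout, replayed against a fresh layout, decode to a different code."""
    recorded = clicks_for_code(old_layout, code)
    return code_from_clicks(fresh_layout, recorded)


if __name__ == "__main__":
    code = "2580"                            # constructed sample secret code
    session = KeypadSession()
    clicks = clicks_for_code(session.layout, code)
    print("layout:", "".join(session.layout), "clicks:", clicks)
    print("login ok:", session.verify(clicks, code))
    print("same clicks again:", session.verify(clicks, code))    # rejected: layout used up
    print("recorded clicks under a new layout decode to:",
          replay_against_fresh_layout(session.layout, new_layout(), code))
```

Two properties carry the security argument: the layout is generated server-side per attempt, so a recording of mouse clicks is only meaningful together with the one layout it was made against, and that layout is discarded after a single verification. This is also exactly what defeats the scanner: there is no stable field to fill with a fixed value, and the mapping from value to input changes on every page load.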

Two-factor login system

Two-factor login combines something you know (username, password, order ID, shipping number, department name, etc.) with something you possess (a smart card, a certificate, fingerprint biometrics or a dynamic password calculator are good examples).

Multi-step login system

This scheme spans several web pages and form submissions. For example, the user first enters their bank account number and submits; on a new page they answer their secret question and submit again; only on the third page do they enter their password.