Security Research
Showing results for 
Search instead for 
Do you mean 

HP WebInspect Pro Tips: Login Macros

SasiSiddharth ‎05-30-2013 01:36 PM - edited ‎05-31-2013 07:10 AM

Why does a scanner need a login macro?

 A comprehensive security assessment mandates complete coverage of the target application’s attack surface. It is crucial to find and fuzz all possible inputs to the application. A typical web application is partitioned into two major sections – a protected section which requires valid login credentials for access and an unprotected section for public access. It is equally important to assess both the protected and public sections of the target application.


It’s a common misconception that security testing of restricted space is not as important as the public facing parts of the site. This is usually based on an assumption that the user retains only limited access throughout the site or that the authenticated user base does not possess malicious intent. But, there are a number of attacks that can be carried out by an authenticated malicious user and hence it is important to ensure that the web application provides no such opportunity. In order to gain insight into the attack surface exposed by the restricted area of an application, the automated scanner uses a login macro.


What is a login macro?

A login macro is a sequence of execution steps that can be reliably played back in order to acquire a valid state required for accessing restricted application sections. Also, a login macro contains a trigger. A trigger is a hint that would indicate the loss of authenticated state that "triggers" the replay of the login macro to re-acquire valid state. There are different flavors of a trigger:


- Logged-out condition: A pattern that matches the response received when one tries to access a protected page without a valid authenticated state. The macro is replayed when this pattern is detected.

- Logged-in condition: A pattern to recognize protected sections of the site. The macro is replayed when this pattern is NOT detected.

- A combination of the two


HP WebInspect has the capability to use a logged-out condition alone or a combination of both logged out and logged in patterns in order to indicate loss of state.


Troubleshooting Tips

A faulty trigger can cause false positives or false negatives when matching the trigger pattern. The following symptoms could indicate a faulty trigger or an incorrect macro sequence in the scan configuration:


- Slow scans that indicate excessive macro playbacks on the dashboard

- Inaccurate site tree node content that's expected to denote a logged in state, but have responses containing a login form or content typical to unprotected sections

- Errors indicating the inability to play back the login macro

- Invalidated SSO tokens during a scan

About the Author


Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
January 2016
Software Expert Days - 2016
Join us online to talk directly with our Software experts during the online Expert Days - see details below. Software experts do not monitor this foru...
Read more
See board event postings
Vivit Events - 2016
Learn about upcoming Vivit webinars and live events in 2016.
Read more
View all