Security Research
Showing results for 
Search instead for 
Do you mean 

HP WebInspect Pro Tips: Login Macros

SasiSiddharth ‎05-30-2013 01:36 PM - edited ‎05-31-2013 07:10 AM

Why does a scanner need a login macro?

 A comprehensive security assessment mandates complete coverage of the target application’s attack surface. It is crucial to find and fuzz all possible inputs to the application. A typical web application is partitioned into two major sections – a protected section which requires valid login credentials for access and an unprotected section for public access. It is equally important to assess both the protected and public sections of the target application.


It’s a common misconception that security testing of restricted space is not as important as the public facing parts of the site. This is usually based on an assumption that the user retains only limited access throughout the site or that the authenticated user base does not possess malicious intent. But, there are a number of attacks that can be carried out by an authenticated malicious user and hence it is important to ensure that the web application provides no such opportunity. In order to gain insight into the attack surface exposed by the restricted area of an application, the automated scanner uses a login macro.


What is a login macro?

A login macro is a sequence of execution steps that can be reliably played back in order to acquire a valid state required for accessing restricted application sections. Also, a login macro contains a trigger. A trigger is a hint that would indicate the loss of authenticated state that "triggers" the replay of the login macro to re-acquire valid state. There are different flavors of a trigger:


- Logged-out condition: A pattern that matches the response received when one tries to access a protected page without a valid authenticated state. The macro is replayed when this pattern is detected.

- Logged-in condition: A pattern to recognize protected sections of the site. The macro is replayed when this pattern is NOT detected.

- A combination of the two


HP WebInspect has the capability to use a logged-out condition alone or a combination of both logged out and logged in patterns in order to indicate loss of state.


Troubleshooting Tips

A faulty trigger can cause false positives or false negatives when matching the trigger pattern. The following symptoms could indicate a faulty trigger or an incorrect macro sequence in the scan configuration:


- Slow scans that indicate excessive macro playbacks on the dashboard

- Inaccurate site tree node content that's expected to denote a logged in state, but have responses containing a login form or content typical to unprotected sections

- Errors indicating the inability to play back the login macro

- Invalidated SSO tokens during a scan

0 Kudos
About the Author


27 Feb - 2 March 2017
Barcelona | Fira Gran Via
Mobile World Congress 2017
Hewlett Packard Enterprise at Mobile World Congress 2017, Barcelona | Fira Gran Via Location: Hall 3, Booth 3E11
Read more
Each Month in 2017
Software Expert Days - 2017
Join us online to talk directly with our Software experts during online Expert Days. Find information here about past, current, and upcoming Expert Da...
Read more
View all