N-Stalker Support Team, Jan 30, 2009

Creating an Authentication Web Macro


This article gives an overview of how to create an authentication Web Macro (also called a navigation script), which lets you supply custom web-form authentication to an N-Stalker scan session. For more details, see the "Macro Recorder" section of the N-Stalker User's Guide.


  1. Open the N-Stalker Security Scanner 2009.
     (screenshot: 0.jpg)

  2. Click the "Macro Recorder" button in the top toolbar.
     (screenshot: 1.jpg)

  3. Fill in the "Macro Name" field and tick the "This is an authentication macro" box.
     (screenshot: 1.5.jpg)

  4. Press the "Start Proxy" button to start the recording proxy (default settings are 127.0.0.1:8080). Every request the browser sends through this proxy is recorded into the macro.
     (screenshot: 2.jpg)

  5. Press the "Start Browser" button to launch a web browser that is already configured to use the recording proxy.
     (screenshot: 3.jpg)

  6. Once the browser is open, go to the URL of the application that handles authentication. In our case there are two proof-of-concept applications involved:
     • www.mock.zmt - a regular application that will not let you in unless you present a valid token;
     • auth.mock.zmt - a single-sign-on-style application whose purpose is to issue you a valid token.
     Important note: these are not public applications. They were created as a sample, so you will not be able to reach them from your browser.

  7. Once inside the authentication application, enter your logon credentials.
     (screenshot: 5.5.jpg)

  8. To check that authentication succeeded, navigate to the main page (http://www.mock.zmt), which displays nothing without a valid token.
     (screenshot: 6.jpg)

  9. N-Stalker has a second feature called "Logout detection": a simple way to record the pattern the application produces when the session is no longer valid, so the scanner can authenticate again during the scan session. Click "Capture Logout" and do nothing else for the moment.
     (screenshot: 6.5.jpg)

  10. The following message box must stay open while you test for a logout pattern. Do not click the "OK" button yet!
      (screenshot: 7.jpg)

  11. Go back to your application (in our case http://www.mock.zmt). Now click on areas that require you to be authenticated (e.g. "My Account", "My Transactions"). While the message box is open, N-Stalker automatically strips all valid tokens from your requests, forcing the application to produce its logged-out behaviour.
      (screenshot: 9.jpg)

  12. Now go back to N-Stalker's interface and click the "OK" button (now you can!).

  13. In our application's case, no visible logout pattern (such as a redirection) occurred, so we must add one manually. If your application answers logged-out requests with a simple redirection, N-Stalker will have captured it and you are done. Otherwise, continue with the next steps.
      (screenshot: 8.jpg)

  14. Head back to your browser and right-click on the page. Use "View Source" to find a good pattern.
      (screenshot: 10.jpg)

  15. It turns out our only choice is the string "not authenticated", which the application writes into the page for unauthenticated users.
      (screenshot: 11.jpg)

  16. Add a new logout pattern, enter "200" in the "Code" field and paste the "not authenticated" text into the "Body Expression" field (regular expressions are allowed). Keep the expression specific: a body expression that also matches pages a logged-in user can see will make the scanner re-authenticate needlessly.
      (screenshot: 12.jpg)

  17. Save the Web Macro file so you can use it in the scan. The file contains the recorded login request, credentials included, so protect it as you would any other secret.
      (screenshot: 13.jpg)

  18. Start a new scan using the application's URL (http://www.mock.zmt), choose your preferred Scan Policy and click the "Next" button.
      (screenshot: 14.jpg)

  19. If you want to optimize your scan settings, press the "Optimize" button.
      (screenshot: 15.jpg)

  20. Click the "Authentication" tab and, in the "Web Macro Authentication" combo list, select the Web Macro you generated. Then click the "Next" button.
      (screenshot: 18.jpg)

  21. Review your configuration and click "Start Session".
      (screenshot: 16.jpg)

  22. Press the "Start Scan" button to initiate the scan.
      (screenshot: 19.jpg)
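The logout rule configured above (HTTP code 200 plus the body expression "not authenticated") is just a predicate over a response; the scanner evaluates it on every reply and replays the authentication macro when it fires. The following Python is an added example written for this article, not N-Stalker code: it models such a rule as status code plus optional body and Location regexes, and runs a toy crawl loop that re-authenticates when the rule matches. The mock server, the token lifetime, the URLs and the `Session`/`Response` classes are all constructed for the demo; the second rule (a 302 to auth.mock.zmt) illustrates the "simple redirection" case the article says N-Stalker can capture by itself.

```python
"""Logout-pattern detection with automatic re-authentication (added example)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


@dataclass
class Response:
    """Minimal constructed stand-in for an HTTP response (no network involved)."""
    status: int
    body: str
    location: Optional[str] = None  # Location header, used by redirect-style rules


@dataclass
class LogoutPattern:
    """One logout rule: a status code plus optional regexes on body / Location."""
    code: int
    body_expression: Optional[str] = None
    location_expression: Optional[str] = None

    def matches(self, resp: Response) -> bool:
        if resp.status != self.code:
            return False
        if self.body_expression and not re.search(self.body_expression, resp.body, re.I | re.S):
            return False
        if self.location_expression and not (
            resp.location and re.search(self.location_expression, resp.location, re.I)
        ):
            return False
        return True


def is_logged_out(resp: Response, patterns: Iterable[LogoutPattern]) -> bool:
    """True when any configured logout rule matches the response."""
    return any(p.matches(resp) for p in patterns)


class Session:
    """Constructed toy session holding the token the auth macro would obtain."""
    def __init__(self) -> None:
        self.token: Optional[str] = None
        self.logins = 0

    def login(self) -> None:
        # Stands in for replaying the recorded macro against the SSO application.
        self.logins += 1
        self.token = f"tok-{self.logins}"


def make_mock_server(valid_for: int) -> Callable[[str, Optional[str]], Response]:
    """Constructed stand-in for www.mock.zmt: a token is good for `valid_for`
    requests, after which the app answers 200 with 'not authenticated' in the
    body instead of redirecting (the awkward case the article handles by hand)."""
    uses: Dict[str, int] = {}

    def fetch(url: str, token: Optional[str]) -> Response:
        if token is None or uses.get(token, 0) >= valid_for:
            return Response(200, "<html><body>not authenticated</body></html>")
        uses[token] = uses.get(token, 0) + 1
        return Response(200, f"<html><body>{url}: content for {token}</body></html>")

    return fetch


def crawl(urls: List[str], fetch, session: Session,
          patterns: List[LogoutPattern], max_reauth: int = 3) -> Dict[str, int]:
    """Fetch each URL; when a logout rule fires, re-authenticate and retry."""
    results: Dict[str, int] = {}
    for url in urls:
        for _ in range(max_reauth + 1):
            resp = fetch(url, session.token)
            if not is_logged_out(resp, patterns):
                results[url] = resp.status
                break
            session.login()
        else:
            # Guard against a rule that matches everything: without this, a
            # too-broad body expression turns into an endless re-login loop.
            raise RuntimeError(f"still logged out after {max_reauth} re-authentications: {url}")
    return results


def demo():
    """Run the crawl against the mock server; returns (results, number of logins)."""
    patterns = [
        LogoutPattern(code=200, body_expression=r"not\s+authenticated"),   # the article's rule
        LogoutPattern(code=302, location_expression=r"auth\.mock\.zmt"),   # redirect-style rule
    ]
    session = Session()
    fetch = make_mock_server(valid_for=2)
    urls = ["/", "/account", "/transactions", "/history", "/settings"]
    return crawl(urls, fetch, session, patterns), session.logins


if __name__ == "__main__":
    print(demo())
```

With a token that expires after two requests and five pages to visit, the loop logs in once at the start and twice more mid-crawl; the `max_reauth` guard is the check worth keeping in a real tool, since a body expression that also matches logged-in pages would otherwise loop forever.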