Description
SC DAST Login Macro initial troubleshooting info
The following information should be collected when a ScanCentral DAST (SC DAST) scan that uses a login macro fails to authenticate. Having these answers up front avoids a round of follow-up questions.
Solution
1). Background and versions:
A). Did you scan this same web application successfully in the past? If so, what has changed since then?
B). Are you able to scan a different web application with a configuration similar to the one you are trying to use?
C). Macro Recorder client version:
D). SC DAST sensor WebInspect version:
E). SC DAST sensor application version:
F). SSC version:
2). Please provide the login macro (the .webmacro file).
3). Do you allow us to replay the login macro in the Macro Recorder as needed for further checks?
4). Please tell us the step in the login macro at which authentication fails.
For example, for a step such as:
"Click on Signin button"
"Sign in"
"Click on "Password" passwordbox"
open "Object" for that step and check how the element is identified:
"ID Method": Automatic
XPath
JavaScript
Descriptors
Reference (WebInspect Tools Guide 24.2.0, page 200):
https://www.microfocus.com/documentation/fortify-webinspect/2420/WI_Tools_Guide_24.2.0.pdf
5). Please provide an export of the .scan file from a scan run with “Enable Traffic Monitor” turned on in the DAST scan settings, so that the login traffic is captured.
6). Please provide the scan ID and the name of the sensor on which the scan ran in Fortify ScanCentral DAST.
7). Which identity provider (IdP) is in front of the web application?
Examples: Microsoft Entra ID (Azure AD) only, ADFS, PingFederate, Okta, etc.
8). Is this an internal or an external (internet-facing) web application?
9). Do you use SSO or Seamless SSO for the website?
Microsoft Entra Seamless SSO reference: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sso
10). Which of the following do you use to authenticate to the web application:
A). MFA
Macro Recorder setup reference: TruClient Demo: How to scan apps with Multi-Factor Authentication
https://www.youtube.com/watch?v=BxC5SeADhdA
B). 2FA (requires installing the Fortify 2FA app on your phone)
Macro Recorder setup reference: 2FA Support in Fortify DAST
https://www.youtube.com/watch?v=g3hH7J_TFZk
C). Basic username and password
Macro Recorder setup reference: Parameterized Login Macros in WebInspect
https://www.youtube.com/watch?v=08EvLzrpCs8
Note:
- 2FA: exactly one additional authentication method (factor) is required on top of the username and password.
- MFA: the general term for two or more factors in total, so 2FA is itself a form of MFA. For the purposes of this article, MFA refers to flows with two or more additional methods on top of the username and password.
11). If you use MFA or 2FA, which authentication methods are enabled for this website?
Microsoft Authenticator app
TOTP (time-based one-time password, e.g. an authenticator app code)
Phone authentication
SMS
Voice phone call
Certificate-based authentication
Email OTP
Reference (Microsoft Entra authentication methods):
https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods-manage
12). Are you also using a Network Proxy, Site Authentication, a Client Certificate, or Network Authentication in the DAST scan settings?
13). Please provide step-by-step screenshots of the authentication process when you log in to the web page normally (outside the Macro Recorder).
14). Please also provide step-by-step screenshots of the error you get when the macro is replayed in the Macro Recorder.
15). Is the configuration described in your answers above the same for all applications you scan in DAST, or does it change per application?
16). If possible, could you send us a video of the Macro Recorder with the steps you have taken? It would help us understand the issue and assist you more effectively.
Please also check the following KB, which covers known issues with login macros and their solutions:
SC DAST Login Macro known issues & troubleshooting
https://support.cyberreshelp.com/hc/en-us/articles/29987131485463-SC-DAST-Login-Macro-known-issues-troubleshooting