Improving application login through login configuration heuristics

During application login, it can be challenging to get an automated program to correctly discover session identifiers, handle JavaScript™ execution, bypass security controls, or identify an "in-session page".

The scan uses a set of login configuration heuristics to identify:

  • unnecessary pages to eliminate from the scan
  • which parameters and cookies should be tracked during the scan
  • the best page to use for in-session page detection

Unnecessary pages

These heuristics remove pages that are not important for acquiring the session. While this does not resolve "out of session" problems, it improves scan performance and the performance of the other sets of heuristics. If no unnecessary pages are detected, you will not notice these heuristics at work. Otherwise, you can choose which pages to keep or to delete.

Parameters and cookies

This set of heuristics identifies which parameters and cookies should be tracked during a scan (the scan engine updates the values of these entities from the target site's responses). The heuristics will also identify the user name and password parameters and if JavaScript execution is required during login.

In-session page and pattern

This set of heuristics tries to identify the best page to be used for in-session detection, and then extracts a string from this page that identifies it as a "logged in" page.
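As an added example (not the scanner's own code), here is a simplified model of the three heuristic sets above run over a constructed login recording; the recording layout, the name patterns for credential fields and the "logout" preference are assumptions.

```python
import re

# Constructed login recording (not from a real application): each step is the request the scanner replayed and the response it received.
RECORDING = [
    {"url": "/login", "params": {}, "cookies": {},
     "set_cookie": {"JSESSIONID": "pre-1"},
     "body": '<form><input name="csrf" value="t0k3n"></form>'},
    {"url": "/img/logo.png", "params": {}, "cookies": {"JSESSIONID": "pre-1"},
     "set_cookie": {}, "body": "PNG..."},
    {"url": "/doLogin", "params": {"user": "alice", "passwd": "s3cret", "csrf": "t0k3n"},
     "cookies": {"JSESSIONID": "pre-1"}, "set_cookie": {"JSESSIONID": "auth-9"}, "body": ""},
    {"url": "/home", "params": {}, "cookies": {"JSESSIONID": "auth-9"}, "set_cookie": {},
     "body": '<h1>Welcome alice</h1><a href="/signoff">Logout</a>'},
]

def tracked_cookies(rec):
    """Cookies set by a response whose value is echoed by a later request."""
    return {name for i, s in enumerate(rec) for name, val in s["set_cookie"].items()
            if any(later["cookies"].get(name) == val for later in rec[i + 1:])}

def tracked_parameters(rec):
    """Parameters whose value came from an earlier response body (e.g. a CSRF token)."""
    return {name for i, s in enumerate(rec) for name, val in s["params"].items()
            if any(val in earlier["body"] for earlier in rec[:i])}

def credential_parameters(rec):
    """Guess the user name and password parameters from their names (heuristic)."""
    for s in rec:
        pw = next((n for n in s["params"] if re.search(r"pass|pwd", n, re.I)), None)
        if pw:
            return next((n for n in s["params"] if re.search(r"user|login|email", n, re.I)), None), pw
    return None, None

def in_session_pattern(rec):
    """Use the last page with a body as the in-session page and extract a word
    that appears there but on no earlier page and is not a submitted value."""
    idx = max(i for i, s in enumerate(rec) if s["body"])
    earlier = [s["body"] for s in rec[:idx]]
    values = {v for s in rec for v in s["params"].values()}
    words = re.findall(r"[A-Za-z]{4,}", re.sub(r"<[^>]+>", " ", rec[idx]["body"]))
    cands = [w for w in words if w not in values and not any(w in b for b in earlier)]
    logout = [w for w in cands if re.search(r"logout|signout|signoff", w, re.I)]
    return rec[idx]["url"], (logout or cands)[0]

def unnecessary_pages(rec):
    """Pages that set no tracked cookie, carry no tracked or credential
    parameter and are not the in-session page: candidates to drop from the login."""
    cookies, params = tracked_cookies(rec), tracked_parameters(rec)
    params |= set(filter(None, credential_parameters(rec)))
    in_page = in_session_pattern(rec)[0]
    return [s["url"] for s in rec if s["url"] != in_page
            and not (set(s["set_cookie"]) & cookies) and not (set(s["params"]) & params)]
```

On the constructed recording the session cookie and the CSRF token are selected for tracking, the logo request is flagged as unnecessary, and "Logout" on /home becomes the in-session pattern.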