Describe the application's login responses

About this task

In the Successful Login Detection window, you enable Authentication Tester to recognize login responses as either successful or failed. Authentication Tester needs this information to know when the web application has accepted a set of credentials as valid.

The list contains some default Success responses, but you should edit it to include any and all responses that are specific to your application.

Procedure

  1. Select the type of response that you want to describe:
    • Success Response: The response to a valid login attempt
    • Error Response: The response to an invalid login attempt
  2. Enter a text string or regular expression (regexp) that matches some content on the response page. Be sure to match only static content (fixed text), not values that change from one response to the next, such as user names, session identifiers or timestamps.

    For example, if you know that invalid credentials receive the response "Username and password do not match", you can use this string to let Authentication Tester know the result of its tests.

    Using regular expressions rather than literal strings allows you to configure Authentication Tester once and reuse the configuration across multiple runs during the development stages of your web application.

    For example, if it has not yet been decided whether the successful-login page will show a large, full-page Welcome! message or a small welcome string at the top of the home page, you can enter (?i)welcome; the (?i) prefix makes the match case-insensitive, so either version of the page is detected.

    Tip: To learn more about regexps, and the metacharacters that can be used to indicate more than literal strings, see About metacharacters. To test regular expressions before attempting to use them in Authentication Tester, try the Expression Test PowerTool.
  3. Click Add.

    The regexp is added to the list of responses.

    You can add as many regexps as you want. Authentication Tester uses them with an OR operator: if one or more of the regular expressions matches content on a page of your site, that page is recognized as a result page (either successful login or error page, depending on your response type selection).

  4. To remove unwanted regexps from the list, select the regexp and click Remove.
  5. Click OK.

    The Successful Login Detection window closes and you are returned to the main window. You can now run brute force tests using the current configuration (see Running authentication tests).
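The following is an added example that models the detection logic described in the procedure above; it is not code from AppScan or the Authentication Tester PowerTool, and it assumes nothing about the tool's internals. It shows the OR semantics of step 3 (any matching regexp classifies the page), the (?i) case-insensitive success pattern from step 2, and two outcomes a practitioner should watch for: a page that matches both a Success and an Error pattern (the success pattern is too loose), and a page that matches neither (for example an account-lockout message). The pattern lists, the classify_response and check_pattern helpers and the sample response bodies are all constructed for this example.

```python
import re
from typing import Iterable, List, Optional

# Constructed pattern lists, modelled on the examples in the procedure.
# Within each list the patterns are OR-ed: one match is enough.
SUCCESS_PATTERNS = [
    r"(?i)welcome",   # large "Welcome!" page or small welcome string, any case
    r"Logout",        # a logout link is normally only shown to a signed-in user
]
ERROR_PATTERNS = [
    r"Username and password do not match",
    r"(?i)invalid (username|password)",
]

# Constructed response bodies standing in for pages returned by a login form.
SAMPLE_SUCCESS = "<html><body><h1>Welcome!</h1><a href='/logout'>Logout</a></body></html>"
SAMPLE_ERROR = "<html><body><p class='err'>Username and password do not match</p></body></html>"
# A login page whose static header also says "Welcome" will match BOTH lists.
SAMPLE_AMBIGUOUS = ("<html><body><h1>Welcome to Example Portal</h1>"
                    "<p>Username and password do not match</p></body></html>")
# A lockout page matches neither list and must not be mistaken for a success.
SAMPLE_UNKNOWN = "<html><body><p>Your account has been locked for 30 minutes.</p></body></html>"


def check_pattern(pattern: str) -> Optional[str]:
    """Return None if the regexp compiles, otherwise the compiler's error text.

    This is the kind of check the Expression Test PowerTool lets you do before
    adding a pattern to the list.
    """
    try:
        re.compile(pattern)
        return None
    except re.error as exc:
        return str(exc)


def matches_any(patterns: Iterable[str], body: str) -> Optional[str]:
    """OR semantics: return the first pattern that matches the body, or None."""
    for pattern in patterns:
        if re.search(pattern, body):
            return pattern
    return None


def classify_response(body: str,
                      success: List[str] = SUCCESS_PATTERNS,
                      error: List[str] = ERROR_PATTERNS) -> str:
    """Classify a login response body.

    Returns 'success', 'error', 'ambiguous' (both lists matched, so a pattern
    is matching static text that appears on every page) or 'unknown'
    (neither list matched, so the list needs another pattern).
    """
    hit_success = matches_any(success, body)
    hit_error = matches_any(error, body)
    if hit_success and hit_error:
        return "ambiguous"
    if hit_success:
        return "success"
    if hit_error:
        return "error"
    return "unknown"


if __name__ == "__main__":
    for name, body in [("success page", SAMPLE_SUCCESS), ("error page", SAMPLE_ERROR),
                       ("login page with welcome banner", SAMPLE_AMBIGUOUS),
                       ("lockout page", SAMPLE_UNKNOWN)]:
        print(f"{name}: {classify_response(body)}")
    print("bad pattern 'Welcome(':", check_pattern("Welcome("))
```

An 'ambiguous' result means a Success pattern is matching content that is present on the login page itself; tighten it (for example, match the logout link or a string that appears only after login) rather than relying on a greeting that the site shows everywhere. An 'unknown' result means the tester would treat the attempt as neither success nor failure, so add a pattern for that page before running a large batch of tests.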