One-Time Password (OTP) view

If required by your application, configure AppScan® to use OTP when logging in.

If your application uses OTP, select one of the two options, otherwise leave the default setting: None.

When you record the login procedure, AppScan will extract the relevant parameters from the traffic and add them to the OTP HTTP-parameters list. They will also be added to the OTP entry in Automatic Form Fill view. If AppScan fails to identify the parameters, you must add them yourself, either in this view or in Automatic Form Fill view.
Limitations:
  • Only one OTP type (TOTP or URL-generated) is supported per scan.
  • For TOTP only numerical values are supported.
  • OTP is supported only when the Chromium browser is used to record the Login. It is not supported if Internet Explorer is used.
To see our short video demo, click the icon below:

Option Description

TOTP

For time-based one-time passwords, you must provide AppScan with:
  • Secret key
  • OTP length (number of digits)
  • Hash algorithm used (select from the dropdown)
  • Time step (in seconds)
Tip: The times on the AppScan machine and the tested server must both be accurate.

URL-generated OTP

If the OTP is accessible from a designated URL, you can configure AppScan to extract it from the URL’s response. You must provide AppScan with:
  • URL
  • Regular expression that will identify the OTP in the URL response.

None

OTP is not used by the site, or scanning those pages that use OTP is not required.

Details

OTP HTTP-parameters

If you have selected one of the OTP types, then when you validate the login procedure, AppScan will identify the required parameters needed from the traffic, and add them to the Automatic Form Fill list. They will also be shown here.

If AppScan® fails to identify the parameters, you must add them yourself. Parameters must be comma separated.