Configuring form authentication with OTP
When running authenticated scans, some targets may necessitate the use of a One-Time Password (OTP), which involves using a unique code for each authentication attempt with the target web application. Acunetix supports form authentication using Time-based One-Time Passwords (TOTP) in conjunction with the auto-login option or with a pre-recorded login sequence. When OTP is configured in the target settings, Acunetix can access and scan all sections of the target website.
This document explains how to configure a target in Acunetix so that the scanner uses an OTP secret key for form authentication. It also includes specific instructions for using OTP with a login sequence (LSR).
How to configure a target with an OTP secret key for authenticated scanning
PREREQUISITES:
Step 1: Retrieve the OTP secret key
- Go to the target web application and enable Two-factor Authentication (2FA) or Multi-factor Authentication (MFA) for the user account that Acunetix will use when scanning the target web application.
- Scan the QR code displayed on the target web application using a QR code scanner that shows the data behind the QR code. (If using Microsoft Lens, change to Actions, and select the QR CODE options before scanning the QR code).
- Check that the QR code scanner has displayed the data. It should look something like this: otpauth://totp/<user>?secret=<secret>&issuer=<issuer>. Additional parameters may be present in the string, such as &digit=6, &period=30 and &algorithm=sha1, but the most important things to check are that the type is TOTP and that the secret key is in Base32.
- Copy the secret key so that you can enter it into Acunetix in the next step.
Illustrative example
In the image below, the data string behind the QR code is: otpauth://totp/<user>?secret=DYBF5RPX2GT42G4RBLBWIKAQFIJL7P33&issuer=<issuer>
This tells us that the OTP type is TOTP and the secret key is: DYBF5RPX2GT42G4RBLBWIKAQFIJL7P33.
Step 2: Set up OTP in your target settings
- Log in to Acunetix and select Targets from the left-side navigation menu.
- Click on the relevant target address in your list of targets to access the Target Settings page.
- Click the Site Login toggle if it is not already enabled. This expands the site login settings panel.
- Ensure the correct form authentication option is selected:
  - Try to auto-login into the site (if this option is selected, enter the necessary credentials in addition to setting up OTP), or
  - Use pre-recorded login sequence (if this option is selected, refer to the additional information later in this document about using OTP with a login sequence).
- Click Setup OTP.
- Paste in the secret key that you retrieved after scanning the QR code.
- Leave the other details at their default settings unless your OTP string specified different values (for example, &algorithm=sha256 in the string would require selecting Sha256 for the Algorithm):
  - Digit: This field sets the number of digits in the generated OTP.
  - Period: This field sets the time (in seconds) after which a new OTP is generated.
  - Algorithm: This field sets the hash algorithm used to generate the OTP.
- Click Save.
A success message confirms that the target is now configured for OTP form authentication when scanning.
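As an added worked example (this is not Acunetix code), the following Python script parses the otpauth:// string read from the QR code in Step 1 and generates codes using the same Digit, Period and Algorithm parameters that Step 2 asks you to enter. Running it lets you confirm that the secret you pasted produces the same code as the authenticator app before you start a scan. The Base32 secret is the one from the illustrative example above; the account label and issuer are constructed. Note that the otpauth Key URI format spells the digit-count parameter `digits`, and that the script rejects `otpauth://hotp/` strings, since the target settings support TOTP only.

```python
"""Parse an otpauth:// key URI and generate TOTP codes (RFC 4226 / RFC 6238).

Added example for this document; not Acunetix code. Sample data below is constructed.
"""
import base64
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Hash algorithms allowed by the Key URI "algorithm" parameter.
ALGORITHMS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}


@dataclass
class TotpConfig:
    label: str            # account label from the URI path, e.g. "Issuer:user"
    secret: str           # Base32 secret, exactly what is pasted into "Setup OTP"
    issuer: str
    digits: int = 6       # "Digit" field in the target settings
    period: int = 30      # "Period" field in the target settings
    algorithm: str = "sha1"  # "Algorithm" field in the target settings


def _pad(b32: str) -> str:
    """Base32 decoders need padding to a multiple of 8 characters; QR payloads usually omit it."""
    return b32 + "=" * (-len(b32) % 8)


def parse_otpauth(uri: str) -> TotpConfig:
    """Validate an otpauth:// URI and pull out the TOTP parameters, applying the standard defaults."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    if parts.netloc.lower() != "totp":
        raise ValueError(f"unsupported OTP type {parts.netloc!r}; only TOTP is supported")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("URI has no secret parameter")
    secret = params["secret"].replace(" ", "").upper()
    # Check Base32 now rather than at scan time: an invalid secret means every login fails later.
    try:
        base64.b32decode(_pad(secret), casefold=True)
    except ValueError as exc:
        raise ValueError("secret is not valid Base32") from exc
    algorithm = params.get("algorithm", "sha1").lower()
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    return TotpConfig(
        label=unquote(parts.path.lstrip("/")),
        secret=secret,
        issuer=params.get("issuer", ""),
        digits=int(params.get("digits", 6)),
        period=int(params.get("period", 30)),
        algorithm=algorithm,
    )


def hotp(secret_b32: str, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, modulo 10^digits."""
    key = base64.b32decode(_pad(secret_b32), casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(cfg: TotpConfig, at_time: Optional[float] = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    now = time.time() if at_time is None else at_time
    return hotp(cfg.secret, int(now // cfg.period), cfg.digits, cfg.algorithm)


# Constructed sample: the secret is the one from this document's illustrative example;
# the label and issuer are made up.
SAMPLE_URI = ("otpauth://totp/Acunetix:scanner-user?"
              "secret=DYBF5RPX2GT42G4RBLBWIKAQFIJL7P33&issuer=Acunetix")

if __name__ == "__main__":
    cfg = parse_otpauth(SAMPLE_URI)
    print(f"type=totp secret={cfg.secret} digits={cfg.digits} "
          f"period={cfg.period} algorithm={cfg.algorithm}")
    print("current code:", totp(cfg), "(compare with the authenticator app)")
```

Run the script and compare the printed code with the one your authenticator app shows for the same account; a mismatch within the same 30-second window points at a wrong secret, digit count or algorithm in the target settings. The RFC test vectors (secret `12345678901234567890`, i.e. Base32 `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`) can be used to check the generator itself.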
Using OTP with a login sequence (LSR)
Setting up OTP in conjunction with a pre-recorded login sequence requires some additional steps. Follow the instructions below to ensure your login sequence correctly incorporates OTP:
- Configure your target with the OTP secret key according to the instructions outlined above in this document.
- Click New to launch the Login Sequence Recorder.
- In the LSR window, navigate to the login form and input the required login details (for example, username and password).
- In the OTP (2FA/MFA) field, right-click and select Insert OTP Value. This tells the LSR to generate the OTP code and input it into the field. The recorded action in the right side panel will show the value as "{{otp}}".
- Complete any other actions to perform a successful login and ensure these are recorded correctly in the LSR. Click Play in the bottom left corner to confirm the OTP is being generated into the flow correctly.
- Click Next and complete the login sequence recording by recording restrictions and detecting the user session. For more information, refer to Recording a login sequence.
- Click Finish to save the LSR file to your target.
Your target is now configured with a login sequence that includes OTP form authentication. The Acunetix scanner will use this login sequence the next time you run a scan of this target.
Troubleshooting
How can I tell that OTP is configured correctly as part of the LSR flow?
When viewing your saved login sequence, the following things indicate that there is an active OTP configuration:
- Right-click on any input field and the Insert OTP Value option is available.
- There is a recorded action with value {{otp}} in the right-side panel, rather than the specific value you inserted in the field.