Configuring Form Authentication with OTP
Invicti Enterprise offers various options for authenticating scans, with the most common method being form authentication. Some authentication forms may necessitate the use of a One-Time Password (OTP), whereby a unique code is used for each authentication attempt with the target web application.
Invicti Enterprise supports form authentication using OTP. By providing this type of two-factor authentication via a secret key, the OTP can be filled in automatically so that Invicti Enterprise can access and scan all sections of the target website.
Two OTP types are supported:
- Time-based (TOTP): A temporary passcode generated by an algorithm that uses the current time of the day as one of its authentication factors.
- HMAC-based (HOTP): A passcode derived from a hash-based message authentication code (HMAC) computed over an incrementing counter rather than the current time.
This document explains how to configure form authentication with an OTP secret key when setting up a scan in Invicti Enterprise.
How to retrieve and configure an OTP secret key for authenticated scans
There are three main steps to this configuration:
- Configure the scan profile in Invicti Enterprise
- Retrieve the OTP settings information
- Configure the OTP settings in Invicti Enterprise
Step 1: Configure the scan profile
- In Invicti Enterprise, select Scans > Scan Profiles from the left-side menu.
- Choose the scan profile you want to configure and click Edit. Alternatively, click + New Profile to create a new scan profile.
- Confirm the Target URL.
- In the Scan Settings options, select Form (under Authentication).
- Click the checkbox to enable Form Authentication.
- Enter the Login Form URL. This is the URL (including the protocol HTTP or HTTPS) of the login form that the scanner will access.
- In the Personas section, click + New Persona.
- Enter the Username and Password login details that the scanner will use.
- Click the ellipsis (…) in the OTP column to open the OTP configuration.
You have now completed the first step. After retrieving the OTP settings in Step 2, you will return to the OTP configuration window in Invicti Enterprise to complete the configuration.
NOTE: Every persona has its own OTP settings, so if you have multiple personas you will need to configure OTP for each one if this is required by the web application.
Step 2: Retrieve the OTP settings
- In the web application that you will scan, choose to configure Two-factor Authentication (2FA) or Multi-factor Authentication (MFA) for the user account you configured as the persona in Step 1.
- The web application will show a QR code that needs to be scanned.
- You will need to use a QR code scanner that shows the data behind the QR code. In our example, we have used Microsoft Lens on Android to scan the QR code.
- From Microsoft Lens, change to Actions, and select the QR CODE options.
- Scan the QR code that is displayed in the web application.
- Microsoft Lens will show the data behind the QR code. The data will be in the form:
otpauth://totp/<user>?secret=<secret>&issuer=<issuer>
For example: otpauth://totp/user%40domain.com?secret=DYBF5RPX2GT42G4RBLBWIKAQFIJL7P33&issuer=Invicti+Enterprise
- The above example shows that the OTP Type is TOTP, and the secret is DYBF5RPX2GT42G4RBLBWIKAQFIJL7P33.
- Copy the QR data so that you can add it to Invicti Enterprise in Step 3 below.
Step 3: Configure OTP settings in Invicti Enterprise
- Return to the Invicti Enterprise OTP configuration window and set the OTP Type and Secret Key according to the information you obtained in Step 2 above.
- The other details can be left with the default settings:
  - Digit: This field sets the number of digits in the generated OTP.
  - Period: This field sets the time (in seconds) after which a new OTP is generated.
  - Algorithm: This is the hash algorithm used to compute the OTP.
- Click Generate OTP to generate a code. Then, confirm that the OTP settings are working correctly by entering the code in the web application.
- The web application may require you to provide two consecutive codes, in which case, click Generate OTP again and provide the new code to the web application.
- Once ready, click OK to save the scan profile with the OTP settings.
The scan profile is now configured for form authentication with OTP and can be used to scan your target.
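As an added example that is not part of the Invicti guide, the following Python script parses the otpauth:// data obtained in Step 2 and generates codes the same way an authenticator app does (RFC 4226 HOTP and RFC 6238 TOTP), using the Digit, Period and Algorithm settings described in Step 3. The URI is the one shown above; the secret in it is taken from the guide's example and is not a real account.

```python
"""Parse an otpauth:// URI and generate TOTP/HOTP codes (RFC 6238 / RFC 4226)."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Sample input: the otpauth URI shown in Step 2 of the guide (example data).
EXAMPLE_URI = ("otpauth://totp/user%40domain.com"
               "?secret=DYBF5RPX2GT42G4RBLBWIKAQFIJL7P33&issuer=Invicti+Enterprise")


def parse_otpauth(uri):
    """Return the OTP settings encoded in an otpauth:// URI, with RFC defaults."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth://totp or otpauth://hotp URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "type": parts.netloc,                      # OTP Type
        "label": unquote(parts.path.lstrip("/")),  # usually the account name
        "secret": params["secret"],                # Secret Key (base32)
        "issuer": params.get("issuer", ""),
        "digits": int(params.get("digits", 6)),    # Digit
        "period": int(params.get("period", 30)),   # Period (TOTP only)
        "algorithm": params.get("algorithm", "SHA1").upper(),  # Algorithm
    }


def hotp(secret_b32, counter, digits=6, algorithm="SHA1"):
    """HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter),
                      getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, timestamp=None, digits=6, period=30, algorithm="SHA1"):
    """TOTP is HOTP with the counter set to the current time step."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret_b32, int(timestamp) // period, digits, algorithm)


if __name__ == "__main__":
    cfg = parse_otpauth(EXAMPLE_URI)
    print(cfg["type"], cfg["secret"], totp(cfg["secret"], digits=cfg["digits"],
                                           period=cfg["period"], algorithm=cfg["algorithm"]))
```

Because the counter is the time step, a code is only valid for one Period, which is why a web application that asks for two consecutive codes is checking that your secret and clock produce the same sequence as its own.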