AnsweredAssumed Answered

WAS Bruteforce Settings and Auth Records

Question asked by Jayson Coulter on Apr 22, 2019
Latest reply on Apr 24, 2019 by Jayson Coulter

Afternoon All,

First-time poster, long time lurker. I could use some insight into WAS Bruteforce Settings, the differences between the option levels, and if the Bruteforce attempt utilizes the 'Standard Login' authentication record User Name.

I tried to provide as much information as possible without over wording this post, but am happy to provide as much information as I can.

I am currently troubleshooting why a web application scan that utilizes the Bruteforce Setting: Standard and a 'Standard Login' authentication record keeps locking out the test account being used. The account, as do all accounts in my company, has a global threshold of 5 incorrect attempts before the account is locked out. The authentication record is denoted as successful, but by the end of the scan, the account is locked out. My Accounts and Access Management team have correlated the lockout logs with the same time as the scans. The account logs show the scanning service logging into the application, attempts to log in with the test username and bad passwords, the lockout, and continued attempts at logging in. I would be better able to correlate the lockout if the scan diagnostics of the scan included time stamps of each, but unfortunately, it does not. So far, however, the scan begins at 1800 and the lockout occurs 1808.

Scan Diagnostics From Scan in Question:
Batch #4 Login Brute Force manipulation: estimated time < 30 minutes (1936 tests, 1 inputs)
Batch #4 Login Brute Force manipulation: 1936 vulnsigs tests, completed 1936 requests, 3887 seconds. Completed 1936 requests of 1936 estimated requests (100%). All tests completed.

The Bruteforcing Setting: Custom does denote that if a Lockout mechanism is in place, Qualys admins should utilize the Custom setting with the maximum number of passwords that can be tried.

Question 1
If a 'Standard Login' authentication record and a Bruteforce Setting: Standard are utilized in the same application scan, will the Bruteforce attempt inherit or use the username from the 'Standard Login' authentication record?
This is one of a handful of authentication records that utilize 'Standard Login' instead of a selenium script. I am reluctant to blame the combination of these features because I have other applications that utilize the same Option Configuration Bruteforce setting and the 'Standard Login' record combination with not reported issue.

Question 2
The Help Tips for Bruteforcing Settings when creating a WAS Option Profile provides the following definition for the minimal Settings.
'(empty passwords + UID = password) Test the username as a password and the empty password.
What exactly is the UID and where does it come from?

Thank you for your time,
- Jay