Sometimes, when running an authenticated application scan, you will find that the scanner can authenticate once, but fails on subsequent runs (you may even see both a success and a failure within one scan). If you then try to log in to the target application using the same credentials you may find they have been locked out.
There are two likely causes for this:
The Scanner has Changed the Password
The application may present a route for changing the password which does not require an out-of-band link or MFA token. In this case, the scanner may submit the form to change the password without realizing that's what the form does. On the next login attempt, the scanner will try the original password and fail (as will manual login attempts).
This can be avoided by adding the URL that the form submits to the scan's Denied Targets.
You may also want to look into modifying the route to include an out-of-band link or MFA token.
The Account Has Been Locked Out due to Protective Measures on the Scanned Systems
There are two potential reasons your application (or the systems around it) may lock out the account. This is something the system owner will need to determine - AppCheck do not have the necessary visibility of the relevant systems to determine this.
A Defensive System Has Identified The Scanner as Malicious due to Requests That Look Like Attacks
A WAF/IPS which identifies the scanner as an attacker would usually lock out the scanner by IP address (see Allowing AppCheck Access to Your Network or Applications), but a software solution within your application may instead lock out the account in use.
There is no tweak that can be done within the scan configuration to avoid this situation: requests from the scanner look like attack requests - that is the core of what the scanner does.
In this case, the solution is to disable such precautions during the scan (eg by disabling them for the account in question, or for the environment being scanned).
A Defensive System Has Identified The Scanner as Malicious due to the Rate of Requests
If the scanned system is locking out an account based on the request rate there are options to reduce this, but be aware these will make the scan take considerably longer. It would be preferable to disable such precautions during the scan (eg by disabling them for the account in question, or for the environment being scanned).
If you do wish to lower the request rate of the scan, see our FAQ Minimising Risk of Web Application Scanning, specifically the section Attack Payload Scan Intensity.
Article is closed for comments.