Use AI-assisted Authentication (Early Access)

Learn how to configure AI-assisted Authentication for Polaris fAST Dynamic to simplify DAST scans of sites that require authentication.

Overview

Note: This feature is currently in Early Access. Configuration is supported via updates to the scan settings JSON configuration file. The Polaris Web UI will be updated in a future release.

AI-assisted Authentication for fAST Dynamic uses machine learning, computer vision techniques, and a large language model (LLM) to automate the login process for DAST tests on web application targets.

To set up AI-assisted Authentication, you provide a login URL, username and password, and multi-factor authentication (MFA) details (if needed). When you start a DAST scan, AI-assisted Authentication does the following:

  • Captures screenshots of input forms, buttons (e.g. Login, Submit), and other relevant UI elements.
  • Dismisses cookie popups and banners.
  • Analyzes screenshots with an LLM to create a customized authentication script.
  • Completes all login steps automatically.
  • Triggers a fAST Dynamic DAST scan of the web application.

You do not need to configure CSS selectors, form values, or other advanced authentication settings because they will be auto-detected.

The feature is currently supported for two authentication methods:

  • Simple authentication: Form-based authentication via a username and password. Single-page and multi-page login sequences are both supported.
  • Time-based one-time password (TOTP) MFA and email MFA.

Security controls such as CAPTCHAs and security questions are not supported.

Data privacy

The AI-assisted Authentication feature of Polaris fAST Dynamic communicates with an LLM that runs on a private cloud service. Please note:

  • None of the prompts or responses exchanged between the feature and the LLM are used to:
    • Train or improve the LLM.
    • Improve the LLM provider's other products or services.
  • To facilitate AI-assisted Authentication, screenshots of login pages associated with the login URL that you configure in your authentication profile are sent to the LLM.
  • No source code, site credentials, or confidential information are transmitted to the LLM.
  • Data exchanged between the feature and the LLM is encrypted for storage and transmission.

Enable AI-assisted Authentication

Note that fAST Dynamic does not support multiple authentication profiles at this time. The scanner will default to the first authProfile in the array if multiple profiles are defined.

  1. Create a new JSON file in a text editor.
  2. Configure an authProfile for AI-assisted Authentication. An authProfile is defined as an array of JSON objects under authProfiles. You can copy and paste the following examples:
    Figure 1. Simple auth example
    {
        "version": "0.25",
        "authProfiles": [
            {
                "name": "TestLoginSimple",
                "authenticators": [
                    {
                        "loginType": "ai",
                        "settings": {
                            "loginURL": "https://myapp.blackduck.com",
                            "username": "example_user@blackduck.com",
                            "password": "ABCDEFGH"
                        }
                    }
                ]
            }
        ]
    }
    • name: The name of the authentication profile. Must be unique.
    • authenticators: An array of authentication settings to use with the authProfile.
    • loginType: Set to ai to enable AI-assisted Authentication.
    • loginURL: The URL of the login page of the target web application to scan. This must be accessible to the fAST Dynamic DAST scanner.
    • username: The username used to log in.
    • password: The password used to log in.
    Figure 2. MFA auth example
    {
        "version": "0.25",
        "authProfiles": [
            {
                "name": "TestLoginMFA",
                "authenticators": [
                    {
                        "loginType": "ai",
                        "settings": {
                            "loginURL": "https://myapp.blackduck.com",
                            "username": "example_user@blackduck.com",
                            "password": "XXXX",
                            "otpEmail": "my-project-ID@mfa.dast.blackduck.com",
                            "otpTimeSecret": "XXXXXXXXXXXXXXXXXXX"
                        }
                    }
                ]
            }
        ]
    }
    • otpEmail: The Black Duck MFA email address associated with the DAST project, in the format <project-ID>@mfa.dast.blackduck.com. To find the project ID, open the project in the Polaris Web UI and copy the alphanumeric string that follows /projects/ in your browser address bar (/projects/<project-ID>). Your web application must be configured to send its MFA emails to this address.
    • otpTimeSecret: The TOTP Secret Key that is configured in your MFA provider, e.g. WCUXRQCOKQJJWMPZ.
  3. Save the file, e.g. scan-settings-ai-auth.json.
  4. In the Polaris Web UI, upload the JSON settings file to the DAST project creation page. You can drag and drop the file to the Upload .json file box or browse for it on your computer.
  5. Complete the other fields on the DAST project creation page. See Create and test DAST projects for web applications and APIs for details.
  6. Save the DAST project.
    Now, you can run a DAST test on the project from the Polaris Web UI. AI-assisted Authentication will attempt to auto-detect the site's login sequence, configure authentication settings, and log in automatically.
    Note: This feature is in Early Access. If AI-assisted Authentication fails during a DAST scan, please open a Support ticket from the Help page in Polaris and provide details of the error. Use a different authentication method, e.g. simple or selenium, as an alternative.
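Before uploading a scan settings file, it helps to catch the mistakes this procedure makes easy: an unquoted otpEmail value (invalid JSON), a leftover placeholder in otpTimeSecret (TOTP secrets are base32), an otpEmail that is not a <project-ID>@mfa.dast.blackduck.com address, or several authProfiles when only the first is used. The checker below is an added example written for this page, not a Black Duck tool; the sample file and the allowed project-ID characters in the email pattern are assumptions.

```python
import base64
import json
import re

# Constructed sample scan-settings file (not from the page); same shape as the
# MFA example above, with a project-ID placeholder and a valid base32 secret.
SAMPLE_CONFIG = """{
  "version": "0.25",
  "authProfiles": [{"name": "TestLoginMFA", "authenticators": [{
    "loginType": "ai",
    "settings": {"loginURL": "https://myapp.example.com",
                 "username": "example_user@example.com",
                 "password": "hunter2",
                 "otpEmail": "abc123@mfa.dast.blackduck.com",
                 "otpTimeSecret": "WCUXRQCOKQJJWMPZ"}}]}]
}"""

# Pattern for the Black Duck MFA address; the page gives only the shape, so the
# allowed project-ID characters are an assumption.
OTP_EMAIL_RE = re.compile(r"^[A-Za-z0-9-]+@mfa\.dast\.blackduck\.com$")


def check_ai_auth_config(text):
    """Return the list of problems found; an empty list means the file looks usable."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]  # e.g. an unquoted otpEmail value
    profiles = cfg.get("authProfiles")
    if not isinstance(profiles, list) or not profiles:
        return ["authProfiles must be a non-empty array"]
    problems = []
    if len(profiles) > 1:  # the scanner silently uses only the first profile
        problems.append("multiple authProfiles defined; only the first is used")
    for auth in profiles[0].get("authenticators", []):
        if auth.get("loginType") != "ai":
            problems.append(f"loginType {auth.get('loginType')!r} is not 'ai'")
            continue
        settings = auth.get("settings", {})
        for key in ("loginURL", "username", "password"):
            if not settings.get(key):
                problems.append(f"settings.{key} is missing or empty")
        if "otpEmail" in settings and not OTP_EMAIL_RE.match(str(settings["otpEmail"])):
            problems.append("otpEmail must be <project-ID>@mfa.dast.blackduck.com")
        if "otpTimeSecret" in settings:
            try:  # TOTP secrets are base32, so a decode failure means a typo or placeholder
                base64.b32decode(str(settings["otpTimeSecret"]), casefold=True)
            except ValueError:
                problems.append("otpTimeSecret is not valid base32")
    return problems
```

Run it over your own file with check_ai_auth_config(open("scan-settings-ai-auth.json").read()) and fix anything it reports before step 4.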