Tipps and tricks

Login to applications with CSRF-tokens

Some applications provide login forms that have a hidden field with some random value in it. This random value is generated by the application by every request and must match during the POST of the form. This prevents CSRF attacks, because an attacker cannot know the random token. Therefore we need two steps. First we use a "CSRF From Token Extraction Step" that extracts the hidden value holding the form token. Then we use the "HTTP POST On Behalf Login Step" that POSTs the form using the username, password and CSRF-token from the shared information of the steps. Be sure to select "Store Password In Session Ticket" option in the "Security Settings" such that the password is available.

Investigation of the target applications login mechanism

A good start in defining the steps is to perform a login into the back-end system (without Airlock IAM) with a browser's network tracing tool enabled. Then you can basically rebuild the recorded interaction steps in the network tracing tool as "Identity Propagation Steps". We have successfully used Firebug, Tamper Data, or HTTP Live Header plugins.