When the "login processing" function is scanned, a payload is also inserted into the password parameter, so every scan request results in a login error.
If the application locks the account, the scan can no longer be performed correctly because it is impossible to log in afterwards.
How a website with an account-lock function should be scanned depends on which of the following cases applies:
(1) websites that lock an account after a certain number of consecutive login failures
(2) websites that count the cumulative number of login errors (a successful login in between does not reset the count)
In case (1), scanning method:1 and method:2 are both applicable.
In case (2), only scanning method:2 is applicable, because a successful login between requests does not reset a cumulative counter.
*Example of page transition
[1: Login page] → [2: Top page after login]
Scanning method:1: in the pre-processor of [2: Top page after login] (the scanning target), set the sequence [Login page] → [Top page after login] → [Logout].
With this setting a successful login is performed once before each scan request, so authentication failures never occur consecutively and the lock threshold of case (1) is not reached.
* Depending on the specifications of the application, the same processing can also be set in the post-processor setting.
Scanning method:2: prepare multiple users for logging in to the scanning target.
(About 3000 users, though the number varies with the number of parameters, since roughly one user is consumed per login request the scan sends.)
Set the scanner to send a different user ID in the login ID parameter on every request.
*Example of sending the authentication information as POST parameters
1st time: userid=test001&pwd=aaaaaa
2nd time: userid=test002&pwd=aaaaaa
3rd time: userid=test003&pwd=aaaaaa
With this scanning setting, account lock is prevented because each authentication attempt uses a different user ID, so no single account accumulates login failures.
* For the setting method, refer to the following manual:
· VEX Handler Guide > "When there is duplication check on data"
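The following is an added example, not part of this manual and not VEX code: a small Python simulation of the two lock policies (consecutive and cumulative) against the two scanning methods described above (method:1, pre-processor login before each request; method:2, a different user ID per request). It shows why method:1 only helps in case (1) while method:2 helps in both. The lock threshold (5), the user names test001, test002, ... and the password aaaaaa are assumptions chosen for the simulation; post_bodies() produces the POST bodies of the method:2 example.

```python
# Added example (not VEX code): simulates the two account-lock policies and the
# two scanning methods. Threshold, user names and password are assumptions.
from dataclasses import dataclass, field
from urllib.parse import urlencode

VALID_PASSWORD = "aaaaaa"   # assumed password of the prepared test users
SINGLE_USER = "test001"     # the only account used when user IDs are not rotated


@dataclass
class LoginEndpoint:
    """Toy 'login processing' with a configurable lock policy.

    'consecutive': lock after `threshold` failures in a row; a successful
                   login resets the per-user counter (case (1)).
    'cumulative':  lock after `threshold` failures in total; successes do
                   not reset the counter (case (2)).
    """
    policy: str
    threshold: int = 5
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def login(self, userid: str, pwd: str) -> bool:
        if userid in self.locked:          # a locked account rejects even valid credentials
            return False
        if pwd == VALID_PASSWORD:
            if self.policy == "consecutive":
                self.failures[userid] = 0  # success resets the consecutive counter only
            return True
        self.failures[userid] = self.failures.get(userid, 0) + 1
        if self.failures[userid] >= self.threshold:
            self.locked.add(userid)
        return False


def scan(endpoint: LoginEndpoint, payloads, preprocess=False, rotate_users=False):
    """Replay the scanner's requests against the login endpoint.

    Every payload is injected into the password parameter, so each scan
    request is a failed login.
      preprocess=True   -> run Login -> Logout with valid credentials before
                           each request, as the method:1 pre-processor does.
      rotate_users=True -> send test001, test002, ... as the user ID, as the
                           method:2 setting does.
    Returns the sorted list of accounts that ended up locked.
    """
    for i, payload in enumerate(payloads, start=1):
        userid = f"test{i:03d}" if rotate_users else SINGLE_USER
        if preprocess:
            endpoint.login(userid, VALID_PASSWORD)  # pre-processor: one successful login
        endpoint.login(userid, payload)             # the scan request itself
    return sorted(endpoint.locked)


def post_bodies(n_users: int):
    """POST bodies sent by the method:2 setting: one distinct user ID per request."""
    return [urlencode({"userid": f"test{i:03d}", "pwd": VALID_PASSWORD})
            for i in range(1, n_users + 1)]


def lock_matrix(n_requests: int = 20):
    """Which (policy, method) combinations end up locking an account."""
    payloads = [f"' OR 1=1 -- {i}" for i in range(n_requests)]  # constructed payloads
    methods = {"none": {}, "method1": {"preprocess": True}, "method2": {"rotate_users": True}}
    return {(policy, name): scan(LoginEndpoint(policy), payloads, **opts)
            for policy in ("consecutive", "cumulative")
            for name, opts in methods.items()}


if __name__ == "__main__":
    for key, locked in lock_matrix().items():
        print(key, "locked:", locked or "none")
    print(post_bodies(3))
```

Running it shows that with no countermeasure test001 is locked under both policies, method:1 leaves the consecutive-lock site unlocked but still locks the cumulative-lock site (the counter keeps growing despite the successful logins in between), and method:2 locks nothing in either case because every account fails exactly once. This is also why the number of users to prepare for method:2 scales with the number of login requests the scan sends.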