What is Form-Based Authentication?
Form-based authentication is a common method for controlling access to a web application. It relies on a user submitting credentials, like a username and password, through a form on a login page. The server processes this information and, if the credentials are valid, it creates a user session and grants access to protected areas of the site.
When you configure this for a web application scanner, you're essentially teaching the scanner how to mimic this human login process. The scanner needs to know the Login URL, the names of the input fields (Username field, Password field), and the actual Username and Password to use. By providing a Logged in pattern, you're giving the scanner a way to confirm that its login was successful, allowing it to proceed with scanning the secured parts of your application.
Adding authentication to a new target
- Click Add target, select a web application scan, then click Next.
- Add your target address and other details, then check "Add authentication method".
- Select Form based authentication.
- Now you can configure your authentication details:
- Login URL*: This is the most crucial part. Enter the full URL of the login request. This is not just the login page itself, but the URL the browser posts the login form data to. You can find it with your browser's developer tools, either by inspecting the login form's "action" attribute or by watching the network traffic when you log in.
- Logout URL: This is an optional but recommended field. Provide the full URL that logs a user out. By giving the web application scanner the logout URL, you ensure it doesn't accidentally request this page during its normal crawl, which would end the session and interrupt the authenticated scan.
- Logged in pattern*: Enter a piece of text or a regular expression that the web application scanner should look for on a page to confirm a successful login. Examples include "Welcome, [username]", "Logout", or "My Account". This is how the web application scanner validates that its login attempt was successful, so choose text that appears only after a successful login and not on the login page or on the "invalid credentials" response; otherwise a failed login would be reported as a success.
- Username field* and Password field*: These fields tell the web application scanner the names of the input fields on the login form. The examples "username" and "pass" are common, but you'll need to inspect the login page's source code to find the correct "name" attributes for the username and password fields.
- CSRF token field: This is an optional field for applications that use a Cross-Site Request Forgery (CSRF) token. If the login form includes a hidden field for a CSRF token, you'll need to enter its name here. The web application scanner will then automatically extract the current token from the login page and submit it with the login request.
- Username* and Password*: These are the actual credentials the web application scanner will use to log in. Enter a valid username and password for a test account that we can use for scanning activities.
- Extra Form parameters: If the login form includes other hidden fields or parameters (e.g., a "Remember me" checkbox, a special identifier), you can add them here. You provide the Field name and its corresponding Value.
After filling in all the required fields (marked with an asterisk), you can click Submit to save this authentication configuration for the scan target. The web application scanner will then use this information to authenticate itself before it begins crawling and scanning the application.
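As an added illustration (not the scanner's own code, which this page does not publish), the Python below shows what the configured fields amount to once the scanner uses them: it reads the CSRF token from a freshly fetched login page, assembles the POST body from the Username field, Password field and Extra Form parameters, and checks the post-login response against the Logged in pattern. The login page, field names and credentials are all constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample login page (not a real application); its field names match CONFIG below.
LOGIN_PAGE_HTML = """<form action="/auth/login" method="post">
  <input type="hidden" name="csrf_token" value="tok-12345">
  <input type="text" name="username">
  <input type="password" name="pass">
  <input type="checkbox" name="remember" value="1">
</form>"""

# Hypothetical configuration mirroring the form-based authentication fields described above.
CONFIG = {
    "username_field": "username", "password_field": "pass",
    "csrf_field": "csrf_token", "extra_params": {"remember": "1"},
    "username": "scanner", "password": "s3cret",
    "logged_in_pattern": r"Welcome,\s+scanner|Logout",
}

class _InputCollector(HTMLParser):
    """Collects the name/value of every <input> element, hidden fields included."""
    def __init__(self):
        super().__init__()
        self.inputs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            a = dict(attrs)
            if a.get("name"):
                self.inputs[a["name"]] = a.get("value") or ""

def build_login_body(config, login_page_html):
    """Assemble the POST body the scanner sends: credentials, a fresh CSRF token, extra params."""
    body = {config["username_field"]: config["username"],
            config["password_field"]: config["password"]}
    csrf = config.get("csrf_field")
    if csrf:
        collector = _InputCollector()
        collector.feed(login_page_html)  # the token must be re-read from each fresh login page
        if csrf not in collector.inputs:
            raise ValueError(f"CSRF field '{csrf}' not found on the login page")
        body[csrf] = collector.inputs[csrf]
    body.update(config.get("extra_params", {}))
    return body

def login_succeeded(response_html, pattern):
    """True when the logged-in pattern (plain text or regex) matches the post-login response."""
    return re.search(pattern, response_html) is not None
```

A missing CSRF field raises instead of silently posting without a token, which is the usual reason a scanner's login "fails" even though the credentials are correct.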