
Web application scanning

By Jordi Huntjens
3 articles

How to add form based authentication

What is Form-Based Authentication?

Form-based authentication is a common method for controlling access to a web application. It relies on a user submitting credentials, such as a username and password, through a form on a login page. The server processes this information and, if the credentials are valid, creates a user session and grants access to protected areas of the site.

When you configure this for a web application scanner, you're essentially teaching the scanner how to mimic this human login process. The scanner needs to know the Login URL, the names of the input fields (Username field, Password field), and the actual Username and Password to use. By providing a Logged in pattern, you give the scanner a way to confirm that its login was successful, allowing it to proceed with scanning the secured parts of your application.

Adding authentication to a new target

1. Click add target and select a web application scan, then click next.
2. Add your target address and other details, then check "Add authentication method".
3. Select form based authentication.
4. Now you can configure your authentication details:
   1. Login URL*: This is the most crucial part. Enter the full URL of the login request. This is not just the login page itself, but the URL the browser posts the login form data to. You can find this using your browser's developer tools by inspecting the login form's action attribute or by watching the network traffic when you log in.
   2. Logout URL: This is an optional but recommended field. Provide the full URL that logs a user out. By giving the web application scanner the logout URL, you ensure it doesn't accidentally request this page during its normal crawl, which could interrupt the session.
   3. Logged in pattern*: Enter a piece of text or a regular expression that the web application scanner should look for on a page to confirm a successful login. Examples include "Welcome, [username]", "Logout", or "My Account". This is how the web application scanner validates that its login attempt was successful.
   4. Username field* and Password field*: These fields tell the web application scanner the names of the input fields on the login form. The examples username and pass are common, but you'll need to inspect the login page's source code to find the correct name attributes for the username and password fields.
   5. CSRF token field: This is an optional field for applications that use a Cross-Site Request Forgery (CSRF) token. If the login form includes a hidden field for a CSRF token, enter its name here. The web application scanner will then automatically extract and submit this token with the login request.
   6. Username* and Password*: These are the actual credentials the web application scanner will use to log in. Enter a valid username and password for a test account that we can use for scanning activities.
   7. Extra Form parameters: If the login form includes other hidden fields or parameters (e.g., a "Remember me" checkbox or a special identifier), you can add them here. You provide the Field name and its corresponding Value.
5. After filling in all the required fields (marked with an asterisk), click Submit to save this authentication configuration for the scan target. The web application scanner will then use this information to authenticate itself before it begins crawling and scanning the application.
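As an added example (not part of this article or the scanner's own code), the Python below reads a login page's HTML, here a constructed sample, and derives the values the form above asks for: the Login URL from the form's action attribute, the Username and Password field names, the CSRF token field and the Extra Form parameters. The function and page names are the example's own.

```python
# Added example: derive the form-based authentication settings the scanner asks
# for from the login page's HTML (constructed below), instead of reading them
# out of the browser's developer tools by hand.
from html.parser import HTMLParser
from urllib.parse import urljoin

class LoginFormParser(HTMLParser):
    # Collects every <form> on the page together with its <input> attributes.
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action", ""), "inputs": []}
        elif tag == "input" and self._cur is not None:
            self._cur["inputs"].append(a)
    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None

def scanner_form_settings(page_url, html, csrf_hints=("csrf", "token")):
    """Map the login form onto the scanner's Login URL, field names and extras."""
    parser = LoginFormParser()
    parser.feed(html)
    # The login form is the one that carries a password input.
    form = next(f for f in parser.forms
                if any(i.get("type") == "password" for i in f["inputs"]))
    s = {"login_url": urljoin(page_url, form["action"]),  # where the browser POSTs
         "username_field": None, "password_field": None,
         "csrf_token_field": None, "extra_params": {}}
    for inp in form["inputs"]:
        name, typ = inp.get("name"), (inp.get("type") or "text").lower()
        if not name:
            continue
        if typ == "password":
            s["password_field"] = name
        elif typ in ("text", "email") and s["username_field"] is None:
            s["username_field"] = name
        elif typ == "hidden" and any(h in name.lower() for h in csrf_hints):
            s["csrf_token_field"] = name  # scanner re-extracts the value per login
        elif typ in ("hidden", "checkbox"):
            s["extra_params"][name] = inp.get("value") or ""
    return s

LOGIN_PAGE = """<form method="post" action="/account/login">
<input type="hidden" name="_csrf_token" value="e3b0c442"><input type="hidden" name="redirect" value="/dashboard">
<input type="email" name="email"><input type="password" name="pass"><input type="checkbox" name="remember" value="1">
<input type="submit" value="Log in"></form>"""
```

Run it against the real login page's HTML and the returned dictionary is what you type into the form-based authentication dialog; the CSRF token's value is deliberately not copied, because the scanner fetches a fresh one on every login.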

Last updated on Aug 07, 2025

How to add session cookie authentication

Session Cookie Authentication 🍪

Session cookie authentication is a method where a client proves its identity by presenting a valid session cookie to the server. This cookie is a small piece of data that the server sends to the client after a successful login. It acts as a token that identifies the user's session, so the user doesn't have to re-enter their credentials on every page request. The server uses this cookie to determine the user's logged-in state and associated permissions.

Configuring Session Cookie Authentication for a Web Application Scanner

When you configure a web application scanner to use session cookie authentication, you're essentially providing it with a key to an already open door. You don't need to teach the scanner how to log in; you just give it the proof of a successful login. Here's a step-by-step guide to configuring this.

Get the Session Cookie

The most crucial step is to obtain a valid session cookie from an active, logged-in session. To do this, manually log in to the web application using your browser. Once logged in, use your browser's developer tools (often accessible by pressing F12) to inspect the network requests. Look for a request to a protected page and find the Cookie header. This header contains the session cookie and any other cookies the application is using. Copy the entire cookie string.

Adding authentication to a new target

1. Click add target and select a web application scan, then click next.
2. Add your target address and other details, then check "Add authentication method".
3. Select session cookie based authentication.
4. Now you can configure your authentication details:
   1. Entrypoint URL*: This is the URL that the web application scanner will first visit when it begins crawling the application. It's often a page that requires authentication, such as the user's dashboard or profile page, to ensure the provided cookie is valid from the start.
   2. Cookie Name and Value: Paste the cookie string you copied from the browser's developer tools here. Some scanners might require you to provide the cookie's name and value separately, while others may accept the entire string. For example, a cookie might look like JSESSIONID=A1B2C3D4E5F6. In this case, JSESSIONID is the name and A1B2C3D4E5F6 is the value.
   3. Logged In Pattern: Just like with form-based authentication, you'll need to provide a logged in pattern. This is a piece of text or a regular expression that the scanner will look for on a page to confirm that the cookie is still valid and the session is active. Examples could be "My Account", "Logout", or "Welcome, [username]".
5. After filling in all the required fields (marked with an asterisk), click Submit to save this authentication configuration for the scan target. The web application scanner will then use this information to authenticate itself before it begins crawling and scanning the application.

Last updated on Aug 07, 2025

How to add header-based authentication

Configuring Header Authentication for a Web Application Scanner

When you configure a web application scanner to use header authentication, you're essentially providing it with a key to an already open door. You don't need to teach the scanner how to log in; you just give it the proof of a successful login. Here's a step-by-step guide to configuring this.

Get the Authentication Header

The first step is to get the specific header that the web application uses to authenticate requests. This is typically done after a successful login.

1. Log in Manually: Log into the web application using your browser as you normally would.
2. Open Developer Tools: Use your browser's developer tools (often by pressing F12 or Ctrl+Shift+I) to inspect network requests.
3. Inspect a Protected Request: Navigate to a page that requires authentication. In the network tab of the developer tools, select the request for that page.
4. Find the Header: In the request details, look for the headers section. The authentication token is often found in a header like Authorization, which might contain a value like Bearer <token>, or in a custom header defined by the application. Copy the entire header, including the name and its value (e.g., Authorization: Bearer abc123xyz).

Adding authentication to a new target

1. Click add target and select a web application scan, then click next.
2. Add your target address and other details, then check "Add authentication method".
3. Select header based authentication.
4. Now you can configure your authentication details:
   1. Entrypoint URL: This remains the same. It's the URL the scanner first visits. It should be a page that's only accessible after a user has authenticated.
   2. Header Name and Value: Instead of a cookie name and value, you'll provide the header name and its value. The header name is typically Authorization, and the value is the authentication token. For example, the full header might look like Authorization: Bearer A1B2C3D4E5F6. In this case, Authorization is the name, and Bearer A1B2C3D4E5F6 is the value.
   3. Logged In Pattern: This is the same as before. It's the text or pattern the scanner looks for to confirm the session is active. It ensures the token is working as expected.
5. After filling in all the required fields (marked with an asterisk), click Submit to save this authentication configuration for the scan target. The web application scanner will then use this information to authenticate itself before it begins crawling and scanning the application.
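As an added example serving both this article and the session cookie one (not code from the original articles or the scanner), the Python below splits a copied Cookie or Authorization header into the name and value the scanner asks for, then rehearses the scanner's first request to the Entrypoint URL against a constructed stand-in for the target. It also shows why the Logged In Pattern must not occur on the login page as well, or an expired cookie or token is reported as a working login. fake_fetch, the sample responses and the token values are constructed for the example.

```python
# Added example: turn a Cookie or Authorization header copied from the browser
# into the name/value the scanner form asks for, then rehearse the scanner's
# "logged in pattern" check against the entrypoint URL. `fake_fetch` and the two
# responses are constructed stand-ins for the real target.
import re
from http.cookies import SimpleCookie

def parse_cookie_header(cookie_string):
    """'JSESSIONID=A1B2; theme=dark' -> {'JSESSIONID': 'A1B2', 'theme': 'dark'}."""
    jar = SimpleCookie()
    jar.load(cookie_string)
    return {name: morsel.value for name, morsel in jar.items()}

def parse_auth_header(header_line):
    """'Authorization: Bearer abc123' -> ('Authorization', 'Bearer abc123')."""
    name, _, value = header_line.partition(":")
    return name.strip(), value.strip()

def session_is_valid(fetch, entrypoint_url, headers, logged_in_pattern):
    """What the scanner does first: request the entrypoint with the stored
    credential and look for the logged-in pattern (a regex) in the body."""
    body = fetch(entrypoint_url, headers)
    return re.search(logged_in_pattern, body, re.IGNORECASE) is not None

def pattern_is_specific(logged_in_pattern, authenticated_body, login_page_body):
    """A usable pattern matches the protected page but NOT the login page;
    otherwise an expired cookie or token is reported as a working login."""
    return (re.search(logged_in_pattern, authenticated_body, re.I) is not None
            and re.search(logged_in_pattern, login_page_body, re.I) is None)

# Constructed responses: the dashboard is only served to a known session.
DASHBOARD = "<h1>Welcome, alice</h1><a href='/logout'>Logout</a>"
LOGIN_PAGE = "<h1>Welcome, please log in</h1><form action='/login'></form>"

def fake_fetch(url, headers):
    cookies = parse_cookie_header(headers.get("Cookie", ""))
    if (cookies.get("JSESSIONID") == "A1B2C3D4E5F6"
            or headers.get("Authorization") == "Bearer A1B2C3D4E5F6"):
        return DASHBOARD
    return LOGIN_PAGE  # expired or missing credential: bounced to the login form
```

Before saving the configuration, fetch the Entrypoint URL once with and once without the credential and confirm the pattern matches only the first response.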

Last updated on Aug 07, 2025