β οΈ If you're thinking of an admin user when adding authentications, please read this article first: Adding an admin user when adding authentications
β οΈ If you're unsure of where to find the info needed, we have just the article for you.
Before you start
Session cookie authentications can be used to send a specific cookie to the application with every request. This allows you to define one very complex cookie which can then be assigned to the scanner to authenticate to your application.
πΉ Prefer a video walkthrough?
We also have a video tutorial on adding session cookie authentication which you can find here:
Adding the authentication
Throughout this example, we will be using 178.79.154.6
where we are hosting our test application, you may use a fully qualified domain name (FQDN) or IP address
To begin, add the target from the Targets page by clicking on the 'Add Target
' button and selecting 'Add external web application
'. Here you can specify the target, the entrypoint URL, add any tags and then click the 'Add target ->
' button.
Then choose the 'Add an authentication
' option and click 'Add details
':
Select the 'Session Cookie
' option and add the relevant parameters to the configuration:
Entrypoint URL
In this example, we are starting our scan from the /php/
page of our application (http://178.79.154.6/php/
). Unlike form-based authentication there is no login URL, instead the headers you define are sent with every request.
Logout URL
In our example we specify that there is a Logout URL which we want to exclude from scanning (http://178.79.154.6/php/logout
), this will help us make sure that we don't invalidate the cookie you have set.
Cookies
We specify a Cookie Name of PHPSESSIONID
with the value 0123456789abcdef0123456789abcdef
. and a second cookie name Source
with the value set to Intruder
. You can add multiple cookies if you need to.
β οΈ It's worth noting that the cookie session needs to last long enough for a scan to run β we recommend at least a few hours, ideally up to 24 hours.
Verifying the authentication
Complete
Given how nuanced apps are, we don't presume the accuracy of authentication β instead, we show you what the scanner encountered and allow you to decide whether it has worked or not (the screenshot in particular is helpful, as you can use that to gauge if the scanner can access pages behind the login).
You could get any combination of results, here are just a few:
β
β
Managing authentication(s)
Once you've completed this information you will see the authentication appear under the Authentications tab.
β
To disable an authentication
Click ...
> Disable:
β
And the modal will update to this:
β
To re-enable, just click the ellipsis again > Enable
:
β
β