Unfortunately, there is no way to verify conclusively whether the scanner has authenticated properly. However, by combining the methods below you can get a good idea of whether the scanner has been able to get past the initial login window.
Verification Screenshot
Once you have added the authentication, you will be shown a verification modal that provides the result the scanner receives when it sends a request similar to that used in the scan, using the credentials you supplied:
This modal shows three main elements:
a screenshot of the page shown after logging in
the presence of the Logged In indicator (if applicable and provided in the configuration)
the observed HTTP Response Code (e.g. 200 OK, 401 Unauthorized, 403 Forbidden)
This gives you visibility of what is likely to occur when a full scan is kicked off: if these indicators look valid, you can confirm the authentication from here. Alternatively, if one or more of these indicators look incorrect, select the 'No, edit details' button to go back and correct the configuration.
If the screenshot shows a page residing behind authentication, the logged-in indicator is present (if applicable) and the response code is valid (e.g. 200 OK), then the authentication is likely to succeed in a full scan.
However, if the response looks invalid (e.g. an HTTP 403 Forbidden code), or the screenshot shows the login page or a page that is not behind authentication, first go back and confirm the credentials are correct. If you have confirmed the parameters are correct and are still experiencing issues with your authentication, we would advise attempting a different authentication method, for example:
You may also want to take a look at our additional articles covering some tips and tricks for configuring the scanner for apps using advanced authentication methods.
You can also run a verification of your authentication at any point by visiting the Targets page > selecting the Target > clicking on the Authentications tab > selecting the three dots > 'Check Status'.
Scanned URLs
Another option would be to evaluate the URLs visited during a scan and compare these to URLs that are known to reside behind the login page. You can find full details on where to find these URLs in the Can I see which pages your scanner visited in an authenticated web app scan? section of our FAQs below.
Server Logs
You can also evaluate any logs you may have on your servers. There isn't one standard response to look for, as it really depends on what you log, but hopefully one of the following will help:
If you log user authentication, then you could look for successful authentication for the user you added in the Authentication Configuration.
If you log the IP address instead of the user account for the authentication, then the IP address to look out for will be in the 203.12.218.0/24 range.
If you don't log successful authentications but do log access to pages, then you could look at what pages are being accessed from IPs in the 203.12.218.0/24 range. If one of those pages is only accessible to authenticated users, then this can be used to determine that the authentication was a success.
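One way to apply the page-access check above to an access log, as an added example that is not the product's own tooling. It assumes the Apache/nginx "combined" log format and hypothetical protected paths (/account, /account/settings, /admin/users); the log lines and the "Scanner/1.0" user agent are constructed for the example. It goes slightly beyond the text by separating a 401/403 on a protected path from a 3xx, since a redirect away from a protected page usually means the scanner was bounced back to the login form rather than served the page.

```python
import ipaddress
import re
from collections import Counter

# Scanner source range quoted in the article above.
SCANNER_RANGE = ipaddress.ip_network("203.12.218.0/24")

# Hypothetical application paths: these are assumed to be reachable only
# after login. Edit to match your own application.
PROTECTED_PATHS = {"/account", "/account/settings", "/admin/users"}

# Apache/nginx "combined" access-log format: client IP, identity, user,
# timestamp, request line, status, bytes, referer, user agent.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines, not real traffic. "Scanner/1.0" is a placeholder
# user agent, not the product's real one.
SAMPLE_LOG = """\
203.12.218.17 - - [10/May/2024:09:12:01 +0000] "GET /login HTTP/1.1" 200 1843 "-" "Scanner/1.0"
203.12.218.17 - - [10/May/2024:09:12:02 +0000] "POST /login HTTP/1.1" 302 0 "-" "Scanner/1.0"
203.12.218.17 - - [10/May/2024:09:12:03 +0000] "GET /account?tab=profile HTTP/1.1" 200 5120 "-" "Scanner/1.0"
203.12.218.17 - - [10/May/2024:09:12:04 +0000] "GET /admin/users HTTP/1.1" 403 312 "-" "Scanner/1.0"
198.51.100.9 - - [10/May/2024:09:12:05 +0000] "GET /account/settings HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.12.218.40 - - [10/May/2024:09:13:10 +0000] "GET /account/settings HTTP/1.1" 302 0 "-" "Scanner/1.0"
not a log line
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # compare paths without the query string
    return rec


def scanner_auth_evidence(log_text, scanner_range=SCANNER_RANGE, protected=PROTECTED_PATHS):
    """Classify scanner requests to protected paths as authenticated, denied or redirected.

    Only requests from scanner_range are considered. A 200 on a protected path is
    evidence of a working session; 401/403 means the request was refused; a 3xx on
    a protected path is most likely a bounce back to the login page (the access log
    alone does not show the Location header, so that part is an inference).
    """
    evidence = {"authenticated": [], "denied": [], "redirected": [], "public": Counter()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            ip = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue
        if ip not in scanner_range:
            continue  # traffic from other clients tells us nothing about the scanner
        if rec["path"] not in protected:
            evidence["public"][rec["path"]] += 1
            continue
        if rec["status"] == 200:
            evidence["authenticated"].append(rec["path"])
        elif rec["status"] in (401, 403):
            evidence["denied"].append(rec["path"])
        elif 300 <= rec["status"] < 400:
            evidence["redirected"].append(rec["path"])
    evidence["verdict"] = bool(evidence["authenticated"])
    return evidence


if __name__ == "__main__":
    result = scanner_auth_evidence(SAMPLE_LOG)
    print("Protected pages served with 200 to scanner IPs:", result["authenticated"])
    print("Protected pages refused (401/403):", result["denied"])
    print("Protected pages redirected (probably to login):", result["redirected"])
    print("Authentication appears to have succeeded:", result["verdict"])
```

On the constructed sample the verdict is positive because /account was served with a 200 to a scanner IP, even though /admin/users was refused and /account/settings was redirected. That mixed picture is common when the test account lacks a role, so look at the per-path breakdown rather than the single boolean. Feed the function the relevant part of your real log (for example the lines from the scan's time window) instead of SAMPLE_LOG.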
Frequently Asked Questions
Can I see which pages your scanner visited in an authenticated web app scan?
Yes, you can! If you click on the relevant scan from the Scans page, and click the "Scanned URLs" tab, you can view a list of URLs that the Authenticated Web-App Scanner has been able to crawl.
If a URL that is only accessible behind the login page features on this list, then this indicates that the authentication has succeeded.
If this list only includes non-authenticated URLs (i.e. those not behind the login page), then it might be worth checking the authentication configuration and re-running a scan.
What about authenticated API Scans?
As with web application scans, it is possible to see the list of API endpoints that have been visited during a scan. If you click on the relevant scan from the Scans page, and click the "Scanned Authenticated URLs" tab, you can view any API endpoints visited as part of the scan, under the APIs column. These are sorted per schema file added; for instance, in the example below you can see the API endpoints visited for the scan using the "Api schema - demo" schema file.
It is important to note that the list of Scanned URLs here will include every endpoint listed in the schema. It is currently not possible to confirm from this list whether the scanner was able to authenticate to these endpoints, only that it was able to visit them.