⚠️ If you're thinking of using an admin user for your authentications, please read this article first: Adding an admin user when adding Authentications

For more information, please see these articles:
Authenticated Web Application Scanning with Intruder

Authenticated Web Application Scanning FAQs

Throughout this example we will be using where we are hosting our test application; you may use a fully qualified domain name (FQDN) or an IP address.

Adding a target

Head to the targets page and click + Add Targets as you would with any other target:

Once you've added your target and optionally added a tag, you will see it appear in your targets list:

If you click on the target name you will be taken to the Target Details page which shows you more detailed information about your target, including:

  • Status

  • Location

  • Last scan date

  • Issues

  • Recent Events

  • Tags

  • License information; and

  • Authentications

Before adding Authentications

⚠️ Please note, at this point in time (v1.0) it is only possible to add Authentications one at a time. You cannot specify a chain of Authentications. Therefore, if the application you would like to scan sits behind Basic HTTP Authentication and then also requires the user to authenticate using form-based authentication, this is not supported. You will need to allow our scanner to bypass your initial authentication.

Please note, you will only see the Authentications section if you have Authenticated Web Application Scanning enabled against your account.

Adding authentications

In the Target Details page you will see a section titled Authentications; clicking the + Add button will allow you to add Authentications.

[Screenshot: the Authentications section on the Target Details page, with the + Add button]

Once you click on + Add you will be presented with the following modal, which will allow you to choose which authentication type you would like to add:

[Screenshot: the Add Authentication modal listing the available authentication types]

To keep the user guide concise, we have created separate help guides for each of the authentication types, which you can access by clicking the hyperlinks below:

Form Based Authentications

HTTP Authentication

Header Authentication

Session Cookie Authentication

Starting a scan

Once you've added all your authentications to your targets you can start a scan as you normally would.

Go to the Scans page and click Scan Now. Select the targets you would like to scan, name the scan, and if you're only interested in your web ports (ports 80 and 443 over TCP) click the Default Web Ports Only toggle (as shown below).

[Screenshot: the Scan Now dialog, with the Default Web Ports Only toggle]

Please note that when you start a scan, all authentications will be tested; there is currently no way to specify which authentications you want to include in the scan. This means that if you have 4 authentications assigned to the target, all 4 authenticated scans will be started against the target.

Once you're happy click the Start Scan button. You'll see that the scan has started and will be listed under the In Progress section of the Scans page.

[Screenshot: the In Progress section of the Scans page]

If you click on the View Progress button you'll see approximately how complete your scan is. Please note that this approximation will become more accurate the more scans you run, and that it can sometimes appear to be stuck on "Analyzing Results"; rest assured we're reviewing the results to make sure they're accurate.

[Screenshot: the View Progress view showing scan completion]

Please note, Authenticated Web Application Scanning is only available to those with Authentication licenses. If you'd like to learn more about this, head to the chat bot and ask to speak with a member of the team.
