Before you start
The information below is required for our scanner to know where in your application to start scanning from, how to submit the login request, and what URL to avoid so that the scanner doesn't get logged out. A few extra tips:
https:// is required on your URLs
Login page URL is optional, but it helps when our scanner tries to retrieve and update anti Cross-Site Request Forgery (anti-CSRF) tokens
Logged in pattern is optional, but it helps our scanner identify when it has authenticated correctly and whether it needs to re-authenticate during the scan.
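To show how a scanner uses the three settings above (login page URL for the anti-CSRF token, logged in pattern, and the logout URL to avoid), here is an added illustration in Python. It is not Intruder's own code: the HTML snippets, the csrf_token field name, and the /logout path are constructed sample values.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Constructed sample login page: the hidden anti-CSRF field must be resent
# with the login request, which is why the login page URL is useful.
LOGIN_PAGE_HTML = '''<form method="post" action="/login">
  <input type="hidden" name="csrf_token" value="abc123">
  <input name="username"><input name="password" type="password">
</form>'''

# Constructed post-login response that contains the "logged in pattern".
DASHBOARD_HTML = '<nav>Welcome back, alice <a href="/logout">Log out</a></nav>'


def extract_csrf_token(html: str, field: str = "csrf_token") -> Optional[str]:
    """Return the anti-CSRF value from a hidden input (name before value), or None."""
    m = re.search(r'name="%s"\s+value="([^"]*)"' % re.escape(field), html)
    return m.group(1) if m else None


def build_login_body(html: str, username: str, password: str) -> dict:
    """Form fields the scanner would submit, including the freshly fetched token."""
    body = {"username": username, "password": password}
    token = extract_csrf_token(html)
    if token is not None:
        body["csrf_token"] = token
    return body


def is_logged_in(html: str, pattern: str) -> bool:
    """True when the logged in pattern matches; False means re-authenticate."""
    return re.search(pattern, html) is not None


def should_skip(url: str, base: str, logout_paths: Tuple[str, ...]) -> bool:
    """Exclude any URL whose path is (or sits under) a logout path."""
    path = urlsplit(urljoin(base, url)).path.rstrip("/")
    return any(path == p.rstrip("/") or path.startswith(p.rstrip("/") + "/")
               for p in logout_paths)


def plan_crawl(links: List[str], base: str, logout_paths: Tuple[str, ...]) -> List[str]:
    """Links the scanner may follow without ending its own session."""
    return [u for u in links if not should_skip(u, base, logout_paths)]
```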
Adding the target
Throughout this example, we will be using vulnerablesite.intrud.es, where we are hosting our test application.
⚠️ If you're unsure of where to find the info needed, we have just the article for you.
Choosing the authentication method
Head back to Targets > All >
Adding the authentication
Verifying the authentication
Given how nuanced apps are, we don't presume the accuracy of authentication – instead, we show you what the scanner encountered and allow you to decide whether it has worked or not (the screenshot in particular is helpful, as you can use that to gauge if the scanner can access pages behind the login).
You could get any combination of results; here are just a few:
Once you've completed this information you will see the authentication appear under the Authentications tab.
To disable an authentication
... > Disable:
And the modal will update to this:
To re-enable, just click the ellipsis again >