⚠️ Important: If you're thinking of using an admin user when adding authentications, please read this article first: Adding an admin user when adding authentications
💡 Tip: If you're unsure of where to find the info needed, we have just the article for you.
Prefer a video walkthrough?
We also have a video tutorial on adding HTTP Basic authentication, which you can find here.
Adding a new target with authentication
Throughout this example, we will be using 44.203.103.184 where we are hosting our test application.
Targets > Add target > External web application
Adding the Authentication to a pre-existing target
Head back to Targets > All > ... > Add authentication
Adding the authentication
Throughout this example, we will be using 44.203.103.184 where we are hosting our test application. You may use either a fully qualified domain name (FQDN) or an IP address.
Entrypoint URL
The entrypoint URL tells the scanner where to start its crawling and scanning. The scanner will crawl and test anything it finds under the root of that entrypoint, so if you add 'https://example.com/example_path' as your entrypoint URL, we'll permit anything discovered under 'https://example.com/*'.
Unlike form-based authentication, there is no login URL. Instead, the login details are sent with every request.
Logout URL
In our example, we specify a Logout URL that we want to exclude from scanning. If your application uses HTTP authentication, it may not have a logout URL at all, which is why this field is optional. However, if your application does have a logout URL and you leave it out, the scan may not run correctly.
The easiest way to find this is to log in to the application and locate the Logout button on your page (it may read 'Log Out', 'Sign Out', or something similar). If you hover over the button you'll see the Logout URL at the bottom of your page; you can also right-click, choose 'Save link address', and paste the result into Intruder.
Realm
The Realm is sent to your browser by your server when you attempt to access your application. Sometimes you will be able to see the Realm in the pop-up window which asks you for your username and password. Other times, you will need to follow these steps:
1. Open developer tools
2. Refresh the page
3. Under the Network tab, you should see a single request to your application (in our example below, that is the password page, which is in red on the left-hand side of the developer tools)
4. Scroll to Response Headers in the right-hand box; you will see a header which starts with www-authenticate. You are looking for the realm= value in this header.
If you have access to the curl command on your system, you can grab this information quickly by running the following command (substituting <ENTRYPOINT_URL> with your Entrypoint URL):
curl -s -D- <ENTRYPOINT_URL>
You should see a result like the following, where 'Fake Realm' is the value you're looking for.
HTTP/2 401
date: Thu, 10 Mar 2022 18:21:58 GMT
content-length: 0
server: gunicorn/19.9.0
www-authenticate: Basic realm="Fake Realm"
access-control-allow-origin: *
access-control-allow-credentials: true
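As an added example (not Intruder's own code), the following Python script parses a header dump in the format printed by `curl -s -D-` above, checks that the server actually issued an HTTP Basic challenge (status 401 plus a www-authenticate header starting with Basic), extracts the realm whether it is quoted or not, and builds the Authorization header that is sent with every request once the username and password are configured. The sample header block is constructed from the article's example response.

```python
import base64
import re

# Constructed sample: the headers `curl -s -D- <ENTRYPOINT_URL>` prints for the
# article's test application (values copied from the example response above).
SAMPLE_401 = """HTTP/2 401
date: Thu, 10 Mar 2022 18:21:58 GMT
content-length: 0
server: gunicorn/19.9.0
www-authenticate: Basic realm="Fake Realm"
access-control-allow-origin: *
access-control-allow-credentials: true
"""


def parse_headers(raw):
    """Split a curl -D- dump into (status_line, {lower-cased name: value})."""
    lines = [line for line in raw.splitlines() if line.strip()]
    status_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers


def status_code(status_line):
    """'HTTP/2 401' -> 401."""
    return int(status_line.split()[1])


def basic_realm(headers):
    """Return the realm of a Basic challenge, or None if there is no Basic challenge.
    Handles both realm="Fake Realm" and the unquoted realm=value form."""
    challenge = headers.get("www-authenticate", "")
    if not challenge.lower().startswith("basic"):
        return None
    match = re.search(r'realm\s*=\s*(?:"([^"]*)"|([^,\s]+))', challenge, re.IGNORECASE)
    if not match:
        return ""  # Basic challenge without a realm parameter
    return match.group(1) if match.group(1) is not None else match.group(2)


def authorization_header(username, password):
    """Build the 'Authorization' value the scanner attaches to every request."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


if __name__ == "__main__":
    status_line, hdrs = parse_headers(SAMPLE_401)
    if status_code(status_line) == 401 and basic_realm(hdrs) is not None:
        print("Basic challenge found, realm:", basic_realm(hdrs))
    else:
        print("No HTTP Basic challenge: this target may not use HTTP authentication")
```

If the script reports no Basic challenge, the application is most likely using form-based or another authentication type and this form is not the right one for it.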
Username and password
Both of these are mandatory. They should be the values that you have configured for your user in your application.
Allowed Domains
This section lets you specify additional domains that your application depends on, so those requests are permitted to complete during a scan. The scanner will also run a limited set of security checks on those network requests. Please check out this article for more information.
Verifying the authentication
Complete
Given how nuanced apps are, we don't presume the accuracy of authentication; instead, we show you what the scanner encountered and let you decide whether it has worked or not (the screenshot in particular is helpful, as you can use it to gauge whether the scanner can access pages behind the login).
You could get any combination of results; the examples shown here are just a few.
Managing authentication(s)
Once you've completed this information, you will see the authentication appear under the Authentications tab.
To disable an authentication
Click ... > Disable.
The modal will then update to reflect the change.
To re-enable, click the ellipsis again > Enable.
The next modal to pop up will be this one, where you can confirm the authentication, edit the details, or close the modal and disable the authentication.