⚠️ If you're thinking of an admin user when adding authentications, please read this article first: Adding an admin user when adding Authentications
Selecting the authentication method
When you select HTTP Authentication you will be presented with the following modal. This authentication type covers challenge-response authentication methods, including:
How to find the information
If you're unsure on where/how to find the information you need, please click the hyperlinks under 'Credentials' or refer to: Where to Find Required Information (at the bottom of this article).
Adding the credentials
Throughout this example we will be using
22.214.171.124 where we are hosting our test application, you may use a fully qualified domain name (FQDN) or IP address
In this example, we are starting our scan from the
/basic/ page of our application (
http://126.96.36.199/basic/). Unlike form-based authentication there is no login URL, instead the login details are sent with every request.
In our example we specify that there is a Logout URL which we want to exclude from scanning (
http://188.8.131.52/basic/logout). It is possible that you do not have a logout URL for your application if it uses HTTP Authentication which is why it's optional, but it's worth noting that your scan may not run correctly if you fail to include a logout URL when one is present in your application.
We specify a Realm of
Fake Realm in our example. To find out what realm you have active on your application please see instructions below.
Username and password
Both of these are mandatory. They should be the values that you have configured for your user in your application.
Once you've added the Authentication you should see it appear under Authentications on the Target Details page:
Where to Find Required Information
This section will explain where you can find the details that need to be entered when you're adding Authentications to a target.
The entrypoint URL tells the scanner where it should start all of it's crawling and scanning from. Most often this will be the root of your web application. Which in our example would be
http://184.108.40.206/ . Please note, there is not a path associated with the URL just a
/ on the end, which you should include if you want the full application to be scanned.
There are times when you won't want to scan from the root of the application, instead you might want to scan a subset. For example, when you have multiple applications running on the same target, but which live at different paths. For our example:
In this case, you would want to add 3 separate authentications each using one of the paths in the list.
The easiest way to find this would be to login to the application and find the Logout button on your page (it may say
Log Out or
Sign Out or something similar). If you hover over the button you'll see the Logout URL in in the bottom of your page, you can also right click and 'Save link address', then paste into Intruder. If that doesn't work, please see our extended explanation.
Realm is sent to your browser by your server when you attempt to access your application. We will walk through this example:
Sometimes you will be able to see the
Realm in the pop-up window which asks you for your username and password. Other times you will need to follow these steps:
Open developer tools
Refresh the page
Networktab you should see a single request to your application (in our example below that is the
passwordpage which is in red on the left-hand side of the developer tools)
Response Headersin the right-hand box you will see a header which starts with
www-authenticateyou are looking for the
realm=value in this header. In our example the value is
Fake Realmwhich we need to add to the
Realmfield of our Authentication.
If you have access to the
curl command on your system you can grab this information quickly by running the following command (substituting
<ENTRYPOINT_URL> with your
curl -s -D- <ENTRYPOINT_URL>
You should see a result like the following, where
Fake Realm is the value you're looking for.
HTTP/2 401 date: Thu, 10 Mar 2022 18:21:58 GMT content-length: 0 server: gunicorn/19.9.0 www-authenticate: Basic realm="Fake Realm" access-control-allow-origin: * access-control-allow-credentials: true