⚠️ Important: If you're thinking of an admin user when adding authentications, please read this article first: Adding an admin user when adding authentications
💡Tips: If you're unsure of where to find the info needed, we have just the article for you.
Before you start
Session cookie authentications can be used to send a specific cookie to the application with every request. This allows you to define one very complex cookie, which can then be assigned to the scanner to authenticate to your application.
📹 Prefer a video walkthrough?
We also have a video tutorial on adding session cookie authentication, which you can find here:
Adding the authentication
Throughout this example, we will be using vulnerablesite.intrud.es, where we are hosting our test application. You may use a fully qualified domain name (FQDN) or an IP address.
To begin, add the target from the Targets page by clicking on the 'Add Target' button and selecting 'Add external web application'. Here you can specify the target, the entrypoint URL, add any tags, and then click the 'Add target ->' button.
Then choose the 'Add an authentication' option and click 'Add details':
Select the 'Session Cookie' option and add the relevant parameters to the configuration:
Entrypoint URL
The entrypoint URL tells the scanner where to start its crawling and scanning. The scanner will crawl and test anything it finds under the root of that entrypoint, so if you add https://example.com/example_path as your entrypoint URL, we'll permit anything discovered under https://example.com/*. In the example above, our entrypoint URL is http://vulnerablesite.intrud.es/index.php.
Please note that, unlike form-based authentication, there is no login URL. Instead, the cookies you define are sent with every request.
Logout URL
The Logout URL will be excluded from scanning. This will help us make sure that we don't invalidate the cookie. The easiest way to find this would be to log in to the application and find the Logout button on your page (it may read 'Log Out', 'Sign Out', or something similar). If you hover over the button you'll see the Logout URL at the bottom of your page. You can also right-click and 'Save link address', then paste it into Intruder.
In the example above, our logout URL is http://vulnerablesite.intrud.es/DVWA/logout.php.
Cookies
Cookies will be sent with every request made by the scanner, ensuring it remains authenticated throughout the scan.
In the example above, our cookie name is PHPSESSID and the value is 17gm1jgiscqupggjfm8o3nhqlt.
⚠️ Important: The cookie session needs to last long enough for a scan to run. We recommend at least a few hours, ideally up to 24 hours.
Allowed Domains
This section lets you specify additional domains that your application depends on, so those requests are permitted to complete during a scan. The scanner will also run a limited set of security checks on those network requests. Please check out this article for more information.
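The following script is an added illustration, not Intruder's own code, of the three rules the fields above describe: the scanner stays within the entrypoint's host (plus any allowed domains), it never requests the logout URL, and the session cookie must outlive the scan. The function names, the sample URLs under vulnerablesite.intrud.es, and the Set-Cookie lines are constructed for this example; treating scheme, host and port together as "the application" is an assumption, since the article does not say how other ports or schemes are handled.

```python
"""Pre-flight checks for a session-cookie authentication (example code, not Intruder's)."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit


def _origin(url: str) -> str:
    """scheme://host:port, lower-cased. Assumption: a different port or scheme is a different app."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def in_scope(entrypoint: str, url: str, logout_url: str,
             allowed_domains: Iterable[str] = ()) -> bool:
    """Decide whether the scanner should request `url` at all."""
    # The logout URL is excluded so the scan never invalidates the session cookie.
    if _origin(url) == _origin(logout_url) and urlsplit(url).path == urlsplit(logout_url).path:
        return False
    # Entrypoint https://example.com/example_path permits anything under https://example.com/*.
    if _origin(url) == _origin(entrypoint):
        return True
    # Other hosts are only reachable when listed as allowed domains.
    host = (urlsplit(url).hostname or "").lower()
    return host in {d.lower() for d in allowed_domains}


def cookie_header(cookies: Dict[str, str]) -> str:
    """Build the Cookie request header value that accompanies every scanner request."""
    return "; ".join(f"{name}={value}" for name, value in cookies.items())


def cookie_lifetime(set_cookie: str, now: datetime) -> Optional[timedelta]:
    """Client-side lifetime declared in a Set-Cookie header; None for a browser-session cookie."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    for morsel in jar.values():
        if morsel["max-age"]:
            return timedelta(seconds=int(morsel["max-age"]))
        if morsel["expires"]:
            return parsedate_to_datetime(morsel["expires"]) - now
    return None


def lifetime_ok(set_cookie: str, now: datetime, min_hours: int = 3) -> bool:
    """True when the cookie is declared to last at least `min_hours`.

    A session-scoped cookie (no Max-Age/Expires) is accepted here because its real
    limit is the server-side idle timeout, which the header cannot reveal; confirm
    that timeout separately before assigning the cookie to a long scan.
    """
    remaining = cookie_lifetime(set_cookie, now)
    return remaining is None or remaining >= timedelta(hours=min_hours)


if __name__ == "__main__":
    # Constructed sample values echoing the article's example target.
    entry = "http://vulnerablesite.intrud.es/index.php"
    logout = "http://vulnerablesite.intrud.es/DVWA/logout.php"
    print(cookie_header({"PHPSESSID": "17gm1jgiscqupggjfm8o3nhqlt"}))
    print(in_scope(entry, "http://vulnerablesite.intrud.es/DVWA/index.php", logout))
    print(in_scope(entry, logout, logout))
    print(lifetime_ok("PHPSESSID=abc; Path=/; HttpOnly; Max-Age=86400",
                      datetime.now(timezone.utc)))
```

Run it against the Set-Cookie line your application returns at login: a Max-Age of a few minutes is a sign the scan will lose authentication part-way through, which is the failure the warning above is about.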
Verifying the authentication
Complete
Given how nuanced apps are, we don't presume that the authentication has worked – instead, we show you what the scanner encountered and let you decide (the screenshot in particular is helpful, as you can use it to gauge whether the scanner can access pages behind the login).
You could get any combination of results; here are just a few:
Managing authentication(s)
Once you've completed this information, you will see the authentication appear under the Authentications tab.
To disable an authentication
Click ... > Disable:
And the modal will update to this:
To re-enable, just click the ellipsis again > Enable: