How to scan an unauthenticated web-app

Instructions for adding placeholder authentication so you can scan your unauthenticated web-app

Written by Joe Haigh
Updated over a week ago

Our [authenticated] web-app scanner is built exclusively for web-apps and the servers that host them, focusing primarily on the web-apps' functionality and the configuration of the services running on those servers.

What if my app doesn't require authentication?

Not to worry – you can still use the web-app scanner. When you add a new target as an external web application, we'll automatically add some dummy credentials so that our scanner can kick off an unauthenticated scan!

For newly added web application targets

To do so, head to the Targets page and click the yellow Add target button, then click External web application:

Next, fill in the details of the web app you'd like to scan:

After clicking Add target, you can scan the target with unauthenticated checks only:

And that's you all set! You'll then be taken to the target's detail page where, if needed, you can kick off a scan of your new target by hitting Scan now in the top right corner.


For existing infrastructure targets

Alternatively, if the target was previously added as an infrastructure target, follow the steps below to add dummy credentials:
1. Find the target in the Targets page and click into its Target Detail Page:

2. Click the Authentications tab, then click Add Authentication

3. Select Header Authentication and enter the following credentials:

  • Name: Unauthenticated

  • Entrypoint URL: The URL of the target e.g. http://testphp.vulnweb.com

  • Header Name: X-Auth-Token

  • Header Value: Bearer Tm90IGEgdmFsaWQgYXV0aCB0b2tlbg==

4. Hit 'Save and verify authentication'.


Now, whenever you kick off a scan on this target, it will receive all the usual infrastructure checks run by the underlying scanning engine (OpenVAS for Essential users, Tenable for Pro, Premium and Vanguard, and Nuclei for Premium and Vanguard), plus checks from our web-app scanner.
