Our [authenticated] web-app scanner is built exclusively for web-apps and the servers that host them, focusing primarily on the web-apps' functionality and the configuration of the services running on those servers.
What if my app doesn't require authentication?
Not to worry, you can still use the [authenticated] web-app scanner. You just need to provide placeholder authentication so that the web-app scanner is activated when the scan starts.
The steps to do this can be seen below:
1. Find the target in the Targets page and click into its Target Detail Page.
2. Click the Authentications tab and click Add Authentication.
3. Select Header Authentication and enter the following credentials:
   Name: Unauthenticated
   Entrypoint URL: The URL of the target, e.g. https://testphp.vulnweb.com
   Header Name: X-Auth-Token
   Header Value: Bearer Tm90IGEgdmFsaWQgYXV0aCB0b2tlbg==
4. Hit 'Save authentication'.
Now, whenever you kick off a scan on this target, it will receive all the usual infrastructure checks conducted by the underlying scanning engine (OpenVAS for Essential users and Tenable for Pro, Premium and Vanguard), plus checks from our web-app scanner.