How to know if the scanner authenticated properly

In lieu of an in-app solution, we have some suggestions that might help...

Written by Naomi Purvis
Updated over a week ago

Unfortunately, there isn't any way for us to verify conclusively if the scanner has authenticated properly. For now, the best way to check would be to have a look through the URLs visited and compare these to URLs that are behind the login page.

You can also evaluate any logs you may have on your servers. There isn't one standard response to look for, as it really depends on what you log, but hopefully one of the following will help:

  • If you log user authentication, then you could look for successful authentication for the user you added in the Authentication Configuration.

  • If you log the IP address instead of the user account for the authentication, then the IP address to look out for will be in the range.

  • If you don't log successful authentications but do log access to pages, then you could look at what pages are being accessed from IPs in the range. If one of those pages is only accessible to authenticated users, then this can be used to determine that the authentication was a success.
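The log checks above, as an added example that is not part of this article: it scans constructed combined-format access-log lines for a successful login and for authenticated-only pages served to the scanner's source range. The scanner range (203.0.113.0/24), the login path and the set of authenticated-only paths are placeholders you would replace with your own values.

```python
import ipaddress
import re
from typing import Iterable

# Combined log format: client IP, method and path, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Placeholder for the scanner's source range; substitute the published range.
SCANNER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Paths only an authenticated user can reach (assumed for this example).
AUTHENTICATED_ONLY = {"/account", "/dashboard", "/settings"}


def from_scanner(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SCANNER_RANGES)


def parse(lines: Iterable[str]):
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("method"), m.group("path"), int(m.group("status"))


def check_authentication(lines: Iterable[str], login_path: str = "/login") -> dict:
    # login_ok: a POST to the login form from the scanner range was redirected
    # (a 200 on the POST usually means the form was re-rendered with an error).
    # authed_pages: authenticated-only paths actually served (2xx), not bounced
    # back to the login page with a 3xx.
    login_ok = False
    authed_pages = set()
    for ip, method, path, status in parse(lines):
        if not from_scanner(ip):
            continue
        if method == "POST" and path == login_path and 300 <= status < 400:
            login_ok = True
        if path in AUTHENTICATED_ONLY and 200 <= status < 300:
            authed_pages.add(path)
    return {"login_ok": login_ok, "authed_pages": sorted(authed_pages),
            "authenticated": login_ok or bool(authed_pages)}


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /login HTTP/1.1" 200 512 "-" "Scanner"',
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "Scanner"',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /dashboard HTTP/1.1" 200 2048 "-" "Scanner"',
    '198.51.100.9 - - [01/Jan/2024:10:00:03 +0000] "GET /account HTTP/1.1" 200 1024 "-" "Browser"',
    '203.0.113.8 - - [01/Jan/2024:10:00:04 +0000] "GET /settings HTTP/1.1" 302 0 "-" "Scanner"',
]
```

Run it as `check_authentication(SAMPLE_LOG)`; the /account hit from outside the range and the /settings redirect are ignored, so only the login redirect and the served /dashboard count as evidence.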

Can I see which pages your scanner visited in an authenticated web app scan?

Yes, you can! If you click on the relevant scan from the Scans page, and click the "Scanned URLs" tab, you can view a list of URLs that the Authenticated Web-App Scanner has been able to crawl.

  • If a URL that is only accessible behind the login page features on this list, this indicates that the authentication has succeeded.

  • If this list only includes non-authenticated URLs (i.e. those not behind the login page), then it might be worth checking the authentication configuration and re-running a scan.

What about authenticated API Scans?

As with web application scans, it is possible to see the list of API Endpoints that have been visited during a scan. If you click on the relevant scan from the Scans page, and click the "Scanned Authenticated URLs" tab, you can view any API Endpoints visited as part of the scan, under the APIs column. These will be sorted per schema file added - for instance, in the example below you can see the API endpoints visited for the scan using the "Api schema - demo" schema file.

It is important to note that the list of Scanned URLs here will include any of the endpoints listed in the schema. It is currently not possible to confirm if the scanner was able to authenticate to these endpoints, just that it was able to visit the endpoint.
