Where to find the information for HTTP authentication
Naomi Purvis avatar
Written by Naomi Purvis
Updated over a week ago

Entrypoint URL

The entrypoint URL tells the scanner where it should start all of it's crawling and scanning from. Most often this will be the root of your web application. Which in our example would be . Please note, there is not a path associated with the URL just a / on the end, which you should include if you want the full application to be scanned.

There are times when you won't want to scan from the root of the application, instead you might want to scan a subset. For example, when you have multiple applications running on the same target, but which live at different paths. For our example:




In this case, you would want to add 3 separate authentications each using one of the paths in the list.

Logout URL

The easiest way to find this would be to login to the application and find the Logout button on your page (it may say Log Out or Sign Out or something similar). If you hover over the button you'll see the Logout URL in in the bottom of your page, you can also right click and 'Save link address', then paste into Intruder. If that doesn't work, please see our extended explanation.


The Realm is sent to your browser by your server when you attempt to access your application. We will walk through this example:

User-uploaded Image

Sometimes you will be able to see the Realm in the pop-up window which asks you for your username and password. Other times you will need to follow these steps:

  • Open developer tools

  • Refresh the page

  • Under the Network tab you should see a single request to your application (in our example below that is the password page which is in red on the left-hand side of the developer tools)

  • Scroll to Response Headers in the right-hand box you will see a header which starts with www-authenticate you are looking for the realm= value in this header. In our example the value is Fake Realm which we need to add to the Realm field of our authentication.

If you have access to the curl command on your system you can grab this information quickly by running the following command (substituting <ENTRYPOINT_URL> with your Entrypoint URL:

curl -s -D- <ENTRYPOINT_URL>

You should see a result like the following, where Fake Realm is the value you're looking for.

HTTP/2 401 date: Thu, 10 Mar 2022 18:21:58 GMT content-length: 0 server: gunicorn/19.9.0 www-authenticate: Basic realm="Fake Realm" access-control-allow-origin: * access-control-allow-credentials: true

Did this answer your question?