Web App Authentication

Selenium

  1. Navigate to Scans > New Scan > Web Application > Web App Scan or Web App Overview.
  2. Click the Credentials tab.
  3. In the Add Credentials section, click Web Application Authentication.
  4. From the Authentication Method drop-down menu, select Selenium Authentication.

  5. To use the Selenium script section, you must first create a .side file:
    1. In Google Chrome, install the Selenium IDE extension.
    2. For the web application you want to scan, access the login page in Google Chrome.

      (Screenshot: login form test page)

    3. In the upper right corner of the browser window, click the button to launch the Selenium IDE extension.

      The Selenium IDE window appears.

    4. In the upper right corner of the Selenium IDE window, click the button to begin the recording.
    5. On the login page, enter your credentials and submit.

      Selenium IDE captures your actions.

    6. Upon successful authentication, in the upper right corner of the Selenium IDE window, click the button to stop the recording.
    7. Click the button to save the project.
  6. Click Add file and select the .side file saved in sub-step 7 of step 5.
  7. In the Page to verify active session field, type the URL that Tenable.io can continually access to ensure the authenticated session is still valid.

    Tip: Tenable recommends including "My Account" or "My Preferences" as part of the URL for the Page to verify active session field as shown in the screenshot above.

  8. In the Regex to verify active session field, type a word, phrase, or regular expression that appears on the page specified in the Page to verify active session field. This phrase only appears if the authenticated session is still valid.
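Before uploading a recording, it is worth checking that the .side file actually contains a complete login sequence and that the Regex to verify active session value matches the authenticated page but not the login page (otherwise the scanner will believe an expired session is still valid). The following Python script is an added example, not Tenable's code and not part of this page: it parses a constructed minimal recording in Selenium IDE's project JSON (.side) format, validates the command sequence, and tests a candidate regex against two constructed page bodies. The hostname, element ids and sample pages are assumptions. The same active-session check applies to the Page and Regex to verify active session fields of the Login Form method described below.

```python
"""Sanity-check a Selenium IDE .side recording and a verify-session regex.

Added example (not Tenable's code). The .side text is a constructed minimal
recording in Selenium IDE's project JSON format; the page bodies are
constructed samples of what a scanner would fetch.
"""
import json
import re

# Constructed .side recording of a login: open the login page, type both
# credentials, click the submit button. Hostname and element ids are assumed.
SIDE_JSON = """
{
  "id": "example-project",
  "version": "2.0",
  "name": "login recording",
  "url": "https://app.example.test",
  "tests": [{
    "id": "t1",
    "name": "login",
    "commands": [
      {"id": "c1", "comment": "", "command": "open", "target": "/login", "targets": [], "value": ""},
      {"id": "c2", "comment": "", "command": "type", "target": "id=username", "targets": [], "value": "scanuser"},
      {"id": "c3", "comment": "", "command": "type", "target": "id=password", "targets": [], "value": "s3cret"},
      {"id": "c4", "comment": "", "command": "click", "target": "css=button[type=submit]", "targets": [], "value": ""}
    ]
  }],
  "suites": [{"id": "s1", "name": "Default Suite", "persistSession": false,
              "parallel": false, "timeout": 300, "tests": ["t1"]}],
  "urls": ["https://app.example.test"],
  "plugins": []
}
"""

# Constructed page bodies: the "Page to verify active session" while logged
# in, and the login page the application serves once the session expired.
AUTHENTICATED_PAGE = "<html><body><h1>My Account</h1><a href='/logout'>Log out</a></body></html>"
LOGIN_PAGE = "<html><body><h1>Sign in</h1><form action='/login'></form></body></html>"


def load_side_commands(side_text):
    """Return the ordered (command, target, value) triples of the first test."""
    project = json.loads(side_text)
    if project.get("version") != "2.0":
        raise ValueError("unexpected .side project version")
    tests = project.get("tests") or []
    if not tests:
        raise ValueError(".side file contains no tests")
    return [(c["command"], c["target"], c["value"]) for c in tests[0]["commands"]]


def check_login_recording(commands):
    """List problems that would make the recording useless as a login script."""
    problems = []
    if not commands or commands[0][0] != "open":
        problems.append("recording should start with 'open' on the login page")
    typed = [c for c in commands if c[0] == "type"]
    if len(typed) < 2:
        problems.append("expected 'type' commands for both username and password")
    submits = [c for c in commands
               if c[0] in ("click", "submit")
               or (c[0] == "sendKeys" and c[2] == "${KEY_ENTER}")]
    if not submits:
        problems.append("no command submits the login form")
    return problems


def typed_values(commands):
    """Values stored by 'type' commands. The .side file keeps the password in
    clear text, so the file itself must be handled as a secret."""
    return [v for c, _, v in commands if c == "type"]


def session_valid(page_body, regex):
    """Mirror the scanner's rule: the session is alive only if the regex matches."""
    return re.search(regex, page_body) is not None


def regex_discriminates(regex, authed=AUTHENTICATED_PAGE, expired=LOGIN_PAGE):
    """A usable verify-session regex matches the authenticated page and does
    not match the login page the application serves after session expiry."""
    return session_valid(authed, regex) and not session_valid(expired, regex)


if __name__ == "__main__":
    cmds = load_side_commands(SIDE_JSON)
    print("recording problems:", check_login_recording(cmds) or "none")
    print("secrets in file:", len(typed_values(cmds)), "typed values")
    for candidate in (r"My Account|Log out", r"<html>"):
        print(repr(candidate), "discriminates:", regex_discriminates(candidate))
```

The second candidate regex illustrates the failure mode: a pattern that also matches the login page would report a live session forever, and the scan would continue unauthenticated without noticing.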

Login Form

  1. Navigate to Scans > New Scan > Web Application > Web App Scan or Web App Overview.
  2. Click the Credentials tab.
  3. In the Add Credentials section, click Web Application Authentication.
  4. From the Authentication Method drop-down menu, select Login Form.

  5. In the Login Page field, type the URL of the login page for which you wish to attempt authentication.
  6. In the Credentials section, specify the form field names in the fields labeled example: username and example: password, and their respective values in the corresponding fields to the right.

    Tip: When performing an uncredentialed Web App Overview, plugin 98033 (Login Form Detected) may automatically detect the necessary form field names to type in the fields labeled example: username and example: password in the credentials area.

  7. In the Regex to verify successful auth field, type a word, phrase, or regular expression that indicates the login was successful.
  8. In the Page to verify active session field, type the URL that Tenable.io can continually access to ensure the authenticated session is still valid.

    Tip: Tenable recommends including "My Account" or "My Preferences" as part of the URL for the Page to verify active session field as shown in the screenshot above.

  9. In the Regex to verify active session field, type a word, phrase, or regular expression that appears on the page specified in the Page to verify active session field. This phrase only appears if the authenticated session is still valid.

Copyright 2017 - 2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.