Web Authentication Credentials

The following are the available Web Authentication credentials in Tenable Nessus Web App templates:

Note: The following settings only apply to web application scanning in Tenable Nessus. To view settings for the Tenable Web App Scanning product, see Tenable Web App Scanning Scan Settings.

HTTP Server Authentication

In a web application scan, you can configure the following settings for HTTP server-based authentication credentials.

Username

Type the username that Tenable Nessus should use to authenticate to the HTTP-based server.

Password

Type the password that Tenable Nessus should use to authenticate to the HTTP-based server.

Authentication Type

In the drop-down list, select one of the following authentication types:

  • Basic
  • NTLM
  • Kerberos

Kerberos Realm (required when the Kerberos Authentication Type is selected)

Type the Kerberos realm to which the target's authentication belongs.

Key Distribution Center (KDC) (required when the Kerberos Authentication Type is selected)

Type the host that supplies the user session tickets.

Web Application Authentication

In a web application scan, you can configure one of the following types of Web Application Authentication credentials:

Login Form Authentication

Authentication Method

In the drop-down box, select Login Form.

Login Page

Type the URL of the login page for the web application you want to scan.

Login Parameters

Type the login parameters for the web application you want to scan. Enter the parameters as JSON key-value pairs (for example, {"username": "example_user","password": "example_password"}).

Pattern to Verify Successful Authentication

Type a word, phrase, or regular expression that appears on the website only if the authentication is successful (for example, Welcome, your username!). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.

Page to Verify Active Session

Type the URL that Tenable Nessus can continually access to validate the authenticated session.

Pattern to Verify Active Session

Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.

Cookie Authentication

Authentication Method

In the drop-down box, select Cookie Authentication.

Cookies

Enter the cookie key-value pairs as a comma-separated list. The pairs must be unencoded and in valid JSON formatting. For example:

{"name" : "value","name2" : "value2","name3" : "value3"}

Page to Verify Active Session

Type the URL that Tenable Nessus can continually access to validate the authenticated session.

Pattern to Verify Active Session

Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.
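The Login Parameters, Cookies and "Pattern to Verify" settings above are easy to get subtly wrong (non-string JSON values, URL-encoded cookie values, patterns padded with .*), and a failed login usually surfaces only as an unauthenticated scan. The following added example, not part of the Tenable documentation, pre-checks those three fields the way the scanner consumes them; the constants are constructed samples mirroring the examples on this page, and the treatment of a leading slash as an escaped literal is an assumption about the wording "leading slashes will be escaped".

```python
import json
import re
from urllib.parse import urlencode

# Constructed sample values that mirror the examples in the documentation.
LOGIN_PARAMETERS = '{"username": "example_user","password": "example_password"}'
COOKIES = '{"name" : "value","name2" : "value2","name3" : "value3"}'

def parse_login_parameters(text):
    """Parse the Login Parameters field into the fields that will be POSTed.
    Assumption: the field must be one flat JSON object of string values."""
    params = json.loads(text)
    if not isinstance(params, dict) or not params:
        raise ValueError("Login Parameters must be a non-empty JSON object")
    bad = [k for k, v in params.items() if not isinstance(v, str)]
    if bad:
        raise ValueError(f"non-string login parameter values: {bad}")
    return params

def form_body(params):
    """Render parsed login parameters as a form-urlencoded request body."""
    return urlencode(params)

def looks_url_encoded(value):
    """True if a value contains %xx sequences, i.e. it is not 'unencoded'."""
    return re.search(r"%[0-9A-Fa-f]{2}", value) is not None

def parse_cookies(text):
    """Parse the Cookies field; every value must be an unencoded string."""
    cookies = json.loads(text)
    if not isinstance(cookies, dict) or not cookies:
        raise ValueError("Cookies must be a non-empty JSON object")
    for name, value in cookies.items():
        if not isinstance(value, str) or looks_url_encoded(value):
            raise ValueError(f"cookie {name!r} must be an unencoded string")
    return cookies

def cookie_header(cookies):
    """Render parsed cookies as the Cookie header the scanner would send."""
    return "; ".join(f"{k}={v}" for k, v in cookies.items())

def verify_pattern(pattern):
    """Compile a 'Pattern to Verify ...' value (assumption: a leading '/' is escaped)."""
    if pattern.startswith("/"):
        pattern = "\\" + pattern
    return re.compile(pattern)

def page_matches(body, pattern):
    """True when the pattern appears anywhere in the body; no leading/trailing '.*' needed."""
    return verify_pattern(pattern).search(body) is not None
```

Run page_matches against a saved copy of the post-login page and of the session-check page before starting the scan; a pattern that also matches the logged-out page will make the scanner believe a dead session is still active.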

Selenium Authentication

Authentication Method

Select Selenium Authentication.

Selenium Script (.side)

Do the following:

  1. In the Selenium IDE extension, record your authentication credentials.

  2. Click Add File.

    The file manager for your operating system appears.

  3. Navigate to and select your Selenium credentials .side file.

    Tenable Nessus imports the credentials file.

Page to Verify Active Session

Type the URL that Tenable Nessus can continually access to validate the authenticated session.

Pattern to Verify Active Session

Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.