Web Authentication Credentials

The following are the available Web Authentication credentials in Tenable Nessus Web App templates:

Note: The following settings only apply to web application scanning in Tenable Nessus. To view settings for the Tenable Web App Scanning product, see Tenable Web App Scanning Scan Settings.

HTTP Server Authentication

In a web application scan, you can configure the following settings for HTTP server-based authentication credentials.

Option	Action
Username	Type the username that Tenable Nessus should use to authenticate to the HTTP-based server.
Password	Type the password that Tenable Nessus should use to authenticate to the HTTP-based server.
Authentication Type	In the drop-down list, select one of the following authentication types: Basic NTLM Kerberos
Kerberos Realm	(Required when enabling the Kerberos Authentication Type) Type the realm to which Kerberos Target Authentication belongs.
Key Distribution Center (KDC)	(Required when enabling the Kerberos Authentication Type) Type the host that supplies the user session tickets.

Web Application Authentication

In a web application scan, you can configure one of the following types of Web Application Authentication credentials:

Login Form Authentication
Cookie Authentication
Selenium Authentication

Login Form Authentication

Option	Action
Authentication Method	In the drop-down box, select Login Form.
Login Page	Type the URL of the login page for the web application you want to scan.
Login Parameters	Type the login parameters for the web application you want to scan. Enter the parameters as JSON key value pairs (for example, {"username": "example_user","password": "example_password"}).
Pattern to Verify Successful Authentication	Type a word, phrase, or regular expression that appears on the website only if the authentication is successful (for example, Welcome, your username!). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.
Page to Verify Active Session	Type the URL that Tenable Nessus can continually access to validate the authenticated session.
Pattern to Verify Active Session	Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.

Cookie Authentication

Option	Action
Authentication Method	In the drop-down box, select Cookie Authentication.
Cookies	Enter the cookie key and value pairs as a comma-separated list. The pairs must be unencoded and in valid JSON formatting. For example: {"name" : "value","name2" : "value2","name3" : "value3"}
Page to Verify Active Session	Type the URL that Tenable Nessus can continually access to validate the authenticated session.
Pattern to Verify Active Session	Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.

Selenium Authentication

Option	Action
Authentication Method	Select Selenium Authentication.
Selenium Script (.side)	Do the following: In the Selenium IDE extension, record your authentication credentials in the Selenium IDE extension. Click Add File. The file manager for your operating system appears. Navigate to and select your Selenium credentials .side file. Tenable Nessus imports the credentials file.
Page to Verify Active Session	Type the URL that Tenable Nessus can continually access to validate the authenticated session.
Pattern to Verify Active Session	Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.