Web Authentication Credentials

The following are the available Web Authentication credentials in Tenable Nessus Web App templates:

HTTP Server Authentication

In a web application scan, you can configure the following settings for HTTP server-based authentication credentials.

Option Action
Username Type the username that Tenable Nessus should use to authenticate to the HTTP-based server.
Password Type the password that Tenable Nessus should use to authenticate to the HTTP-based server.
Authentication Type

In the drop-down list, select one of the following authentication types:

  • Basic
  • NTLM
  • Kerberos
Kerberos Realm (Required when the Kerberos Authentication Type is selected) Type the Kerberos realm to which the target's authentication belongs.
Key Distribution Center (KDC) (Required when the Kerberos Authentication Type is selected) Type the host that supplies the user session tickets.

Web Application Authentication

In a web application scan, you can configure one of the following types of Web Application Authentication credentials:

Login Form Authentication

Option Action
Authentication Method In the drop-down box, select Login Form.
Login Page Type the URL of the login page for the web application you want to scan.
Login Parameters

Type the login parameters for the web application you want to scan. Enter the parameters as JSON key value pairs (for example, {"username": "example_user","password": "example_password"}).

Pattern to Verify Successful Authentication

Type a word, phrase, or regular expression that appears on the website only if the authentication is successful (for example, Welcome, your username!). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.

Page to Verify Active Session

Type the URL that Tenable Nessus can continually access to validate the authenticated session.

Pattern to Verify Active Session

Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.
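As an added pre-flight check (not part of the Tenable documentation or of Nessus itself), the following Python reimplements the Login Form settings above against constructed sample pages: it parses the Login Parameters JSON and confirms that each verification pattern matches the authenticated page but not the login page or an expired-session page, which is what "appears on the website only if the authentication is successful" requires. The search-anywhere matching and the leading-slash escaping are assumptions drawn from the note above, not Nessus code.

```python
import json
import re

# Constructed sample responses for an offline pre-flight check.
LOGIN_PAGE = "<title>Sign in</title><p>Welcome! Please sign in to continue.</p>"
AUTHENTICATED_PAGE = '<title>Dashboard</title><p>Welcome, example_user!</p><a href="/logout">Log out</a>'
EXPIRED_PAGE = "<title>Sign in</title><p>Your session has expired. Please sign in.</p>"

# Login Form credential settings as they would be typed into the template.
GOOD_CONFIG = {
    "Login Parameters": '{"username": "example_user","password": "example_password"}',
    "Pattern to Verify Successful Authentication": "Welcome, example_user!",
    "Pattern to Verify Active Session": "/logout",
}
# Same settings, but a success pattern that also appears on the login page.
BROAD_CONFIG = {**GOOD_CONFIG, "Pattern to Verify Successful Authentication": "Welcome"}


def compile_pattern(pattern):
    """Compile a verification pattern with the documented semantics: it is searched
    anywhere in the page (no leading or trailing .* needed) and a leading slash is
    escaped so it matches literally. Assumed reimplementation, not Nessus code."""
    if pattern.startswith("/"):
        pattern = "\\/" + pattern[1:]
    return re.compile(pattern)


def parse_login_parameters(raw):
    """Parse the Login Parameters field: a JSON object of string key/value pairs."""
    params = json.loads(raw)
    if not isinstance(params, dict) or not all(
        isinstance(k, str) and isinstance(v, str) for k, v in params.items()
    ):
        raise ValueError("Login Parameters must be a JSON object of string pairs")
    return params


def check_credentials(config, login_page, authenticated_page, expired_page):
    """A pattern is only usable if it matches the authenticated page AND is absent
    from the login or expired page; otherwise a failed login would look like success."""
    try:
        params_ok = bool(parse_login_parameters(config["Login Parameters"]))
    except ValueError:  # json.JSONDecodeError is a subclass of ValueError
        params_ok = False
    success = compile_pattern(config["Pattern to Verify Successful Authentication"])
    active = compile_pattern(config["Pattern to Verify Active Session"])
    return {
        "login_parameters_ok": params_ok,
        "success_pattern_ok": bool(success.search(authenticated_page)) and not success.search(login_page),
        "session_pattern_ok": bool(active.search(authenticated_page)) and not active.search(expired_page),
    }
```

Run the same check against real captured responses before scanning; a success pattern that also matches the login page is the usual reason a scan reports as authenticated while crawling only the unauthenticated surface.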

Cookie Authentication

Option Action
Authentication Method In the drop-down box, select Cookie Authentication.
Cookies

Enter the cookie names and values that Tenable Nessus should use for the scan. Enter the cookie name and value pairs as a comma-separated list.

Page to Verify Active Session

Type the URL that Tenable Nessus can continually access to validate the authenticated session.

Pattern to Verify Active Session

Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.

Selenium Authentication

Option Action
Authentication Method Select Selenium Authentication.

Selenium Script (.side)

Do the following:

  1. Using the Selenium IDE extension, record your authentication steps and credentials.

  2. Click Add File.

    The file manager for your operating system appears.

  3. Navigate to and select your Selenium credentials .side file.

    Tenable Nessus imports the credentials file.

Page to Verify Active Session

Type the URL that Tenable Nessus can continually access to validate the authenticated session.

Pattern to Verify Active Session

Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.