:

Web Application Authentication

In a web application scan, you can configure one of the following types of Web Application Authentication credentials:

Login Form Authentication
Cookie Authentication
Selenium Authentication
API Key Authentication
Bearer Authentication

Login Form Authentication

Option	Action
Authentication Method	In the drop-down box, select Login Form.
Login Page	Type the URL of the login page for the web application you want to scan.
Credentials	Do the following: In the first Credentials text box, type a username that Tenable.io Web Application Scanning uses to log in to the web application. In the second Credentials text box, type the password that Tenable.io Web Application Scanning uses to log in to the web application. (Optional) Add alternate credentials by clicking the button. Tip: If you perform an uncredentialed Overview scan, plugin 98033 (Login Form Detected) may automatically detect and display the required login boxes in the plugin output.
Pattern to Verify Successful Authentication	Type a word, phrase, or regular expression that appears on the website only if the authentication is successful (for example, Welcome, your username!). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.
Page to Verify Active Session	Type the URL that Tenable.io Web Application Scanning can continually access to validate the authenticated session.
Pattern to Verify Active Session	Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.

Cookie Authentication

Option	Action
Authentication Method	In the drop-down box, select Cookie Authentication.
Session Cookies	Do the following: In the first text box, type the name of the cookie authentication credentials. In the second text box, type the value of the cookie authentication credentials.
Page to Verify Active Session	Type the URL that Tenable.io Web Application Scanning can continually access to validate the authenticated session.
Pattern to Verify Active Session	Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.

Selenium Authentication

Option	Action
Authentication Method	Select Selenium Authentication.
Selenium Script (.side)	Do the following: In the Selenium IDE extension, record your authentication credentials in the Selenium IDE extension. Click Add File. The file explorer for your operating system appears. Navigate to and select your Selenium credentials .side file. Tenable.io Web Application Scanning imports the credentials file.
Page to Verify Active Session	Type the URL that Tenable.io Web Application Scanning can continually access to validate the authenticated session.
Pattern to Verify Active Session	Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.

API Key Authentication

Option	Action
Authentication Method	Select API Key.
Headers	Do the following: In the first text box, type the name of the HTTP header. In the second text box, type the value of the HTTP header. (Optional) Add additional headers by clicking the button.
Page to Verify Active Session	Type the URL that Tenable.io Web Application Scanning can continually access to validate the authenticated session.
Pattern to Verify Active Session	Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.

Bearer Authentication

Option	Action
Authentication Method	Select Bearer Authentication.
Bearer Token	Type the value of the bearer token.
Page to Verify Active Session	Type the URL that Tenable.io Web Application Scanning can continually access to validate the authenticated session.
Pattern to Verify Active Session	Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.

Copyright © 2022 Tenable, Inc. All rights reserved. Tenable, Tenable.io, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable,Inc. Tenable.sc, Tenable.ot, Lumin, Indegy, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.