WAS Scan Web Application Authentication

In a web application scan, you can configure one of the following types of Web Application Authentication credentials:

Login Form Authentication

Option Action
Authentication Method

In the drop-down box, select Login Form.

Login Page

Type the URL of the login page for the web application you want to scan.

Credentials

Do the following:

  1. In the first Credentials text box, type a username that Tenable.io Web Application Scanning uses to log in to the web application.
  2. In the second Credentials text box, type the password that Tenable.io Web Application Scanning uses to log in to the web application.
  3. (Optional) Add alternate credentials by clicking the Add button.

Tip: If you perform an uncredentialed Overview scan, plugin 98033 (Login Form Detected) may automatically detect and display the required login boxes in the plugin output.

Pattern to Verify Successful Auth

Type a word, phrase, or regular expression that appears on the website only if the authentication is successful (for example, Welcome, your username!). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.

Page to Verify Active Session

Type the URL that Tenable.io Web Application Scanning can continually access to validate the authenticated session.

Pattern to Verify Active Session

Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.

Cookie Authentication

Option Action
Authentication Method

In the drop-down box, select Cookie Authentication.

Session Cookies

Do the following:

  1. In the first text box, type the name of the cookie authentication credentials.
  2. In the second box, type the value of the cookie authentication credentials.

Pattern to Verify Successful Auth

Type a word, phrase, or regular expression that appears on the website only if the authentication is successful (for example, Welcome, your username!). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.

Page to Verify Active Session

Type the URL that Tenable.io Web Application Scanning can continually access to validate the authenticated session.

Pattern to Verify Active Session

Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.

Selenium Authentication

Option Action
Authentication Method

Select Selenium Authentication.

Selenium Script (.side)

Do the following:

  1. In the Selenium IDE extension, record your authentication credentials.

  2. Click Add File.

    The file explorer for your operating system appears.

  3. Navigate to and select your Selenium credentials .side file.

    Tenable.io Web Application Scanning imports the credentials file.

Pattern to Verify Successful Auth

Type a word, phrase, or regular expression that appears on the website only if the authentication is successful (for example, Welcome, your username!). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.

Page to Verify Active Session

Type the URL that Tenable.io Web Application Scanning can continually access to validate the authenticated session.

Pattern to Verify Active Session

Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.
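
Both verification patterns must appear only on authenticated pages, so a candidate is worth checking against saved response bodies before the scan is launched. The following is an added example, not Tenable code: check_pattern is a hypothetical helper, the sample pages are constructed, and Python's re module stands in for the scanner's matching, which is assumed to be an unanchored search.

```python
import re


def check_pattern(pattern, authenticated_bodies, unauthenticated_bodies):
    """Return (ok, problems) for a candidate verification pattern.

    Assumption: the pattern is applied as an unanchored search (the page
    says no leading or trailing .* is needed); Python's re module stands
    in for the scanner's regex engine.
    """
    try:
        rx = re.compile(pattern)
    except re.error as exc:
        return False, [f"pattern does not compile: {exc}"]
    problems = []
    # A pattern that matches nothing-at-all matches every page.
    if rx.search("") is not None:
        problems.append("pattern matches the empty string, so it matches every page")
    # It must be present on every page fetched with a valid session...
    for name, body in authenticated_bodies.items():
        if rx.search(body) is None:
            problems.append(f"no match on authenticated page {name!r}")
    # ...and absent from login pages and expired-session responses.
    for name, body in unauthenticated_bodies.items():
        match = rx.search(body)
        if match is not None:
            problems.append(f"matches unauthenticated page {name!r} at {match.group(0)!r}")
    return not problems, problems


# Constructed sample responses (not from a real application).
AUTHENTICATED = {
    "/account": "<h1>Welcome, alice!</h1><a href='/logout'>Sign out</a>",
}
UNAUTHENTICATED = {
    "/login": "<h1>Welcome, please sign in</h1><form action='/login'>",
    "/account (expired session)": "<p>Your session has expired.</p><a href='/login'>Sign in</a>",
}

if __name__ == "__main__":
    for candidate in ["Welcome", r"Welcome, \w+!", "Sign out", "Welcome, (alice", ".*"]:
        ok, problems = check_pattern(candidate, AUTHENTICATED, UNAUTHENTICATED)
        print(f"{candidate!r}: {'usable' if ok else 'rejected'}")
        for problem in problems:
            print(f"    {problem}")
```

A pattern rejected here would cause the scan to treat a logged-out or expired session as authenticated, so the results would silently cover only the unauthenticated surface.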