Web Authentication Credentials

Required Additional License: Tenable Web App Scanning

Required Tenable Nessus Version: 10.6.1 or later

Configure the following options for Web Authentication credentials, including options specific for your authentication method: Client Certificate Authentication Options, HTTP Server Authentication Options, and Web Application Authentication Options.

For information about web app scans, see Web App Scans.

General Options | Description

Name

(Required) A name for the credential.

Description

A description for the credential.

Tag

A tag for the credential. For more information, see Tags.

Client Certificate Authentication Options

The following table describes the additional options to configure when using Client Certificate Authentication as the authentication method for Web Authentication credentials.

Option | Description

Client Certificate

The file that contains the PEM-formatted certificate used to communicate with the host.

Client Certificate Private Key

The file that contains the PEM-formatted private key for the client certificate.

Client Certificate Private Key Passphrase

The passphrase for the private key, if required.

Page to Verify Successful Authentication

The URL that Tenable Security Center can access to validate the authenticated session.

Pattern to Verify Successful Authentication

A word, phrase, or regular expression that appears on the website only if the authentication is successful (for example, Welcome, your username!). Leading slashes are escaped and .* is not required at the beginning or end of the pattern.

HTTP Server Authentication Options

The following table describes the additional options to configure when using HTTP Server Authentication as the authentication method for Web Authentication credentials.

Option | Description

Username

(Required) The username that Tenable Security Center uses to authenticate to the HTTP server.

Password

(Required) The password that Tenable Security Center uses to authenticate to the HTTP server.

Authentication Type

The method used to authenticate to the HTTP server:

  • Basic/Digest

  • NTLM

  • Kerberos

Kerberos Realm

(Required when enabling the Kerberos Authentication Type) The Kerberos realm to which the target belongs, if applicable.

Key Distribution Center (KDC)

(Required when enabling the Kerberos Authentication Type) The host that supplies the session tickets for the user.

Web Application Authentication Options

The following table describes the additional options to configure when using Web Application Authentication as the authentication method for Web Authentication credentials.

Option | Description

Authentication Method

The method used to authenticate to the HTTP server:

  • Login Form

  • Cookie Authentication

  • API Key

  • Selenium Authentication

  • Bearer Authentication

Login Form

Login Page

The URL of the login page for the web application you want to scan.

Login Parameters

For each field in the target's login form (for example, username, password, or domain), enter one login parameter per row:

  1. In the left box, type the value of the login field's name or id HTML DOM attribute.

  2. In the right box, type the value to insert in that text field at login.

  3. (Optional) Click Add to add additional login parameters.
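The following added example (not Tenable's code) illustrates what the Login Parameters option asks for: each configured key is matched against the name or id attribute of an input in the login form, and the matched fields become the POST body. The login page HTML is constructed for the example; `resolve_login_parameters` and `missing_parameters` are hypothetical helpers, and the point they make is that a key matching neither attribute is a configuration error that should be caught before the scan, because a scan whose login parameters match nothing never authenticates.

```python
"""Resolve configured login parameters against a login form (added example, not Tenable's code)."""
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample login page; not taken from the product or any real site.
LOGIN_HTML = """
<form id="login" action="/session" method="post">
  <input type="text"     id="user-field" name="username">
  <input type="password" id="pass-field" name="password">
  <input type="hidden"   name="csrf_token" value="abc123">
  <input type="submit"   value="Sign in">
</form>
"""


class FormParser(HTMLParser):
    """Collect the form action and every <input> with its name, id, type and default value."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action")
        elif tag == "input":
            self.inputs.append({
                "name": a.get("name"),
                "id": a.get("id"),
                "type": a.get("type", "text"),
                "value": a.get("value", ""),
            })


def parse_form(html):
    parser = FormParser()
    parser.feed(html)
    return parser


def missing_parameters(html, params):
    """Return the configured keys that match neither a name nor an id attribute of any input."""
    form = parse_form(html)
    return [key for key in params
            if not any(key in (i["name"], i["id"]) for i in form.inputs)]


def resolve_login_parameters(html, params):
    """Map each configured parameter (keyed by name *or* id) onto the form field it targets.

    Hidden fields with default values (for example a CSRF token) are carried through,
    because the target's login handler usually rejects a POST without them.
    Raises KeyError for a key that matches no field.
    """
    form = parse_form(html)
    fields = {}
    for inp in form.inputs:
        if inp["type"] in ("submit", "button") or not inp["name"]:
            continue
        fields[inp["name"]] = inp["value"]
    for key, value in params.items():
        match = next((i for i in form.inputs if key in (i["name"], i["id"])), None)
        if match is None or not match["name"]:
            raise KeyError(f"no form field with name or id {key!r}")
        fields[match["name"]] = value
    return form.action, list(fields.items())


def build_post_body(html, params):
    """Return (action URL, URL-encoded body) the login request would carry."""
    action, fields = resolve_login_parameters(html, params)
    return action, urlencode(fields)


if __name__ == "__main__":
    # "user-field" is an id, "password" is a name; both are accepted.
    print(build_post_body(LOGIN_HTML, {"user-field": "alice", "password": "s3cret"}))
    print(missing_parameters(LOGIN_HTML, {"email": "alice@example.test", "password": "s3cret"}))
```

Running the block prints the resolved action `/session` with a body of `username=alice&password=s3cret&csrf_token=abc123`, and reports `email` as a key that matches no field in the constructed form.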

Pattern to Verify Successful Auth

A word, phrase, or regular expression that appears on the website only if the authentication is successful (for example, Welcome, your username). Note that leading slashes are escaped and .* is not required at the beginning or end of the pattern.

Page to Verify Active Session

The URL that Tenable Security Center can continually access to validate the authenticated session.

Pattern to Verify Active Session

A word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username). Note that leading slashes are escaped and .* is not required at the beginning or end of the pattern.

Cookie Authentication

Cookies

Enter one cookie authentication credential in each row:

  1. In the left box, type the name of the cookie authentication credential.

  2. In the right box, type the value of the cookie authentication credential.

  3. (Optional) Click Add to add additional cookie authentication credentials.

Page to Verify Active Session

The URL that Tenable Security Center can continually access to validate the authenticated session.

Pattern to Verify Active Session

A word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username). Note that leading slashes are escaped and .* is not required at the beginning or end of the pattern.

API Key

Headers

Enter one HTTP header in each row:

  1. In the left box, type the name of the HTTP header.

  2. In the right box, type the value of the HTTP header.

  3. (Optional) Click Add to add additional headers.

Page to Verify Active Session

The URL that Tenable Security Center can continually access to validate the authenticated session.

Pattern to Verify Active Session

A word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username). Note that leading slashes are escaped and .* is not required at the beginning or end of the pattern.

Selenium Authentication

Selenium Script (.side)

Use the following steps to add a .side file:

  1. In the Selenium IDE extension, record your authentication credentials.

  2. Click Add File.

    The file manager for your operating system appears.

  3. Navigate to and select your Selenium credentials .side file.

    Tenable Security Center imports the credentials file.

Page to Verify Active Session

The URL that Tenable Security Center can continually access to validate the authenticated session.

Pattern to Verify Active Session

A word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username). Note that leading slashes are escaped and .* is not required at the beginning or end of the pattern.

Bearer Authentication

Bearer Token

The value of the bearer token.

Page to Verify Active Session

The URL that Tenable Security Center can continually access to validate the authenticated session.

Pattern to Verify Active Session

A word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username). Note that leading slashes are escaped and .* is not required at the beginning or end of the pattern.
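The Pattern to Verify Successful Authentication and Pattern to Verify Active Session options (in the Client Certificate section and in every Web Application method above) describe a pattern that is searched for anywhere in the verification page, so `.*` is not needed at either end. The added example below (not Tenable's code) applies a candidate pattern that way and, going one step beyond the page, checks it against pages a logged-out client would receive as well: a pattern that also matches the login page or a session-expired page reports every scan as authenticated even when the session was never established or has timed out. The sample pages are constructed, `evaluate_verification_pattern` is a hypothetical helper, and the exact escaping the product applies to a leading slash is not documented here, so `normalize_pattern` treating a leading `/` as a literal slash is an assumption.

```python
"""Evaluate a 'Pattern to Verify' regex against constructed pages (added example, not Tenable's code)."""
import re

# Constructed sample pages; not from any real application.
LOGIN_PAGE = "<h1>Welcome to ExampleCorp</h1><form action='/login'>...</form>"
DASHBOARD_PAGE = "<p>Welcome, alice!</p><a href='/logout'>Log out</a>"
EXPIRED_PAGE = "<p>Your session has expired.</p><a href='/login'>Sign in again</a>"


def normalize_pattern(pattern):
    """Assumption: a leading slash is a literal character, not a regex delimiter."""
    if pattern.startswith("/"):
        pattern = "\\" + pattern
    return pattern


def pattern_matches(page, pattern):
    """True if the pattern occurs anywhere in the page (unanchored search, no .* needed)."""
    return re.search(normalize_pattern(pattern), page) is not None


def evaluate_verification_pattern(pattern, authenticated_page, unauthenticated_pages):
    """Classify a candidate verification pattern.

    'ok'             matches the authenticated page and none of the logged-out pages
    'no_match'       does not match the authenticated page (scan would be treated as failed)
    'false_positive' matches a logged-out page too (scan would be treated as authenticated
                     even with no valid session, silently scanning unauthenticated)
    """
    if not pattern_matches(authenticated_page, pattern):
        return "no_match"
    if any(pattern_matches(page, pattern) for page in unauthenticated_pages):
        return "false_positive"
    return "ok"


if __name__ == "__main__":
    logged_out = [LOGIN_PAGE, EXPIRED_PAGE]
    for candidate in ["Welcome", r"Welcome, \w+!", "/logout", "Hello, bob"]:
        verdict = evaluate_verification_pattern(candidate, DASHBOARD_PAGE, logged_out)
        print(f"{candidate!r:20} -> {verdict}")
```

With the constructed pages, the bare word `Welcome` is a false positive because the login page also contains it, while `Welcome, \w+!` and `/logout` only occur once a session exists; when choosing a pattern for a real target, fetch the verification page once logged out as well and confirm it does not match.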