Web Application Authentication

In a Tenable Web App Scanning scan, you can configure one of the following types of Web Application Authentication credentials: Login Form, Cookie, Selenium, API Key, or Bearer Authentication. Each type is described in its own section below.


Tip: If the login process causes any headers or cookies to be set, the scanner should notice this and include them in subsequent requests. If this is not happening as you expect, use Selenium authentication: record the login process into a .side file, then use that file in the scan. If you are still experiencing issues, contact your Tenable representative for support.

Login Form Authentication

Option Action
Authentication Method In the drop-down box, select Login Form.
Login Page Type the URL of the login page for the web application you want to scan.
Credentials

For each field in the target's login form (for example, username, password, and domain), complete a credential entry as follows:

  1. In the left-hand text box, type the value of the login field's name or id HTML DOM attribute.
  2. In the right-hand text box in the row, type the literal value to insert in that text field at login.


Tip: To see a text field's name or id HTML DOM attribute, right-click on the text field and select "Inspect" in either your Firefox or Chrome browser.

Tip: If you perform an uncredentialed Overview scan, plugin 98033 (Login Form Detected) may automatically detect and display the required login boxes in the plugin output.

Pattern to Verify Successful Authentication

Type a word, phrase, or regular expression that appears on the website only if the authentication is successful (for example, Welcome, your username!). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.

Page to Verify Active Session

Type the URL that Tenable Web App Scanning can continually access to validate the authenticated session.

Pattern to Verify Active Session

Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.
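The following script is an added example, not part of the Tenable documentation or of Tenable Web App Scanning itself. It rehearses the Login Form flow described above against a small stand-in application run on localhost: it reads the login form and lists each input's name and id attributes (the values that go in the left-hand credential box), posts the credentials, keeps any cookie the login response sets and sends it with the later request (the behaviour the Tip at the top of the page describes), checks the success pattern on the login response, and checks the active-session pattern on the verify page. It also fetches the verify page with no cookies at all, because a session pattern that still matches for an anonymous visitor cannot tell the scanner that its session was dropped. The demo application, its credentials, paths, cookie name and patterns are all constructed assumptions for this example; patterns are applied with an unanchored search, matching the note that leading and trailing .* are not required.

```python
import http.cookiejar
import re
import threading
import urllib.error
import urllib.parse
import urllib.request
from html.parser import HTMLParser
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed demo application, credentials and session id: assumptions for this
# example only, nothing here comes from Tenable or from a real target.
DEMO_USER = "scanner"
DEMO_PASS = "correct horse battery"
DEMO_SID = "demo-session-id"
LOGIN_HTML = (b'<html><body><form method="post" action="/login">'
              b'<input name="username" id="user"><input name="password" id="pass" type="password">'
              b'<button type="submit">Sign in</button></form></body></html>')


class DemoApp(BaseHTTPRequestHandler):
    """Stand-in target: a login form, a session cookie, and a page that requires it."""

    def _send(self, code, body, extra=()):
        self.send_response(code)
        self.send_header("Content-Type", "text/html")
        for name, value in extra:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        has_session = f"sid={DEMO_SID}" in self.headers.get("Cookie", "")
        if self.path == "/login":
            self._send(200, LOGIN_HTML)
        elif self.path == "/account" and has_session:
            self._send(200, b"<h1>Hello, scanner.</h1>")
        elif self.path == "/account":
            self._send(302, b"", [("Location", "/login")])  # no session: back to the login page
        else:
            self._send(404, b"not found")

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        if form.get("username") == [DEMO_USER] and form.get("password") == [DEMO_PASS]:
            # The login response sets the cookie; the client must carry it from here on.
            self._send(200, b"<p>Welcome, scanner!</p>", [("Set-Cookie", f"sid={DEMO_SID}; HttpOnly")])
        else:
            self._send(401, b"<p>Invalid credentials</p>")

    def log_message(self, *args):
        pass  # keep the demo quiet


class FormFields(HTMLParser):
    """Collect (name, id) of every <input>: the attribute values typed in the left-hand box."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            attr = dict(attrs)
            self.fields.append((attr.get("name"), attr.get("id")))


def start_server():
    """Run DemoApp on a free localhost port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), DemoApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def pattern_matches(body, pattern):
    """Unanchored search, as the docs describe: no leading or trailing .* is needed."""
    return re.search(pattern, body) is not None


def _fetch(opener, url, data=None):
    """Return the response body even on 4xx, so a failed login can still be inspected."""
    try:
        with opener.open(url, data=data, timeout=5) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.read().decode()


def rehearse_login(base, username, password, success_pattern, verify_page, verify_pattern):
    """Walk the login-form flow the way a scanner would and report what it observed."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    parser = FormFields()
    parser.feed(_fetch(opener, base + "/login"))
    data = urllib.parse.urlencode({"username": username, "password": password}).encode()
    login_body = _fetch(opener, base + "/login", data)
    verify_body = _fetch(opener, base + verify_page)  # cookies from the jar ride along
    anon_body = _fetch(urllib.request.build_opener(), base + verify_page)  # fresh client, no cookies
    return {
        "form_fields": parser.fields,
        "cookies": sorted(c.name for c in jar),
        "authenticated": pattern_matches(login_body, success_pattern),
        "session_active": pattern_matches(verify_body, verify_pattern),
        "pattern_leaks_to_anonymous": pattern_matches(anon_body, verify_pattern),
    }


if __name__ == "__main__":
    server, base = start_server()
    print(rehearse_login(base, DEMO_USER, DEMO_PASS, r"Welcome, \w+!", "/account", r"Hello, \w+\."))
    server.shutdown()
```

Run it before configuring the scan: `form_fields` tells you what to enter as field names, `authenticated` confirms the success pattern is specific to a successful login, `session_active` confirms the verify page and pattern work with the cookie, and `pattern_leaks_to_anonymous` should be False, otherwise the pattern cannot detect a lost session.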

Cookie Authentication

Option Action
Authentication Method In the drop-down box, select Cookie Authentication.
Session Cookies

Do the following:

  1. In the first text box, type the name of the session cookie.
  2. In the second text box, type the value of the session cookie.

Page to Verify Active Session

Type the URL that Tenable Web App Scanning can continually access to validate the authenticated session.

Pattern to Verify Active Session

Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.

Selenium Authentication

Option Action
Authentication Method Select Selenium Authentication.

Selenium Script (.side)

Do the following:

  1. In the Selenium IDE browser extension, record your login process and save it as a .side file.

  2. Click Add File.

    The file manager for your operating system appears.

  3. Navigate to and select your Selenium credentials .side file.

    Tenable Web App Scanning imports the credentials file.

Page to Verify Active Session

Type the URL that Tenable Web App Scanning can continually access to validate the authenticated session.

Pattern to Verify Active Session

Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.

API Key Authentication

Option Action
Authentication Method Select API Key.

Headers

Do the following:

  1. In the first text box, type the name of the HTTP header.

  2. In the second text box, type the value of the HTTP header.

  3. (Optional) Add additional headers by clicking the Add button.

Page to Verify Active Session

Type the URL that Tenable Web App Scanning can continually access to validate the authenticated session.

Pattern to Verify Active Session

Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.

Bearer Authentication

Option Action
Authentication Method Select Bearer Authentication.

Bearer Token

Type the value of the bearer token.

Note: Bearer Token is a part of OAuth. Tenable Web App Scanning supports OAuth in cases where it is a part of OpenID Connect and recordable via a Selenium script. Implementations of OAuth that are not a part of OpenID Connect are supported only where the token is dynamic, or you craft a special static (non-dynamic) token for authentication purposes.

Page to Verify Active Session

Type the URL that Tenable Web App Scanning can continually access to validate the authenticated session.

Pattern to Verify Active Session

Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.