Web Application Authentication
In a Tenable Web App Scanning scan, you can configure one of the following types of Web Application Authentication credentials:
- Login Form Authentication
- Cookie Authentication
- Selenium Authentication
- API Key Authentication
- Bearer Authentication
For an overview of authentication in Tenable Web App Scanning, see the following video:
Login Form Authentication

Option | Action |
---|---|
Authentication Method | In the drop-down box, select Login Form. |
Login Page | Type the URL of the login page for the web application you want to scan. |
Credentials | For each field in the target's login form (username, password, domain, and so on), complete a credential entry as follows: Tip: To see a text field's name or id HTML DOM attribute, right-click the text field and select "Inspect" in Firefox or Chrome. Tip: If you perform an uncredentialed Overview scan, plugin 98033 (Login Form Detected) may automatically detect and display the required login boxes in the plugin output. |
Pattern to Verify Successful Authentication | Type a word, phrase, or regular expression that appears on the website only if the authentication is successful (for example, Welcome, your username!). Leading slashes are escaped, and .* is not required at the beginning or end of the pattern. |
Page to Verify Active Session | Type the URL that Tenable Web App Scanning can continually access to validate the authenticated session. |
Pattern to Verify Active Session | Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Leading slashes are escaped, and .* is not required at the beginning or end of the pattern. |
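The two verification patterns above (and the same Pattern to Verify Active Session setting in the other four authentication methods) are regular expressions searched for in the response body. The following added example, which is not Tenable's code, models that check in Python and validates that a candidate pattern matches an authenticated response but not a logged-out one, since a pattern that also matches the login page lets a scan continue with a dead session. The two HTML responses are constructed, and escaping only the leading slash is an assumption about how the scanner treats the pattern.

```python
import re

# Constructed sample responses (not from the page): the "Page to Verify Active
# Session" with a live session, and the same URL after the session has expired
# (the application serves its login page instead).
AUTHENTICATED_BODY = """<html><body>
<h1>Welcome, alice!</h1>
<p>Hello, alice. Your dashboard is ready.</p>
<a href="/account/logout">Log out</a>
</body></html>"""

LOGGED_OUT_BODY = """<html><body>
<h1>Welcome to ExampleApp</h1>
<form action="/account/login" method="post">
<input name="username"><input name="password" type="password">
</form></body></html>"""


def compile_verify_pattern(pattern: str) -> re.Pattern:
    """Compile a 'Pattern to Verify ...' value as the page describes it:
    a leading slash is escaped (matches a literal '/'), and the pattern is
    searched anywhere in the body, so no surrounding .* is needed.
    Assumption: only the leading slash is escaped; other characters are
    passed through as regular-expression syntax."""
    if pattern.startswith("/"):
        pattern = "\\/" + pattern[1:]
    return re.compile(pattern)


def session_active(body: str, pattern: str) -> bool:
    """True if the verification pattern appears anywhere in the response."""
    return compile_verify_pattern(pattern).search(body) is not None


def check_pattern(pattern: str, authenticated: str, logged_out: str) -> dict:
    """Sanity-check a candidate pattern before using it in a scan.
    A usable pattern matches the authenticated response and does NOT match
    the logged-out response; otherwise the scanner would believe the session
    is still active after it has been lost and crawl an unauthenticated view."""
    hit_auth = session_active(authenticated, pattern)
    hit_out = session_active(logged_out, pattern)
    return {"pattern": pattern, "matches_authenticated": hit_auth,
            "matches_logged_out": hit_out, "usable": hit_auth and not hit_out}


if __name__ == "__main__":
    # "Welcome" alone also appears on the login page, so it is not usable.
    for p in ["Welcome", r"Welcome, \w+!", "/account/logout", "Hello, alice."]:
        print(check_pattern(p, AUTHENTICATED_BODY, LOGGED_OUT_BODY))
```

Running it against your own application's authenticated and logged-out responses is a quick way to confirm the pattern before saving the scan configuration.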
Cookie Authentication

Option | Action |
---|---|
Authentication Method | In the drop-down box, select Cookie Authentication. |
Session Cookies | Do the following: |
Page to Verify Active Session | Type the URL that Tenable Web App Scanning can continually access to validate the authenticated session. |
Pattern to Verify Active Session | Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Leading slashes are escaped, and .* is not required at the beginning or end of the pattern. |
Selenium Authentication

Option | Action |
---|---|
Authentication Method | Select Selenium Authentication. |
Selenium Script (.side) | Do the following: |
Page to Verify Active Session | Type the URL that Tenable Web App Scanning can continually access to validate the authenticated session. |
Pattern to Verify Active Session | Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Leading slashes are escaped, and .* is not required at the beginning or end of the pattern. |
API Key Authentication

Option | Action |
---|---|
Authentication Method | Select API Key. |
Headers | Do the following: |
Page to Verify Active Session | Type the URL that Tenable Web App Scanning can continually access to validate the authenticated session. |
Pattern to Verify Active Session | Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Leading slashes are escaped, and .* is not required at the beginning or end of the pattern. |
Bearer Authentication

Option | Action |
---|---|
Authentication Method | Select Bearer Authentication. |
Bearer Token | Type the value of the bearer token. Note: Bearer tokens are part of OAuth. Tenable Web App Scanning supports OAuth in cases where it is part of OpenID Connect and recordable via a Selenium script. Implementations of OAuth that are not part of OpenID Connect are supported only where the token is dynamic, or where you craft a special static (non-dynamic) token for authentication purposes. |
Page to Verify Active Session | Type the URL that Tenable Web App Scanning can continually access to validate the authenticated session. |
Pattern to Verify Active Session | Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Leading slashes are escaped, and .* is not required at the beginning or end of the pattern. |