Web Application Authentication
Before you begin:
In a Tenable Web App Scanning scan, you can configure one of the following Authentication methods in the dropdown list in the Settings section of your
Authentication Type:
- Login Form Authentication
- Cookie Authentication
- Selenium Authentication
- API Key Authentication
- Bearer Authentication
- OAuth Authentication
For an overview of authentication in Tenable Web App Scanning, see the following video:
| Option | Action |
|---|---|
| Username | Type the username Tenable Web App Scanning uses to authenticate to the web application-based server. |
| Password | Type the password Tenable Web App Scanning uses to authenticate to the web application-based server. |
| Option | Action |
|---|---|
| Authentication Method | In the drop-down box, select Login Form. |
| Login Page | Type the URL of the login page for the web application you want to scan. |
| Credentials |
For each field in the target's login form (that is, username, password, and domain, etc.) complete a credential entry as follows:
A typical configuration example: Tip: To see a text field's name or id HTML DOM attribute, right-click on the text field and select "Inspect" in either your Firefox or Chrome browser. Tip: If you perform an uncredentialed Overview scan, plugin 98033 (Login Form Detected) may automatically detect and display the required login boxes in the plugin output. |
| Pattern to Verify Successful Authentication |
Type a word, phrase, or regular expression that appears on the website only if the authentication is successful (for example, Welcome, your username!). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern. |
| Page to Verify Active Session |
Type the URL that Tenable Web App Scanning can continually access to validate the authenticated session. |
| Pattern to Verify Active Session |
Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes are escaped and .* is not required at the beginning or end of the pattern. |
| Option | Action |
|---|---|
| Authentication Method | In the drop-down box, select Cookie Authentication. |
| Session Cookies |
Do the following:
|
| Page to Verify Active Session |
Type the URL that Tenable Web App Scanning can continually access to validate the authenticated session. |
| Pattern to Verify Active Session |
Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes are escaped and .* is not required at the beginning or end of the pattern. |
| Option | Action |
|---|---|
| Authentication Method | Select Selenium Authentication. |
|
Selenium Script (.side) |
Do the following:
|
| Page to Verify Active Session |
Type the URL that Tenable Web App Scanning can continually access to validate the authenticated session. |
| Pattern to Verify Active Session |
Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes are escaped and .* is not required at the beginning or end of the pattern. |
| Option | Action |
|---|---|
| Authentication Method | Select API Key. |
|
Headers |
Do the following:
|
| Page to Verify Active Session |
Type the URL that Tenable Web App Scanning can continually access to validate the authenticated session. |
| Pattern to Verify Active Session |
Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes are escaped and .* is not required at the beginning or end of the pattern. |
| Option | Action |
|---|---|
| Authentication Method | Select Bearer Authentication. |
|
Bearer Token |
Type the value of the bearer token. Note: Bearer Token authentication can be used when a static bearer token is used. If the token is granted as part of a different login process consider Selenium, Login Form, or OAuth credential types. |
| Page to Verify Active Session |
Type the URL that Tenable Web App Scanning can continually access to validate the authenticated session. |
| Pattern to Verify Active Session |
Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes are escaped and .* is not required at the beginning or end of the pattern. |
OAuth Authentication contains three flow type options for your application needs: Authorization Code, Client Credentials, and Device Code.
Authorization Code
Use this flow when your application requires interactive login through your OAuth provider's browser-based login page. The scanner redirects to your identity provider, you authenticate, and the provider returns an authorization code that the scanner exchanges for access tokens. If your login page requires multi-step interaction (such as MFA prompts or custom form fields), you can provide a Selenium script to automate it. If your provider supports PKCE, enable it for additional security.
| Option | Action |
|---|---|
| Client ID | The public identifier issued to your application when it was registered with your OAuth provider. Can be referred to as the scanner's "username" — it tells the provider which application is making the request. |
| Client Secret | The confidential password paired with the Client ID. Used to prove the scanner's identification when exchanging codes for tokens. |
| Authentication URL | The provider's login and authorization page where you are sent to enter credentials and approve the scanner's access. This is the page you see when logging in via that authentication provider. |
| Redirect URL | The URL the OAuth provider sends you back to after they successfully authorize the scanner. It carries the authorization code that the scanner exchanges for an access token. Must match exactly what is registered with the provider. Do not include any query parameters. |
| Username | Type the username Tenable Web App Scanning uses to authenticate to the web application-based server. |
| Password |
Type the password Tenable Web App Scanning uses to authenticate to the web application-based server. |
| Selenium Script (optional) |
Do the following:
|
| PKCE (Proof Key for Code Exchange) |
By default, disabled. An extra security layer for the Authorization Code flow. The scanner generates a one-time secret and proves possession of it during the token exchange, preventing anyone who intercepts the authorization code from using it. Enable only if enabled by the authorization provider. |
| Client Scope |
The list of permissions the scanner is requesting (for example, read, openid, profile). Scopes determine what the issued access token is allowed to do once the scanner uses it against your application. |
| Token URL |
The provider's endpoint where the scanner trades an authorization code, device code, or client credentials for an actual access token. |
| Page to Verify Active Session |
Type the URL that Tenable Web App Scanning can continually access to validate the authenticated session. |
| Pattern to Verify Active Session |
Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes are escaped and .* is not required at the beginning or end of the pattern. |
| Login Check Strategy |
How the scanner verifies it is still logged in while scanning. Choose between checking the response body for a known pattern, checking a specific header, or checking the HTTP response code. |
| Login Request Method |
The HTTP method (GET, POST, PUT, etc., or a full browser request) used when the scanner periodically checks your application to confirm the session is still valid. |
Client Credentials Code
Use this flow when your application exposes API endpoints that authenticate using a client ID and secret, with no user login involved. The scanner presents credentials directly to the OAuth token endpoint and receives an access token without browser interaction or a user session. This flow is the appropriate choice for machine-to-machine or service account scenarios with no user in the authentication path.
| Option | Action |
|---|---|
| Client ID | The public identifier issued to your application when it was registered with your OAuth provider. Can be referred to as the scanner's "username" — it tells the provider which application is making the request. |
| Client Secret | The confidential password paired with the Client ID. Used to prove the scanner's identification when exchanging codes for tokens. |
| Client Scope | The list of permissions the scanner is requesting (for example, read, openid, profile). Scopes determine what the issued access token is allowed to do once the scanner uses it against your application. |
| Token URL | The provider's endpoint where the scanner trades an authorization code, device code, or client credentials for an actual access token. |
| Page to Verify Active Session |
Type the URL that Tenable Web App Scanning can continually access to validate the authenticated session. |
| Pattern to Verify Active Session |
Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes are escaped and .* is not required at the beginning or end of the pattern. |
| Login Check Strategy | How the scanner verifies it is still logged in while scanning. Choose between checking the response body for a known pattern, checking a specific header, or checking the HTTP response code. |
| Login Request Method |
The HTTP method (GET, POST, PUT, etc., or a full browser request) used when the scanner periodically checks your application to confirm the session is still valid. |
Device Code
Use this flow when your application follows the OAuth device authorization pattern, where a device or headless client displays a code and waits for authorization on a separate device. The scanner uses a Selenium script to handle the authorization user interface. Use the $DEVICE_CODE variable in your script to pass the device code value into the appropriate form field. Choose this flow if your application's OAuth login is designed for devices that cannot open a browser.
| Option | Action |
|---|---|
| Client ID | The public identifier issued to your application when it was registered with your OAuth provider. Can be referred to as the scanner's "username" — it tells the provider which application is making the request. |
| Client Secret (Optional) | The confidential password paired with the Client ID. Used to prove the scanner's identification when exchanging codes for tokens. |
| Device Code URL | The OAuth provider's endpoint that issues a short user code for the device-code flow. |
| Username |
Type the username Tenable Web App Scanning uses to authenticate to the web application-based server. |
| Password |
Type the password Tenable Web App Scanning uses to authenticate to the web application-based server. |
| Selenium Script (optional) |
Do the following:
Note: You must substitute $DEVICE_CODE for the literal code value.
|
| Client Scope | The list of permissions the scanner is requesting (for example, read, openid, profile). Scopes determine what the issued access token is allowed to do once the scanner uses it against your application. |
| Token URL | The provider's endpoint where the scanner trades an authorization code, device code, or client credentials for an actual access token. |
| Page to Verify Active Session |
Type the URL that Tenable Web App Scanning can continually access to validate the authenticated session. |
| Pattern to Verify Active Session |
Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes are escaped and .* is not required at the beginning or end of the pattern. |
| Login Check Strategy |
How the scanner verifies it is still logged in while scanning. Choose between checking the response body for a known pattern, checking a specific header, or checking the HTTP response code. |
| Login Request Method |
The HTTP method (GET, POST, PUT, etc., or a full browser request) used when the scanner periodically checks your application to confirm the session is still valid. |

button.