Web Application Authentication

Before you begin:

In a Tenable Web App Scanning scan, you can configure one of the following Authentication methods in the dropdown list in the Settings section of your Add Authentication Type:

For an overview of authentication in Tenable Web App Scanning, see the following video:

Tip: If the log in process causes any headers or cookies to be set, the scanner should notice this and include those in subsequent requests. If this is not happening as you expect, use selenium authentication and record the log in process into a .side file, then use that in the scan. If you are still experiencing issues, contact your Tenable representative for support.

General

Option Action
Username Type the username Tenable Web App Scanning uses to authenticate to the web application-based server.
Password Type the password Tenable Web App Scanning uses to authenticate to the web application-based server.

Login Form Authentication

Option Action
Authentication Method In the drop-down box, select Login Form.
Login Page Type the URL of the login page for the web application you want to scan.
Credentials

For each field in the target's login form (that is, username, password, and domain, etc.) complete a credential entry as follows:

  1. In the left-hand dropdown box, select Text (default) or Password.

    Note: Password values are hidden after saving. You need to re-enter the value to make changes

  2. In the middle text box, type the value of the login field's name or id HTML DOM attribute.
  3. In the right-hand text box in the row, type the literal value to insert in that text field at login.

A typical configuration example:

Tip: To see a text field's name or id HTML DOM attribute, right-click on the text field and select "Inspect" in either your Firefox or Chrome browser.

Tip: If you perform an uncredentialed Overview scan, plugin 98033 (Login Form Detected) may automatically detect and display the required login boxes in the plugin output.

Pattern to Verify Successful Authentication

Type a word, phrase, or regular expression that appears on the website only if the authentication is successful (for example, Welcome, your username!). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.

Page to Verify Active Session

Type the URL that Tenable Web App Scanning can continually access to validate the authenticated session.

Pattern to Verify Active Session

Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes are escaped and .* is not required at the beginning or end of the pattern.

Cookie Authentication

Option Action
Authentication Method In the drop-down box, select Cookie Authentication.
Session Cookies

Do the following:

  1. In the first text box, type the name of the cookie authentication credentials.
  2. In the second text box, type the value of the cookie authentication credentials.
Page to Verify Active Session

Type the URL that Tenable Web App Scanning can continually access to validate the authenticated session.

Pattern to Verify Active Session

Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes are escaped and .* is not required at the beginning or end of the pattern.

Selenium Authentication

Option Action
Authentication Method Select Selenium Authentication.

Selenium Script (.side)

Do the following:

  1. In the Selenium IDE extension, record your authentication credentials in the Selenium IDE extension.

    Note: The Tenable-provided Selenium extension is no longer supported. The Edge and Firefox extensions provided by Selenium directly are supported. Selenium-provided packages running outside of browsers are also supported.
  2. Click Add File.

    The file manager for your operating system appears.

  3. Navigate to and select your Selenium credentials .side file.

    Tenable Web App Scanning imports the credentials file.

Page to Verify Active Session

Type the URL that Tenable Web App Scanning can continually access to validate the authenticated session.

Pattern to Verify Active Session

Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes are escaped and .* is not required at the beginning or end of the pattern.

API Key Authentication

Option Action
Authentication Method Select API Key.

Headers

Do the following:

  1. In the first text box, type the name of the HTTP header.

  2. In the second text box, type the value of the HTTP header.

  3. (Optional) Add additional headers by clicking the Add button.

Page to Verify Active Session

Type the URL that Tenable Web App Scanning can continually access to validate the authenticated session.

Pattern to Verify Active Session

Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes are escaped and .* is not required at the beginning or end of the pattern.

Bearer Authentication

Option Action
Authentication Method Select Bearer Authentication.

Bearer Token

Type the value of the bearer token.

Note: Bearer Token authentication can be used when a static bearer token is used. If the token is granted as part of a different login process consider Selenium, Login Form, or OAuth credential types.

Page to Verify Active Session

Type the URL that Tenable Web App Scanning can continually access to validate the authenticated session.

Pattern to Verify Active Session

Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes are escaped and .* is not required at the beginning or end of the pattern.

OAuth Authentication

OAuth Authentication contains three flow type options for your application needs: Authorization Code, Client Credentials, and Device Code.

Authorization Code

Use this flow when your application requires interactive login through your OAuth provider's browser-based login page. The scanner redirects to your identity provider, you authenticate, and the provider returns an authorization code that the scanner exchanges for access tokens. If your login page requires multi-step interaction (such as MFA prompts or custom form fields), you can provide a Selenium script to automate it. If your provider supports PKCE, enable it for additional security.

Option Action
Client ID The public identifier issued to your application when it was registered with your OAuth provider. Can be referred to as the scanner's "username" — it tells the provider which application is making the request.
Client Secret The confidential password paired with the Client ID. Used to prove the scanner's identification when exchanging codes for tokens.
Authentication URL The provider's login and authorization page where you are sent to enter credentials and approve the scanner's access. This is the page you see when logging in via that authentication provider.
Redirect URL The URL the OAuth provider sends you back to after they successfully authorize the scanner. It carries the authorization code that the scanner exchanges for an access token. Must match exactly what is registered with the provider. Do not include any query parameters.
Username Type the username Tenable Web App Scanning uses to authenticate to the web application-based server.
Password

Type the password Tenable Web App Scanning uses to authenticate to the web application-based server.

Selenium Script (optional)

Do the following:

  1. In the Selenium IDE extension, record your authentication credentials in the Selenium IDE extension.

    Note: The Tenable-provided Selenium extension is no longer supported. The Edge and Firefox extensions provided by Selenium directly are supported. Selenium-provided packages running outside of browsers are also supported.
  2. Click Add File.

    The file manager for your operating system appears.

  3. Navigate to and select your Selenium credentials .side file.

    Tenable Web App Scanning imports the credentials file.

PKCE (Proof Key for Code Exchange)

By default, disabled. An extra security layer for the Authorization Code flow. The scanner generates a one-time secret and proves possession of it during the token exchange, preventing anyone who intercepts the authorization code from using it. Enable only if enabled by the authorization provider.

Client Scope

The list of permissions the scanner is requesting (for example, read, openid, profile). Scopes determine what the issued access token is allowed to do once the scanner uses it against your application.

Token URL

The provider's endpoint where the scanner trades an authorization code, device code, or client credentials for an actual access token.

Page to Verify Active Session

Type the URL that Tenable Web App Scanning can continually access to validate the authenticated session.

Pattern to Verify Active Session

Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes are escaped and .* is not required at the beginning or end of the pattern.

Login Check Strategy

How the scanner verifies it is still logged in while scanning. Choose between checking the response body for a known pattern, checking a specific header, or checking the HTTP response code.

Login Request Method

The HTTP method (GET, POST, PUT, etc., or a full browser request) used when the scanner periodically checks your application to confirm the session is still valid.

Client Credentials Code

Use this flow when your application exposes API endpoints that authenticate using a client ID and secret, with no user login involved. The scanner presents credentials directly to the OAuth token endpoint and receives an access token without browser interaction or a user session. This flow is the appropriate choice for machine-to-machine or service account scenarios with no user in the authentication path.

Option Action
Client ID The public identifier issued to your application when it was registered with your OAuth provider. Can be referred to as the scanner's "username" — it tells the provider which application is making the request.
Client Secret The confidential password paired with the Client ID. Used to prove the scanner's identification when exchanging codes for tokens.
Client Scope The list of permissions the scanner is requesting (for example, read, openid, profile). Scopes determine what the issued access token is allowed to do once the scanner uses it against your application.
Token URL The provider's endpoint where the scanner trades an authorization code, device code, or client credentials for an actual access token.
Page to Verify Active Session

Type the URL that Tenable Web App Scanning can continually access to validate the authenticated session.

Pattern to Verify Active Session

Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes are escaped and .* is not required at the beginning or end of the pattern.

Login Check Strategy How the scanner verifies it is still logged in while scanning. Choose between checking the response body for a known pattern, checking a specific header, or checking the HTTP response code.
Login Request Method

The HTTP method (GET, POST, PUT, etc., or a full browser request) used when the scanner periodically checks your application to confirm the session is still valid.

Device Code

Use this flow when your application follows the OAuth device authorization pattern, where a device or headless client displays a code and waits for authorization on a separate device. The scanner uses a Selenium script to handle the authorization user interface. Use the $DEVICE_CODE variable in your script to pass the device code value into the appropriate form field. Choose this flow if your application's OAuth login is designed for devices that cannot open a browser.

Option Action
Client ID The public identifier issued to your application when it was registered with your OAuth provider. Can be referred to as the scanner's "username" — it tells the provider which application is making the request.
Client Secret (Optional) The confidential password paired with the Client ID. Used to prove the scanner's identification when exchanging codes for tokens.
Device Code URL The OAuth provider's endpoint that issues a short user code for the device-code flow.
Username

Type the username Tenable Web App Scanning uses to authenticate to the web application-based server.

Password

Type the password Tenable Web App Scanning uses to authenticate to the web application-based server.

Selenium Script (optional)

Do the following:

  1. In the Selenium IDE extension, record your authentication credentials in the Selenium IDE extension.

    Note: The Tenable-provided Selenium extension is no longer supported. The Edge and Firefox extensions provided by Selenium directly are supported. Selenium-provided packages running outside of browsers are also supported.
  2. Click Add File.

    The file manager for your operating system appears.

  3. Navigate to and select your Selenium credentials .side file.

    Tenable Web App Scanning imports the credentials file.

Note: You must substitute $DEVICE_CODE for the literal code value.
Client Scope The list of permissions the scanner is requesting (for example, read, openid, profile). Scopes determine what the issued access token is allowed to do once the scanner uses it against your application.
Token URL The provider's endpoint where the scanner trades an authorization code, device code, or client credentials for an actual access token.
Page to Verify Active Session

Type the URL that Tenable Web App Scanning can continually access to validate the authenticated session.

Pattern to Verify Active Session

Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes are escaped and .* is not required at the beginning or end of the pattern.

Login Check Strategy

How the scanner verifies it is still logged in while scanning. Choose between checking the response body for a known pattern, checking a specific header, or checking the HTTP response code.

Login Request Method

The HTTP method (GET, POST, PUT, etc., or a full browser request) used when the scanner periodically checks your application to confirm the session is still valid.