Skip to content Skip to main navigation Skip to footer

Can’t perform authenticated website scan

Authenticated website scanner can fail if you are not using the right method for your specific target login method.

Our authentication options have specific corner cases where they are not able to perform the authentication. Because each method is best used in certain scenarios, if Website Scanner cannot authenticate in your web application with one of the available methods, one of the others will work. The following methods are available:

  • Automatic – Username and Password
  • Recorded – Selenium
  • Session Cookies
  • Headers

Each of the above methods may fail due to the following reasons. Fortunately, most can be solved by trying one of the other methods.

1. Your website has a CAPTCHA code on the login

Cause: It is technically impossible for any tool/script to automatically login to your web application. By definition, a CAPTCHA-like system is designed to prove that a computer user is human. If the computer user is just a tool, then it cannot be able to perform the actions on the website.

CAPTCHA code login website scanner authentication

Solution: Remove the CAPTCHA code from the login page while performing the scan or use Cookie / Header authentication. Make sure you remain logged in to the target application for the whole duration of the scan.

2. The target application has a 2FA authentication method

Cause: If your website uses a two-factor authentication method, such as Microsoft Authenticator app or Google Authenticator, it adds an extra layer of security to your basic login authentication system. This is hard to handle technically by an automated scanner.

Solution: try with Cookie / Header authentication methods. Make sure you remain logged in to the target application for the whole duration of the scan.

3. Your website has the email and password located on two separate pages. 

Cause: the automatic tool/script doesn’t cover this function.

Solution: try with Recorded / Cookie / Header authentication methods.

Authenticated Scan - Cookies Login

4. The Cookies method authentication is successful but the scan fails

Cause: If your cookies are renewed very often (for example every 5 minutes) then the scan will fail. A website scan could take several hours to complete. If those cookies will no longer be valid after 5 minutes, the scanner will process valid requests just in the first 5 minutes.

Solution: If possible, increase the lifetime of the cookies in your target web application. Otherwise, try the Header authentication method. However, you should pay attention to the lifetime of the headers (which might include cookies and tokens).

Solution: None. This is a limitation of the scanner.

More on how to perform an authenticated website scan:

Was This Article Helpful?


If you didn't find what you were looking for, browse the categories below or contact us now!

We'd really love to get you the answer you're looking for. If the article Can’t perform authenticated website scan doesn't contain the information you're seeking, please get in touch with us directly:

Contact us »