Skip to content Skip to main navigation Skip to footer

Can’t perform authenticated website scan

Authenticated website scanner can fail due to several reasons

Fortunately, most can be solved by trying one of the other methods.

The Login authentication method with username and password has some limitations. In most cases, if Website Scanner cannot authenticate in your web application with the Username and Password method, the Cookie authentication and/or Header authentication methods will work.

1. Your website has a CAPTCHA code on the login

Cause: It is technically impossible for any tool/script to automatically login to your web application. By definition, a CAPTCHA-like system is designed to prove that a computer user is human. If the computer user is just a tool, then it cannot be able to perform the actions on the website.

CAPTCHA code login website scanner authentication

Solution: Remove the CAPTCHA code from the login page while performing the scan or use Cookie / Header authentication.

2. The target application has a 2FA authentication method

Cause: If your website uses a two-factor authentication method, such as Microsoft Authenticator app or Google Authenticator, it adds an extra layer of security to your basic login authentication system. This is hard to handle technically by an automated scanner.

Solution: try with Cookie / Header authentication methods.

3. Your website has the email and password located on two separate pages. 

Cause: our tool/script doesn’t cover this function.

Solution: try with Cookie / Header authentication methods. website scanner Cookie authentication method

4. The Cookies method authentication is successful but the scan fails

Cause: If your cookies are renewed very often (for example every 5 minutes) then the scan will fail. A website scan could take several hours to complete. If those cookies will no longer be valid after 5 minutes, the scanner will process valid requests just in the first 5 minutes.

Solution: If possible, increase the lifetime of the cookies in your target web application. Otherwise, try the Header authentication method. However, you should pay attention to the lifetime of the headers (which might include cookies and tokens).

5. The cookie size is larger than 5000 characters.

Solution: None. This is a limitation of the scanner.

More on how to perform an authenticated website scan:

Was This Article Helpful?


If you didn't find what you were looking for, browse the categories below or contact us now!

We'd really love to get you the answer you're looking for. If the article Can’t perform authenticated website scan doesn't contain the information you're seeking, please get in touch with us directly:

Contact us »