The authenticated Website Scanner can fail if you are not using the authentication method that fits your target's login flow.
Each of our authentication options has corner cases in which it cannot complete the login. Because each method suits certain scenarios, if Website Scanner cannot authenticate to your web application with one of the available methods, one of the others will work. The following methods are available:
- Automatic – Username and Password
- Recorded – Selenium
- Session Cookies
Each of these methods may fail for the reasons below. Fortunately, most of them can be solved by switching to one of the other methods.
1. Your website has a CAPTCHA on the login page
Cause: It is technically impossible for any tool or script to log in to your web application automatically. By definition, a CAPTCHA-like system is designed to prove that the user is human; if the user is an automated tool, it cannot perform the required actions on the website.
Solution: Remove the CAPTCHA from the login page while the scan runs, or use Cookie / Header authentication. Make sure you remain logged in to the target application for the whole duration of the scan.
2. The target application uses two-factor authentication (2FA)
Cause: If your website uses a second authentication factor, such as the Microsoft Authenticator or Google Authenticator app, it adds an extra layer of security on top of the basic username and password login. This is technically hard for an automated scanner to handle.
Solution: Try the Cookie / Header authentication methods. Make sure you remain logged in to the target application for the whole duration of the scan.
3. Your website asks for the email and the password on two separate pages
Cause: The Automatic (username and password) method does not handle this login flow.
Solution: Try the Recorded / Cookie / Header authentication methods.
4. Cookie authentication succeeds but the scan fails
Cause: If your cookies are renewed very often (for example every 5 minutes), the scan will fail. A website scan can take several hours to complete; if the cookies are no longer valid after 5 minutes, only the requests sent in the first 5 minutes are authenticated.
Solution: If possible, increase the cookie lifetime in your target web application. Otherwise, try the Header authentication method, but pay attention to the lifetime of the headers as well, since they may include cookies and tokens that expire.
5. The cookie is larger than 5000 characters
Solution: None. This is a limitation of the scanner.
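A pre-flight check for points 4 and 5, added here as an example and not part of the scanner or this article: it parses the Set-Cookie headers returned by a login, decodes the expiry of a bearer token, reports anything that expires before an assumed 3-hour scan, and flags a Cookie header over the 5000-character limit. The login response, the scan length and the JWT are constructed for the demo.

```python
import base64
import json
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie
COOKIE_LIMIT = 5000  # scanner limit quoted in the article (characters)
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed scan start time
SCAN_DURATION = timedelta(hours=3)  # assumed length of the scan

def cookie_lifetime(morsel, now):
    """Remaining lifetime of one Set-Cookie; None means a browser-session cookie."""
    if morsel["max-age"]:
        return timedelta(seconds=int(morsel["max-age"]))
    if morsel["expires"]:
        return parsedate_to_datetime(morsel["expires"]) - now
    return None

def jwt_lifetime(token, now):
    """Remaining lifetime from a JWT 'exp' claim; the payload is decoded, not verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return datetime.fromtimestamp(claims["exp"], tz=timezone.utc) - now

def preflight(set_cookie_headers, bearer_token, scan_duration, now):
    """Return the problems that would make a Cookie/Header authenticated scan fail."""
    problems = []
    jar = SimpleCookie()
    for header in set_cookie_headers:
        jar.load(header)
    for name, morsel in jar.items():
        life = cookie_lifetime(morsel, now)
        if life is not None and life < scan_duration:
            problems.append(f"cookie {name} expires in {life}, scan needs {scan_duration}")
    cookie_header = "; ".join(f"{n}={m.value}" for n, m in jar.items())
    if len(cookie_header) > COOKIE_LIMIT:
        problems.append(f"Cookie header is {len(cookie_header)} chars, limit is {COOKIE_LIMIT}")
    if bearer_token and jwt_lifetime(bearer_token, now) < scan_duration:
        problems.append("bearer token expires before the scan would finish")
    return problems

def make_demo_jwt(exp):  # constructed demo token with a placeholder signature, not signed
    def b64(o): return base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'HS256'})}.{b64({'exp': int(exp.timestamp())})}.placeholder"

def demo():  # constructed login: 5-minute session, 2-day CSRF cookie, oversized cookie, 30-minute token
    set_cookies = ["sessionid=abc123; Max-Age=300; Path=/; HttpOnly; Secure",
                   "csrftoken=xyz; Expires=Wed, 03 Jan 2024 12:00:00 GMT; Path=/",
                   "prefs=" + "x" * 5000 + "; Path=/"]
    return preflight(set_cookies, make_demo_jwt(NOW + timedelta(minutes=30)), SCAN_DURATION, NOW)
```

Run `demo()` to see the three findings for the constructed login; on a real target, feed it the Set-Cookie headers and token from your own login response.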