
How to perform Automatic Authentication with Website Scanner

The Automatic Authentication method lets the scanner perform an authenticated scan using a valid username and password for the target application.

Compatibility

For this kind of authentication to work, the login form must be initialized as soon as the website is loaded. If a loading screen is shown before the login form is initialized, this method is not compatible with your website.

The form should be a simple one consisting ONLY of the following three elements:

  1. Username field 
  2. Password field
  3. Submit button / Login button.

How to set it up

You can configure it by choosing the Automatic tab in the Website Scanner configuration modal.

The automated method allows you to authenticate using a username and a password.

You will have to provide the following details:

  • The login URL of the application (for example http://bank.pentest-ground.com/private-dev/signin.php). This is usually different from the target URL and must be the page that contains the login form.
  • The correct username and password

At this point, you can test whether the authentication works by pressing the Check Authentication button, or start the scan directly. Check Authentication does not initiate the scanning process; it only shows a screenshot from the browser, whether the login succeeded or failed.

Here is a sample configuration of the “Automatic” option:

Login form completed.

If the login is successful, a pop-up with the landing page of the target application will be displayed. Otherwise, you will see an error message.

Authentication failed

Troubleshooting

If you encounter any errors when clicking Check Authentication, or you notice an authentication error message when you start the scan, verify the following:

  • The username and password are correct;
  • The target is reachable at the moment;
  • The path to the authentication form is valid.

Any of the following scenarios is incompatible with the Automatic authentication method, and you should use an alternative method:

1. Your website has a CAPTCHA code on the login

Cause: it is technically impossible for any tool or script to log in to your web application automatically. By definition, a CAPTCHA-like system is designed to prove that the user is human; if the user is a tool, it will not be able to perform the required actions on the website.


Solution: remove the CAPTCHA from the login page while performing the scan, or use Cookie / Header authentication. Make sure you remain logged in to the target application for the whole duration of the scan.

2. The target application has a 2FA authentication method

Cause: if your website uses a two-factor authentication method, such as the Microsoft Authenticator app or Google Authenticator, it adds an extra layer of security on top of your basic login authentication. This is technically hard for an automated scanner to handle.

Solution: try the Cookie / Header authentication methods. Make sure you remain logged in to the target application for the whole duration of the scan.

3. Your website asks for the email and the password on two separate pages.

Cause: the automatic login script does not cover this case.

Solution: try the Recorded / Cookie / Header authentication methods.
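As an added example (not the scanner's own code and not part of the original article), the following preflight check parses a login page's HTML and reports whether its form meets the three-element requirement above or falls into one of the incompatible cases: a CAPTCHA widget, extra fields such as a 2FA code, credentials split across two pages, or no form present in the initial HTML. The CAPTCHA markers, the decision to ignore hidden inputs such as CSRF tokens, and the sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
CAPTCHA_MARKERS = ("captcha", "g-recaptcha", "h-captcha")  # assumed markers of a CAPTCHA widget

class FormCollector(HTMLParser):
    """Collect each <form> on the page with the user-visible controls it contains."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "form":
            self._current = {"controls": [], "captcha": False}
            self.forms.append(self._current)
        if self._current is None:
            return
        self._current["captcha"] |= any(m in " ".join(a.values()) for m in CAPTCHA_MARKERS)
        # Hidden inputs (CSRF tokens etc.) are not user-filled, so they are ignored (assumption).
        if tag == "input" and a.get("type", "text") != "hidden":
            self._current["controls"].append(a.get("type", "text"))
        elif tag == "button":
            self._current["controls"].append(a.get("type", "submit"))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def classify_login_form(html):
    """Return 'compatible', or the reason the Automatic method will not work on this page."""
    parser = FormCollector()
    parser.feed(html)
    if not parser.forms:
        return "no-form"        # form absent from the initial HTML (e.g. built after a loading screen)
    for form in parser.forms:
        controls = form["controls"]
        if "password" not in controls:
            continue            # not a credential form
        if form["captcha"]:
            return "captcha"
        users = [c for c in controls if c in ("text", "email")]
        if len(controls) == 3 and len(users) == 1 and controls.count("submit") == 1:
            return "compatible"
        return "extra-fields"   # e.g. a 2FA code field next to username and password
    return "no-password-field"  # username-only step: credentials split across two pages

SAMPLES = {  # constructed sample login pages, one per outcome
    "simple": '<form action="/signin.php"><input type="hidden" name="csrf"><input name="user"><input type="password" name="pass"><button>Sign in</button></form>',
    "captcha": '<form><input name="user"><input type="password" name="pass"><div class="g-recaptcha" data-sitekey="k"></div><input type="submit"></form>',
    "split": '<form><input type="email" name="email"><button type="submit">Next</button></form>',
    "otp": '<form><input name="u"><input type="password" name="p"><input name="otp"><input type="submit"></form>',
}
```

Run it against the HTML of your own login URL; a result other than "compatible" points at the matching scenario above and the alternative method to use.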

Authenticated Scan - Cookies Login

To conclude, if your login form is not a simple form as described above, you should try one of the other methods: Recorded, Cookie or Header authentication.

You can also check out our video on authentication.
