Use authentication to discover and validate vulnerabilities by performing more in-depth assessment of your web applications.
Some web applications require authenticated access to the majority of their functionality. Authenticated scanning can be configured for HTML forms like login pages and server-based authentication (HTTP Basic, Digest, NTLM, or SSL client certificates). We monitor the session state to ensure an authenticated scan remains authenticated throughout the crawl.
We also support OAuth2 for Swagger/Open API file authentication. OAuth2 authentication supports these four grant types : Authorization Code, Implicit, Client Credentials, and Resource Owner Password Credentials. You can either combine form and server authentication or OAuth2 and server authentication for an authenticated scan.
You may want to scan the same web application multiple times with different credentials. For example, it may be necessary to distinguish scans that were executed with different credentials. To do this, you can define multiple records to address various privilege levels like "Anonymous", "User", "Admin". For example a "User" record may find 300 links and 10 vulnerabilities, whereas an "Anonymous" record may find only 100 links and no vulnerabilities.
We support both form/OAuth2 and server authentication. When creating an authentication record, you can specify either a form record or an OAuth2 record (used for the Swagger/Open API file authentication). Note that while updating an authentication record, set the form record type as NONE if you want to set an OAuth2 record instead of a form record. Set OAuth2 record grant type to NONE if you want to set a form record instead of an OAuth2 record.
These types of form authentication are supported:
- HTML form-based authentication (standard login)
- Custom form fields. If your forms include more fields (such as customer ID) other than login and password, you can use custom form fields. Learn more
- Selenium script uploaded from your file system.
These Grant Types are supported for OAuth2: 1) Authorization Code, 2) Implicit, 3) Client Credentials, and 4) Resource Owner Password Credentials.
These types of server authentication are supported: Basic, Digest and NTLM.
To avoid undesired effects and potential impact on data, we recommend to use the credentials with read-only access to applications.
We support the use of Selenium scripts when uploaded to web application settings and authentication records. Uploaded scripts are replayed during web application scanning. For example:
- We can replay recorded steps to scan a web application that requires complex workflows, such as selecting user input combinations that require certain knowledge and/or user interaction.
- We can replay recorded steps, like clicking a series of buttons or filling out forms.
- We can replay recorded steps to complete login and authentication requirements.
Use Qualys Browser Recorder to create a Selenium scripts.
We allow you to parameterize the username and password used in the login form so that you do not have to manually edit the script whenever the login form's username and password is changed. This simplifies managing the username and password.
Applying tags to an authentication record makes it available to other users. Users with a tag in their scope that matches a tag applied to an authentication record will be able choose that record for web applications.
Manager users have full rights to manage authentication records. For other users their assigned roles and permissions determine whether they have WAS Authentication Record Permissions (i.e. create, update, delete). To see a user's assigned roles, go to the Administration utility (select from the application picker) and view/edit the user of interest.