Use authentication to discover and validate vulnerabilities by performing more in-depth assessment of your web applications.
Some web applications require authenticated access to the majority of their functionality. Authenticated scanning can be configured for HTML forms like login pages and server-based authentication (HTTP Basic, Digest, NTLM, or SSL client certificates). Form and server authentication may be combined. We monitor the session state to ensure an authenticated scan remains authenticated throughout the crawl.
You may want to scan the same web application several times with different credentials, and to tell those scans apart afterwards. To do this, define a separate authentication record for each privilege level, such as "Anonymous", "User" and "Admin". For example, a "User" record may find 300 links and 10 vulnerabilities, whereas an "Anonymous" record may find only 100 links and no vulnerabilities.
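The two ideas above (keeping a scan authenticated by watching session state, and comparing what different privilege-level records reach) in a small added example. This is not Qualys code: the web app is a constructed in-memory stub whose sessions expire after a few requests, and the credentials, paths and login-page marker are assumed values.

```python
import re
from collections import deque
LOGIN_MARKER = '<form id="login">'   # assumed signature of the login page
CREDS = ("scanner", "s3cret")        # constructed scanner credentials
# Constructed site map: path -> (requires authentication, outgoing links)
SITE = {
    "/": (False, ["/about", "/home"]),
    "/about": (False, []),
    "/home": (True, ["/account", "/orders"]),
    "/account": (True, ["/orders"]),
    "/orders": (True, []),
}

class StubApp:
    """In-memory stand-in for a web app whose sessions expire after a few requests."""
    def __init__(self, session_ttl=2):
        self.session_ttl, self.sessions = session_ttl, {}

    def login(self, user, password):
        if (user, password) != CREDS:
            return None
        cookie = f"sid{len(self.sessions) + 1}"
        self.sessions[cookie] = self.session_ttl   # requests left before expiry
        return cookie

    def get(self, path, cookie=None):
        needs_auth, links = SITE[path]
        if needs_auth:
            if self.sessions.get(cookie, 0) <= 0:
                return LOGIN_MARKER                # app bounced us to the login page
            self.sessions[cookie] -= 1
        return "".join(f'<a href="{link}">' for link in links)

def crawl(app, record=None, start="/"):
    """Crawl with an optional (user, password) record; report pages reached and re-logins."""
    cookie = app.login(*record) if record else None
    visited, queue, relogins = set(), deque([start]), 0
    while queue:
        path = queue.popleft()
        if path in visited:
            continue
        body = app.get(path, cookie)
        if LOGIN_MARKER in body and record:        # session lost: log in again, retry
            cookie, relogins = app.login(*record), relogins + 1
            body = app.get(path, cookie)
        if LOGIN_MARKER in body:                   # still unauthenticated: skip it
            continue
        visited.add(path)
        queue.extend(re.findall(r'href="([^"]+)"', body))
    return {"pages": sorted(visited), "relogins": relogins}
```

Run `crawl(StubApp(), CREDS)` and `crawl(StubApp())` to see the "User" record reach every page (re-authenticating once when the session expires) while the anonymous crawl stops at the public pages.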
We support both form and server authentication. These types of form authentication are supported:
- HTML form-based authentication (standard login)
- Custom form fields. If your forms include fields other than login and password (such as a customer ID), you can use custom form fields.
- Selenium script uploaded from your file system.
These types of server authentication are supported: Basic, Digest and NTLM.
Selenium scripts can be uploaded to web application settings and to authentication records. Uploaded scripts are replayed during web application scanning. For example:
- We can replay recorded steps to scan a web application that requires complex workflows, such as selecting user input combinations that require certain knowledge and/or user interaction.
- We can replay recorded steps, like clicking a series of buttons or filling out forms.
- We can replay recorded steps to complete login and authentication requirements.
Use Qualys Browser Recorder to create Selenium scripts.
Applying tags to an authentication record makes it available to other users. Users with a tag in their scope that matches a tag applied to an authentication record will be able to choose that record for web applications.
Manager users have full rights to manage authentication records. For other users, their assigned roles and permissions determine whether they have WAS Authentication Record permissions (i.e. create, update, delete). To see a user's assigned roles, go to the Administration utility (select it from the application picker) and view or edit the user of interest.