Authentication record settings

Define an authentication record for scanning web applications. You can define multiple sets of credentials.

Name

Provide a name for the authentication record. You can enter a maximum of 256 characters.

Owner

Initially, the user who creates the authentication record is the owner by default. You can edit the record after it is saved and select another user in your subscription as the owner.

Tags

Apply tags to the authentication record. Choose a tag from the menu provided. Repeat to add more tags. Users who have one or more of the applied tags in their scope will have access to this authentication record.

Form Record

Type

Select the form authentication type:

Standard Login - if you want to enter one set of credentials for standard login form authentication.

Custom - if you want to enter other fields (example: customerID) apart from standard login credentials then use custom form authentication.

Send authentication over SSL only (Standard Login and Custom only) - if you want our service to attempt authentication only when the form being authenticated to will be sent over SSL. When selected, authentication is attempted only when the form is submitted via a link that uses SSL (link URI https://...).

Selenium Script - if you want our service to attempt authentication using a Selenium IDE script. You must upload a valid Selenium script. Click Choose File to upload a script from your local file system, or drag and drop the file into the Import File window. Use Qualys Browser Recorder to create a Selenium script. To learn more about Qualys Browser Recorder, refer to the online help.

Parameterization of Username and Password in Selenium Script - You can quickly update the username and password for a login form in the authentication record itself. We support parameters for username and password in the Selenium script. Just add @@authusername@@ and @@authpassword@@ in the Selenium script and then upload it in the Qualys WAS authentication record.

After you upload the Selenium script, select the "Add credentials to Selenium Script" check box and provide the username and password. During the scan, we will replace @@authusername@@ and @@authpassword@@ with this username and password. See "Authentication - The Basics" in the Online Help.
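As an added illustration (not part of the Qualys documentation), the following Python resolves the URL a login form submits to, the way a browser would, and applies the "Send authentication over SSL only" rule to it. It assumes the rule is evaluated against that resolved submit URL; the page URLs and form actions below are constructed, and the two edge cases worth knowing are protocol-relative actions (//host/...), which inherit the page's scheme, and an absolute http:// action on an https:// page, which silently downgrades.

```python
from urllib.parse import urljoin, urlparse

# Constructed samples: (URL of the page hosting the login form, the form's
# action attribute as written in the HTML). Illustrative values only.
SAMPLE_FORMS = [
    ("https://app.example.test/login", "/session"),
    ("https://app.example.test/login", "//app.example.test/session"),
    ("https://app.example.test/login", "http://app.example.test/session"),
    ("http://app.example.test/login", "https://app.example.test/session"),
    ("http://app.example.test/login", "/session"),
]


def resolve_form_target(page_url: str, action: str) -> str:
    """Resolve a form's action the way a browser does: relative paths and
    protocol-relative (//host/...) actions inherit from the page URL, and an
    empty action submits back to the page itself."""
    return urljoin(page_url, action) if action else page_url


def submits_over_ssl(page_url: str, action: str) -> bool:
    """True when the credentials would travel to an https:// endpoint."""
    return urlparse(resolve_form_target(page_url, action)).scheme == "https"


def should_attempt_authentication(page_url: str, action: str, ssl_only: bool) -> bool:
    """The SSL-only rule: with the option set, credentials are submitted only
    when the resolved submit URL uses https; otherwise always attempt."""
    if not ssl_only:
        return True
    return submits_over_ssl(page_url, action)


if __name__ == "__main__":
    for page, action in SAMPLE_FORMS:
        target = resolve_form_target(page, action)
        print(f"{page:34} action={action:34} -> {target}  ssl={submits_over_ssl(page, action)}")
```

The third sample is the case the option exists for: the page itself is served over https, but the form posts to a plain http URL, so with the option enabled no credentials are sent.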

Standard Login

Enter the user name for authentication.

Enter the password for authentication and enter it again to confirm.

Custom

Add fields. 1) Click Add Field to add a form field with the Name and Value elements. 2) Click Add Masked Field to add a masked field with the Name and Value elements. For a masked form field, the characters you enter for Value and Confirm Value are masked.

Selenium Script

After successful upload, click View next to the script name to view the script contents. You'll notice sensitive contents are masked by default. Click Display to view the sensitive contents.

What is a valid script? Our service considers a Selenium script file as valid when: a) the file is an HTML file saved from Qualys Browser Recorder, b) the file contains at least one command, and c) the file contains an absolute path to each form requiring authentication.
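The validity rules above and the @@authusername@@ / @@authpassword@@ parameterization described under Type can both be exercised offline. The Python below is an added example, not Qualys code: it parses the Selenium IDE HTML table format (one table row per command, with command, target and value cells), checks that at least one command is present and that every "open" target is an absolute URL (our reading of "absolute path to each form"), and substitutes the credential parameters the way the scanner does at scan time. The sample script is constructed.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the Selenium IDE HTML table format (one <tr> per
# command, with command / target / value cells). Illustrative only.
SAMPLE_SCRIPT = """<html><body>
<table cellpadding="1" cellspacing="1" border="1">
<thead><tr><td rowspan="1" colspan="3">login</td></tr></thead>
<tbody>
<tr><td>open</td><td>https://app.example.test/login</td><td></td></tr>
<tr><td>type</td><td>id=username</td><td>@@authusername@@</td></tr>
<tr><td>type</td><td>id=password</td><td>@@authpassword@@</td></tr>
<tr><td>clickAndWait</td><td>id=submit</td><td></td></tr>
</tbody></table>
</body></html>"""

USERNAME_PARAM = "@@authusername@@"
PASSWORD_PARAM = "@@authpassword@@"


class _SeleniumTableParser(HTMLParser):
    """Collect (command, target, value) triples from the <tbody> rows."""

    def __init__(self):
        super().__init__()
        self.commands = []
        self._in_tbody = False
        self._row = None   # cells of the row being read, None outside a row
        self._cell = None  # text fragments of the cell being read

    def handle_starttag(self, tag, attrs):
        if tag == "tbody":
            self._in_tbody = True
        elif tag == "tr" and self._in_tbody:
            self._row = []
        elif tag == "td" and self._row is not None:
            self._cell = []

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)

    def handle_endtag(self, tag):
        if tag == "td" and self._row is not None and self._cell is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            if len(self._row) == 3:
                self.commands.append(tuple(self._row))
            self._row = None
        elif tag == "tbody":
            self._in_tbody = False


def parse_commands(script_html):
    parser = _SeleniumTableParser()
    parser.feed(script_html)
    return parser.commands


def validate_script(script_html):
    """Return the problems found; an empty list means the script passes the
    checks the page describes: at least one command, and every 'open' target
    an absolute http(s) URL (our interpretation of 'absolute path')."""
    problems = []
    commands = parse_commands(script_html)
    if not commands:
        problems.append("no commands found")
    for command, target, _value in commands:
        if command == "open":
            parts = urlparse(target)
            if parts.scheme not in ("http", "https") or not parts.netloc:
                problems.append(f"open target is not an absolute URL: {target!r}")
    return problems


def uses_credential_parameters(script_html):
    """True when both placeholders are present, so the record's username and
    password are substituted rather than hard-coded in the uploaded file."""
    return USERNAME_PARAM in script_html and PASSWORD_PARAM in script_html


def fill_credentials(script_html, username, password):
    """Substitute the placeholders as the scanner does when 'Add credentials
    to Selenium Script' is selected. Values are HTML-escaped here because
    they land inside table cells (our choice, not documented behaviour)."""
    return (script_html
            .replace(USERNAME_PARAM, html.escape(username, quote=False))
            .replace(PASSWORD_PARAM, html.escape(password, quote=False)))


if __name__ == "__main__":
    print("commands:", parse_commands(SAMPLE_SCRIPT))
    print("problems:", validate_script(SAMPLE_SCRIPT) or "none")
    print("parameterized:", uses_credential_parameters(SAMPLE_SCRIPT))
```

Keeping the placeholders in the uploaded file, and the real values only in the authentication record, is what lets the script be shared and viewed without exposing the password, which is also why the View action masks sensitive contents by default.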

How do I verify authentication was successful using the script? We recommend that you configure an option profile with a small number of links to crawl and that includes QIDs 150094 and 150095, to confirm authentication is working before launching a more extensive scan. One of these information gathered QIDs appears in the scan results as long as the QID is included in the selected option profile: QID 150094 appears if authentication was successful, and QID 150095 appears if authentication failed.

Validation Regular Expression

(required) Enter a valid regular expression to be used by our service to verify authentication was successful at the end of the script. The regular expression must match a pattern on a page that is not accessible to an unauthenticated user. A good choice may be a "logout" link that is displayed only when the user has successfully authenticated. You can enter a maximum of 1024 characters.

All regular expressions are in PCRE format.

No bounding delimiters are necessary; the entire string is treated as the regex. This means that syntax like /foo/ or #foo# is not required: the / or # characters familiar from Perl or Python delimit the regex for those languages, and we don't need those delimiters.

Only standard PCRE metacharacters need to be escaped. Examples:

\s -- whitespace character (space, tab, or new line)

\w -- word character

\\ -- match a literal backslash; a backslash also escapes a metacharacter so that it matches a literal character

\. -- match a literal dot rather than any character

\? -- match a literal question mark rather than interpreting it as a 0 or 1 quantifier.

Admin -- match the word Admin anywhere

.* -- match anything 0 or more times

a+ -- match the letter 'a' one or more times

successful\slogin -- match "successful login" separated by a space, tab, or new line

^response$ -- match the word response, with anchors to the beginning and end of the input.
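To see why the choice of validation regular expression matters, here is an added Python example (not from the Qualys documentation) that runs candidate expressions against two constructed response bodies: the page an authenticated user sees and the page an anonymous visitor gets. Python's re module accepts the PCRE subset shown above. The example assumes the service matches the expression anywhere in the response with default (non-multiline) anchoring, so ^ and $ refer to the start and end of the whole body.

```python
import re

# Constructed response bodies: the page a logged-in user sees, and the page
# an anonymous visitor gets instead. Illustrative only.
AUTHENTICATED_PAGE = """<html><body>
<h1>Welcome back, alice</h1>
<p>Successful login at 09:14</p>
<a href="/logout">Log out</a>
</body></html>"""

ANONYMOUS_PAGE = """<html><body>
<h1>Welcome to the portal</h1>
<form action="/login" method="post">...</form>
</body></html>"""


def compile_validation_regex(pattern):
    """The whole string is the expression: no /.../ or #...# delimiters are
    stripped or expected, so the value is compiled exactly as entered."""
    return re.compile(pattern)


def authentication_succeeded(pattern, response_body):
    """The check performed at the end of the script: does the validation
    regex match anywhere in the response? (Default, non-multiline anchoring
    is assumed, so ^ and $ refer to the whole body.)"""
    return compile_validation_regex(pattern).search(response_body) is not None


def judge_pattern(pattern, authenticated_body, anonymous_body):
    """Rate a candidate validation regex against both pages. It must match
    the authenticated page and must not match the page an unauthenticated
    user can reach; otherwise the scan reports the wrong outcome."""
    hits_auth = authentication_succeeded(pattern, authenticated_body)
    hits_anon = authentication_succeeded(pattern, anonymous_body)
    if hits_auth and not hits_anon:
        return "ok"
    if hits_auth and hits_anon:
        return "too broad: also matches the unauthenticated page"
    return "does not match the authenticated page"


CANDIDATES = [
    r'href="/logout"',      # logout link: only present after login
    r"Successful\slogin",   # \s matches the single space between the words
    r"successful\slogin",   # case-sensitive: fails against 'Successful'
    r"Welcome",             # appears on both pages
    r"^<html>",             # anchored to the start of the whole body: both pages
    r"^Welcome",            # ^ is not a line start here, so it never matches
]

if __name__ == "__main__":
    for candidate in CANDIDATES:
        verdict = judge_pattern(candidate, AUTHENTICATED_PAGE, ANONYMOUS_PAGE)
        print(f"{candidate:22} {verdict}")
```

Run it against copies of your own application's pages (one fetched with a valid session, one without) before saving the record; a pattern that is "too broad" would make QID 150094 appear even when the login failed.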

Server Records

Record Information

Send authentication over SSL only - Select if you want our service to attempt authentication only when the form being authenticated to will be sent over SSL. When selected, authentication is attempted only when the form is submitted via a link that uses SSL (link URI https://...).

This site requires a client certificate - Select this option if the web application requires a client certificate. Click Choose File to upload a certificate from your local file system, or drag and drop the file into the Import File window. Upon successful upload, click View to view the certificate contents.

Passphrase - If required, enter and confirm a passphrase for the certificate.

Credentials

Add Basic Record - Select to add a Basic record. Then enter the realm and login credentials in the fields provided. The realm is a name associated with the protected area of the web application. It corresponds to the AuthName setting in a .htaccess file for Apache servers, and to the Realm value set for IIS servers.

Add Digest Record - Select to add a Digest record. Then enter the realm and login credentials in the fields provided. The realm is a name associated with the protected area of the web application. It corresponds to the AuthName setting in a .htaccess file for Apache servers, and to the Realm value set for IIS servers.

Add NTLM Record - Select to add an NTLM record. Then enter login credentials in the fields provided.

Realm (optional) - For NTLM server authentication, enter the Windows domain name containing the credentials supplied in User Name/Password. For HTTP Basic server authentication, enter the protected realm name. You can enter a maximum of 128 characters.

Username - Enter a username for authentication. You can enter a maximum of 128 characters.

Password - Enter a password for authentication.
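Which of the three server record types to create, and what to put in the Realm field, can be read straight from the WWW-Authenticate header of the 401 response the protected area returns. As an added example (not Qualys code), the Python below parses that header, including the ambiguous case where several challenges and several parameters share one comma-separated value, and maps each challenge to a record type and realm. The header values are constructed; the Apache one is what an .htaccess with AuthName "Restricted Area" produces.

```python
import re

# Constructed WWW-Authenticate header values as a 401 response might carry
# them. The Apache one corresponds to AuthName "Restricted Area" in .htaccess.
SAMPLE_CHALLENGES = {
    "apache_basic": 'Basic realm="Restricted Area"',
    "digest": ('Digest realm="api@example.test", qop="auth", '
               'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
               'opaque="5ccc069c403ebaf9f0171e9517f40e41"'),
    "iis_ntlm": "NTLM",
    "iis_multiple": 'Negotiate, NTLM, Basic realm="corp"',
}

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_KV = re.compile(rf'^({_TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({_TOKEN}))$')
_SCHEME = re.compile(rf"^({_TOKEN})(?:\s+(.*))?$")


def _split_top_level_commas(value):
    """Split on commas that are not inside a quoted-string."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\" and quoted:
            buf.append(ch)
            escaped = True
        elif ch == '"':
            quoted = not quoted
            buf.append(ch)
        elif ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def _param(match):
    """(name, value) from a _KV match, unescaping quoted-pairs in quoted strings."""
    name = match.group(1).lower()
    if match.group(2) is not None:
        return name, re.sub(r"\\(.)", r"\1", match.group(2))
    return name, match.group(3)


def parse_www_authenticate(header_value):
    """Return one {'scheme': ..., 'params': {...}} dict per challenge. A piece
    that looks like name=value continues the current challenge; anything else
    starts a new one, which is the usual way to resolve the grammar's ambiguity."""
    challenges = []
    for piece in _split_top_level_commas(header_value):
        kv = _KV.match(piece)
        if kv and challenges:
            name, val = _param(kv)
            challenges[-1]["params"][name] = val
            continue
        m = _SCHEME.match(piece)
        if not m:
            raise ValueError(f"cannot parse challenge: {piece!r}")
        challenge = {"scheme": m.group(1), "params": {}}
        challenges.append(challenge)
        if m.group(2):
            kv = _KV.match(m.group(2))
            if kv:
                name, val = _param(kv)
                challenge["params"][name] = val
            else:
                challenge["token68"] = m.group(2)  # e.g. a bare NTLM/Negotiate blob
    return challenges


def suggest_records(header_value):
    """Map each challenge to a record type on this page as (type, realm).
    For NTLM the Realm field is the Windows domain, which the header does not
    carry, so it is None; schemes with no record type here are skipped."""
    suggestions = []
    for ch in parse_www_authenticate(header_value):
        scheme = ch["scheme"].lower()
        if scheme in ("basic", "digest"):
            suggestions.append((scheme.capitalize(), ch["params"].get("realm")))
        elif scheme == "ntlm":
            suggestions.append(("NTLM", None))
    return suggestions


if __name__ == "__main__":
    for label, value in SAMPLE_CHALLENGES.items():
        print(f"{label:13} {suggest_records(value)}")
```

The last sample shows a typical IIS configuration that offers Negotiate, NTLM and Basic at once: only the NTLM and Basic challenges have a matching record type here, and the realm "corp" belongs to the Basic challenge, not to NTLM.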

Comments

Enter comments to be saved with the authentication record for future reference. You can enter a maximum 2048 characters.

OAuth2 Record

Type

We support four authentication types or grant types for creating an OAuth2 record: 1) Authorization Code, 2) Implicit, 3) Client Credentials, 4) Resource Owner Password Credentials.

Selecting the "Authorization Code" or "Implicit" grant type requires you to upload a valid Selenium script. We will prompt you to upload the Selenium script when you select either grant type. Click Choose File to upload a script from your local file system, or drag and drop the file into the Import File window. Use Qualys Browser Recorder to create a Selenium script. To learn more about Qualys Browser Recorder, refer to the WAS Online Help.

We support parameters for username and password in the Selenium script. You can quickly update the username and password in the authentication record itself. Just add @@authusername@@ and @@authpassword@@ in the Selenium script and then upload it in the Qualys WAS authentication record. After uploading the Selenium script, select the "Add credentials to Selenium Script" check box and enter the username and password. During the scan, we will replace @@authusername@@ and @@authpassword@@ with this username and password. See "Authentication - The Basics" in the Online Help.

Selenium Script

After successful upload, click View next to the script name to view the script contents. You'll notice sensitive contents are masked by default. Click Display to view the sensitive contents.

What is a valid script? Our service considers a Selenium script file as valid when: a) the file is an HTML file saved from Qualys Browser Recorder, b) the file contains at least one command, and c) the file contains an absolute path to each form requiring authentication.

How do I verify authentication was successful using the script? We recommend that you configure an option profile with a small number of links to crawl and that includes QIDs 150094 and 150095, to confirm authentication is working before launching a more extensive scan. One of these information gathered QIDs appears in the scan results as long as the QID is included in the selected option profile: QID 150094 appears if authentication was successful, and QID 150095 appears if authentication failed.

Authorization Code Configuration

Enter the OAuth2 authentication credentials. Required fields are: Redirect URL and Access token URL.

Implicit Configuration

Enter the OAuth2 Implicit configuration. Required field is Redirect URL. Scope, Client ID, Client Secret, and Access token expired message pattern are optional fields.

Client Credentials Configuration

Enter the OAuth2 Client Credentials. Required field is Access token URL. Scope, Client ID, and Client Secret are optional fields.

Resource Owner Password Credentials

Enter the OAuth2 Resource Owner Password Credentials. Required fields are: Access token URL, User Name, and Password. Scope, Client ID, Client Secret, and Access token expired message pattern are optional fields.
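The two grant types that need no browser flow, Client Credentials and Resource Owner Password Credentials, are plain POSTs to the Access token URL, which is why that URL is the one field both require. The Python below is an added example, not Qualys code: it builds the token request for each of these grants in the shape RFC 6749 defines (sections 4.4 and 4.3), enforces the required fields listed above, sends Client ID and Client Secret as HTTP Basic when both are given, and shows how the optional "Access token expired message pattern" is applied to a response. That the scanner sends exactly this shape is our assumption; the expired-token response body is constructed.

```python
import re
from base64 import b64encode
from urllib.parse import urlencode

# Grant type names as they appear on this page. The request shapes follow
# RFC 6749 sections 4.3 (password) and 4.4 (client credentials); that the
# scanner sends exactly these is our assumption.
CLIENT_CREDENTIALS = "Client Credentials"
RESOURCE_OWNER_PASSWORD = "Resource Owner Password Credentials"


def build_token_request(grant_type, access_token_url=None, scope=None,
                        client_id=None, client_secret=None,
                        username=None, password=None):
    """Return (url, headers, body) for a direct token request, or raise
    ValueError when a field the page marks as required is missing."""
    if not access_token_url:
        raise ValueError("Access token URL is required")
    if grant_type == CLIENT_CREDENTIALS:
        params = {"grant_type": "client_credentials"}
    elif grant_type == RESOURCE_OWNER_PASSWORD:
        if not username or not password:
            raise ValueError("User Name and Password are required")
        params = {"grant_type": "password", "username": username, "password": password}
    else:
        # Authorization Code and Implicit run through the browser (the
        # Selenium script), not through a direct POST like this one.
        raise ValueError(f"{grant_type!r} is not a direct token request")
    if scope:
        params["scope"] = scope
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_id and client_secret:
        # Confidential client: RFC 6749 2.3.1 sends client_id:client_secret
        # as HTTP Basic rather than in the body.
        credentials = b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {credentials}"
    elif client_id:
        params["client_id"] = client_id  # public client identifies itself in the body
    return access_token_url, headers, urlencode(params)


def access_token_expired(response_body, expired_pattern):
    """'Access token expired message pattern': a regex that, when it matches
    a response during the scan, signals that a fresh token must be obtained.
    An empty pattern means the check is disabled."""
    if not expired_pattern:
        return False
    return re.search(expired_pattern, response_body) is not None


# Constructed API response a resource server might return for a stale token.
SAMPLE_EXPIRED_BODY = '{"error":"invalid_token","error_description":"The access token expired"}'
SAMPLE_EXPIRED_PATTERN = r"invalid_token|token expired"

if __name__ == "__main__":
    url, headers, body = build_token_request(
        CLIENT_CREDENTIALS, "https://auth.example.test/token",
        scope="read", client_id="cid", client_secret="sec")
    print(url, headers, body, sep="\n")
    print("expired:", access_token_expired(SAMPLE_EXPIRED_BODY, SAMPLE_EXPIRED_PATTERN))
```

Because the Resource Owner Password grant carries the user's password in the request body, restrict it to test accounts and make sure the Access token URL is https; the expired-message pattern should be specific enough (an error code rather than a single common word) that ordinary application responses do not trigger needless token refreshes.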

Authentication records

Select authentication records

Choose one or more authentication records from the drop-down or click Create to configure a new record. When you've chosen a record, you'll notice links that enable you to edit or view the record settings.