Some web applications require authenticated access to the majority of their functionality. Authenticated scanning can be configured for HTML forms like login pages and server-based authentication (HTTP Basic, Digest, NTLM, or SSL client certificates). We monitor the session state to ensure an authenticated scan remains authenticated throughout the crawl.
We also support OAuth2 for Swagger/Open API file authentication. You can either combine form and server authentication or OAuth2 and server authentication for an authenticated scan. Note that while updating an authentication record, set the form record type as NONE if you want to set an OAuth2 record instead of a form record. Set OAuth2 record grant type to NONE if you want to set a form record instead of an OAuth2 record.
You may want to scan the same web application multiple times with different credentials. For example, it may be necessary to distinguish scans that were executed with different credentials. To do this, you can define multiple records to address various privilege levels like "Anonymous", "User", "Admin". For example a "User" record may find 300 links and 10 vulnerabilities, whereas an "Anonymous" record may find only 100 links and no vulnerabilities.
These types of form authentication are supported:
- HTML form-based authentication (standard login)
- Custom form fields (Learn more)
- Selenium script uploaded from your file system
These grant types are supported:
- Authorization Code
- Client Credentials
- Resource Owner Password Credentials
These types of server authentication are supported:
Use Qualys Browser Recorder to create a Selenium script. Create Selenium scripts