Some web applications require authenticated access to the majority of their functionality. Authenticated scanning can be configured for HTML form authentication (such as login pages) and for server-based authentication (HTTP Basic, Digest, NTLM, or SSL client certificates). Form and server authentication may be combined. We monitor the session state to ensure an authenticated scan remains authenticated throughout the crawl.
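The session-state monitoring described above, as an added illustration that is not Qualys code: a minimal crawler that checks every response for a logged-in marker and re-authenticates through the form when the session has been dropped. FakeApp, its paths, credentials and the logout-link marker are constructed assumptions standing in for a real target.

```python
# Added example, not Qualys code. FakeApp is a constructed stand-in for a
# form-login web app whose sessions silently expire mid-crawl.
import secrets

class FakeApp:
    """Constructed target: login returns a session token that expires after
    MAX_HITS requests; an expired session gets the login form with HTTP 200."""
    MAX_HITS = 3

    def __init__(self, user="scanner", password="s3cret"):
        self.creds = (user, password)
        self.sessions = {}  # token -> requests remaining

    def post_login(self, user, password):
        if (user, password) != self.creds:
            return 401, "<form id='login'>bad credentials</form>", None
        token = secrets.token_hex(8)
        self.sessions[token] = self.MAX_HITS
        return 302, "", token

    def get(self, path, token=None):
        left = self.sessions.get(token, 0)
        if left <= 0:  # unknown or expired session: bounce to the login form
            self.sessions.pop(token, None)
            return 200, "<form id='login'>Please sign in</form>"
        self.sessions[token] = left - 1
        return 200, f"<a href='/logout'>Logout</a> page {path}"

def is_authenticated(status, body):
    # A logout link marks a logged-in page; the login form (even on HTTP 200) means the session was lost.
    return status == 200 and "/logout" in body and "id='login'" not in body

def authenticated_crawl(app, paths, user, password, max_relogins=5):
    """Visit every path, re-logging in whenever a response fails the check."""
    _, _, token = app.post_login(user, password)
    if token is None:
        raise RuntimeError("initial login failed")
    relogins, visited = 0, []
    for path in paths:
        status, body = app.get(path, token)
        if not is_authenticated(status, body):
            if relogins >= max_relogins:
                raise RuntimeError(f"session lost at {path}; re-login limit hit")
            relogins += 1
            _, _, token = app.post_login(user, password)
            status, body = app.get(path, token)
            if not is_authenticated(status, body):
                raise RuntimeError(f"still unauthenticated after re-login at {path}")
        visited.append(path)
    return {"visited": visited, "relogins": relogins}
```

A status-code-only check would have treated the HTTP 200 login form as a successful page, which is why the check looks at the page content.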
You may want to scan the same web application multiple times with different credentials, for example to compare what each set of credentials can reach. To do this, you can define multiple authentication records for the various privilege levels, such as "Anonymous", "User", and "Admin". For example, a "User" record may find 300 links and 10 vulnerabilities, whereas an "Anonymous" record may find only 100 links and no vulnerabilities.
These types of form authentication are supported:
- HTML form-based authentication (standard login)
- Custom form fields
- Selenium script uploaded from your file system
These types of server authentication are supported:
- HTTP Basic
- Digest
- NTLM
- SSL client certificates
Use Qualys Browser Recorder to create a Selenium script.