Set Up HTTP Authentication

HTTP authentication is available for vulnerability scans using the VM application.

Create HTTP authentication records for scanning protected portions of web sites and devices like printers and routers that require HTTP protocol level authentication. (Note that this is not Form-based authentication.) By authenticating we can perform additional vulnerability tests that we couldn't do otherwise.

Which technologies are supported?

For the most current list of supported authentication technologies and the versions that have been certified for VM and PC by record type, please refer to the following article: 

Authentication Technologies Matrix

How do I get started?

- Go to Scans > Authentication.

- Go to New > Applications > HTTP, and create an HTTP record.

Record settings

What login credentials are required?

Tell us the username and password to use for authentication. Then specify the protected device or web page you want to authenticate against. You can specify a virtual host (an FQDN such as bank.qualys.com) or the name of a realm (such as My Homepage). You cannot enter a virtual host and realm in the same record.

Tell me about the Send authentication over SSL only option

Select the “Send authentication over SSL only” option if you only want to attempt authentication over SSL. In this case authentication is attempted only when the form is submitted via a link that uses https://...


How does it work?

During a vulnerability scan, if we come across a web page that requires HTTP authentication then we’ll check to see if an HTTP record exists in your account with applicable credentials. If a record exists, we’ll use the credentials in the record to perform HTTP authentication.
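Before creating a record, it helps to confirm that a target really issues an HTTP protocol level challenge and to read the realm it advertises. The Python below is an added example, not part of the product or of the original page: it parses the WWW-Authenticate header of constructed sample responses to show the virtual host and realm a record could use, and it models the "SSL only" option as an https-only check, which is an assumption based on the description above. The names parse_challenges and record_hint and the example.test hosts are hypothetical.

```python
import re
from urllib.parse import urlsplit

def parse_challenges(value):
    """Return [(scheme, realm_or_None), ...] from a WWW-Authenticate value."""
    found = []
    # Split on commas outside double quotes (a realm may contain a comma).
    for part in re.findall(r'(?:[^,"]|"[^"]*")+', value):
        part = part.strip()
        new = re.match(r'^([A-Za-z][\w-]*)(?:\s+(.*))?$', part, re.S)
        if new and not re.match(r'^[\w-]+\s*=', part):
            found.append([new.group(1), None])  # a scheme token starts a challenge
            part = new.group(2) or ''
        realm = re.match(r'^realm\s*=\s*"?([^"]*)"?$', part, re.I)
        if realm and found:
            found[-1][1] = realm.group(1)
    return [tuple(c) for c in found]

def record_hint(url, status, headers, ssl_only=True):
    """Summarise what an HTTP record for this response would need."""
    value = {k.lower(): v for k, v in headers.items()}.get('www-authenticate')
    if status != 401 or not value:
        # No protocol-level challenge, e.g. a form-based login page,
        # which an HTTP record does not cover.
        return {'http_auth': False}
    target, challenges = urlsplit(url), parse_challenges(value)
    return {
        'http_auth': True,
        'virtual_host': target.hostname,
        'schemes': [s for s, _ in challenges],
        'realms': [r for _, r in challenges if r],
        # Assumption: "SSL only" means no attempt on plain-http pages.
        'attempt': target.scheme == 'https' or not ssl_only,
    }

SAMPLES = [  # constructed responses, not captured from a real scan
    ('https://printer.example.test/admin', 401,
     {'WWW-Authenticate': 'Basic realm="Printers, Floor 2"'}),
    ('http://router.example.test/', 401,
     {'www-authenticate': 'Digest realm="My Homepage", nonce="c0ffee", qop="auth"'}),
    ('https://app.example.test/login', 200, {}),
]

if __name__ == '__main__':
    for url, status, headers in SAMPLES:
        print(url, record_hint(url, status, headers))
```

A record takes either a virtual host or a realm, not both, so use only one of the two values reported for a target.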

Where can I get details about HTTP authentication?

You can create vulnerability scan reports that include authentication status QIDs (Information Gathered). These QIDs report details about HTTP protocol level authentication: QID 86762 "Web Authentication Methods" and QID 105315 "Web Authentication Failed".
