
Authenticated Scanning

Many web application vulnerabilities exist in authenticated areas — admin panels, user dashboards, account settings, and data management interfaces. To test these areas, the scanner needs to authenticate with your application and maintain a valid session throughout the scan.

Application Scanning supports several authentication methods to handle different login mechanisms.

Authentication Methods

Basic Access Authentication

HTTP Basic Authentication is the simplest method. The scanner sends credentials with each request using the standard HTTP Authorization header.

When to use: Staging environments protected by Basic Auth, applications that use HTTP-level authentication.

Setup:

  1. Open your scan profile
  2. Navigate to Authentication
  3. Select Basic Access Authentication
  4. Enter the username and password
  5. Save the profile

The scanner includes these credentials in every request to the target application.

Recorded Login

Recorded Login captures your actual login sequence so the scanner can replay it to authenticate. This handles custom login forms, multi-step login flows, and applications with non-standard authentication mechanisms.

When to use: Applications with HTML login forms, custom SSO flows, or any login process that can be performed in a browser.

See Recorded Login for detailed setup instructions.

Recorded Crawling

Recorded Crawling goes beyond authentication by recording specific navigation paths through your application. The scanner replays these paths to reach areas that might not be discoverable through automated crawling alone.

When to use: Applications with complex navigation that the automated crawler cannot traverse, or when you need to guide the scanner to specific functionality.

Setup:

  1. Open your scan profile
  2. Navigate to Authentication
  3. Select Recorded Crawling
  4. Follow the recording flow to navigate through your application
  5. The recording captures both the login sequence and your navigation path
  6. Save the profile

Choosing the Right Method

Method               Best For                                Complexity
Basic Access Auth    HTTP-level auth, staging environments   Low
Recorded Login       Custom login forms, standard web apps   Medium
Recorded Crawling    Complex apps, guided testing            Medium-High

For most web applications with a standard login form, Recorded Login is the recommended approach. It handles the majority of login flows while being straightforward to set up.

Session Maintenance

During a scan, the scanner monitors its authentication state. If it detects that the session has expired (for example, by being redirected to the login page), it re-authenticates using the configured method and continues scanning.

Tips for Reliable Authenticated Scanning

  • Use a dedicated test account: Create a test user account specifically for scanning. This avoids conflicts with real user sessions and ensures the account is always available.
  • Avoid accounts with MFA: Multi-factor authentication cannot be replayed by the scanner. Use an account that bypasses MFA or configure MFA exceptions for the scanner’s sessions.
  • Exclude logout paths: Add your application’s logout URL to the scan profile’s exclusion list to prevent the scanner from logging itself out.
  • Set appropriate session timeouts: If your application has very short session timeouts, the scanner may spend excessive time re-authenticating. Consider extending the timeout for the test account if possible.
  • Avoid CAPTCHA on the test account: CAPTCHAs prevent automated login. Disable CAPTCHAs for the test account or create a bypass for the scanner’s IP addresses.
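The session-maintenance behaviour described above (re-authenticate when a request is redirected to the login page) and the logout-exclusion tip are easiest to see in code. The following is an added example written for this page, not the product's own scanner code: a minimal authenticated fetch loop run against a constructed in-memory target app whose sessions expire after a fixed number of requests. The paths, the test-account credentials and the session lifetime are all assumptions.

```python
import itertools
from collections import namedtuple
from urllib.parse import urlparse

LOGIN_PATH, LOGOUT_PATH = "/login", "/logout"  # hypothetical paths of the target app
Response = namedtuple("Response", "status location body", defaults=("", ""))

class FakeApp:
    """Constructed stand-in for the target: a session is valid for `ttl` requests."""
    def __init__(self, ttl=3):
        self.ttl, self.sessions, self._ids = ttl, {}, itertools.count(1)
    def login(self, user, pw):
        if (user, pw) != ("scanner", "s3cret"):  # constructed dedicated test account
            return Response(401)
        tok = f"sess{next(self._ids)}"
        self.sessions[tok] = self.ttl
        return Response(200, body=tok)
    def get(self, path, token):
        if path == LOGOUT_PATH:                   # visiting logout kills the session
            self.sessions.pop(token, None)
        if self.sessions.get(token, 0) <= 0:      # unknown or expired: bounce to login
            return Response(302, location=LOGIN_PATH)
        self.sessions[token] -= 1
        return Response(200, body=f"private content of {path}")
class AuthenticatedScanner:
    def __init__(self, app, user, pw, exclude):
        self.app, self.user, self.pw, self.exclude = app, user, pw, set(exclude)
        self.token, self.logins = None, 0
    def _login(self):
        r = self.app.login(self.user, self.pw)
        if r.status != 200:
            raise RuntimeError("authentication failed: check credentials, MFA and CAPTCHA")
        self.token, self.logins = r.body, self.logins + 1
    def _logged_out(self, r):
        # Expiry signal described on this page: a redirect whose target is the login page
        return r.status in (301, 302, 303) and urlparse(r.location).path == LOGIN_PATH
    def fetch(self, path):
        if path in self.exclude:                  # excluded URLs are never requested
            return None
        if self.token is None:
            self._login()
        r = self.app.get(path, self.token)
        if self._logged_out(r):                   # re-authenticate once, then retry
            self._login()
            r = self.app.get(path, self.token)
        return r

def crawl(paths, ttl=3, exclude=(LOGOUT_PATH,)):
    s = AuthenticatedScanner(FakeApp(ttl), "scanner", "s3cret", exclude)
    return {p: s.fetch(p) for p in paths}, s.logins
```

Running `crawl` with the default exclusion logs in twice across six paths; running it with `exclude=()` shows the cost of an unexcluded logout URL, an extra login and a logout page that is never fetched successfully.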

Verifying Authentication Works

After configuring authentication, run a test scan and check:

  1. The crawl map shows pages behind the login (dashboards, settings, user-specific content)
  2. Findings include vulnerabilities in authenticated areas
  3. The scan log does not show repeated authentication failures

If the scanner is not reaching authenticated pages, review your authentication configuration and check the Troubleshooting guide.
