Configuring scan authentication on target Web applications

Scanning Web applications at a granular level of detail is especially important, since publicly accessible Internet hosts are attractive targets for attack. By giving the scan inside access with authentication, you can inspect Web assets for critical vulnerabilities such as SQL injection and cross-site scripting.

Two authentication methods are available for Web applications:

In some cases, it may not be possible to use a form. For example, a form may use a CAPTCHA test or a similar challenge that is designed to prevent logons by computer programs. Or, a form may use JavaScript, which is not supported for security reasons. If these circumstances apply to your Web application, you may be able to authenticate the application with the following method.

The authentication method you use depends on the Web server and authentication application you are using. It may involve some trial and error to determine which method works better. It is advisable to consult the developer of the Web site before using this feature.

Note: For HTTP servers that challenge users with Basic authentication or Integrated Windows authentication (NTLM), configure a set of scan credentials using the service called Web Site HTTP Authentication. To use this service, select Add Credentials and then Account in the Authentication tab of the site configuration. See Configuring site-specific scan credentials.
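Before choosing between form-based credentials and the Web Site HTTP Authentication service, it helps to look at how the target actually challenges for a login. The following Python script is an added example, not part of this product's documentation or code: it classifies a captured HTTP response (sample responses are constructed inline) as an HTTP challenge (Basic, NTLM or Negotiate), an HTML login form, or neither, and handles the multi-challenge and parameterised WWW-Authenticate forms that a naive split on commas gets wrong.

```python
import re
from html.parser import HTMLParser

# Challenge schemes covered by the Web Site HTTP Authentication credential type.
HTTP_AUTH_SCHEMES = {"basic": "Basic", "ntlm": "NTLM",
                     "negotiate": "Integrated Windows (Negotiate)"}

def parse_www_authenticate(value):
    """Return the scheme names from a WWW-Authenticate header value.
    Servers may send several challenges in one header ("Negotiate, NTLM"),
    and a challenge may carry comma-separated parameters, so only split on a
    comma that is followed by a bare scheme token (not a name=value pair)."""
    schemes = []
    for challenge in re.split(r",\s*(?=[A-Za-z][\w-]*(?:\s|$|,))", value):
        parts = challenge.strip().split(None, 1)
        if parts:
            schemes.append(parts[0])
    return schemes

class _LoginFormFinder(HTMLParser):
    """Records whether the page contains a <form> with a password field."""
    def __init__(self):
        super().__init__()
        self.in_form = False
        self.has_login_form = False
    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.in_form = True
        elif tag == "input" and self.in_form:
            if (dict(attrs).get("type") or "").lower() == "password":
                self.has_login_form = True
    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False

def classify_auth(status, headers, body=""):
    """Map a captured response (status, lowercase header dict, body) to the
    credential type to configure: HTTP challenge, HTML form, or neither."""
    if status == 401:
        schemes = parse_www_authenticate(headers.get("www-authenticate", ""))
        known = [HTTP_AUTH_SCHEMES[s.lower()] for s in schemes
                 if s.lower() in HTTP_AUTH_SCHEMES]
        return ("http_auth", known) if known else ("unsupported_http_auth", schemes)
    finder = _LoginFormFinder()
    finder.feed(body)
    return ("form", []) if finder.has_login_form else ("none_detected", [])

if __name__ == "__main__":
    # Constructed sample responses, not captured from a real host.
    print(classify_auth(401, {"www-authenticate": "Negotiate, NTLM"}))
    print(classify_auth(200, {}, '<form><input type="password" name="p"></form>'))
```

A result of `http_auth` points to the Web Site HTTP Authentication service described in the note above; `form` points to form-based credentials, subject to the CAPTCHA and JavaScript limitations described earlier.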