
Configuring and Verifying Form Authentication in Invicti Enterprise

This document is for:
Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

When using Invicti Enterprise to scan a web application that has a form-based login, you need to configure the credentials and verify the session. Session verification is important to confirm that the configuration is correct and to ensure that the scanner can differentiate between a logged-in and a logged-out session. This enables the scanner to identify a terminated session so that if it happens during a web vulnerability scan, the scanner can automatically log back in again, ensuring all password-protected pages are scanned.

TIP: You can integrate Invicti Enterprise with a Privileged Access Management solution so that you do not have to enter sensitive credentials to scan the web application. For more information, refer to Integrating Invicti Enterprise with HashiCorp Vault and Integrating Invicti Enterprise with CyberArk Vault.

How to verify Form Authentication

  1. Log in to Invicti Enterprise.
  2. From the main menu, select Scans > New Scan.
  3. Select a Target URL and Scan Profile.
  4. From the Options section, select Form (under Authentication).
  5. Select the Form Authentication checkbox.
  6. In the Login Form URL field, enter the URL of the login form whose credentials you want to configure, including the protocol (HTTP or HTTPS).
  7. If required, select the Override Target URL with authenticated page checkbox. This setting makes the scanner use the last page from the authentication process as the start URL, instead of the Target URL.
  8. If required, select the Detect Bearer Authorization Token checkbox. If there is an AJAX request after the login is performed, Bearer Authentication Tokens will be intercepted and used during the scan.
  9. If required, click Token Matching Rules. This enables you to enter a token regular expression if Invicti Enterprise is required to get the token from a website other than the Target URL. Configure this option only if you want Invicti Enterprise to capture the token from one website and then use the same token for different websites.
  10. If required, select the Enable enhanced authentication event logging checkbox. This setting allows Invicti to collect enhanced logs for diagnostic purposes that will help troubleshoot authentication issues if they occur.
  11. In the Personas section, click New Persona. Then, enter a Username and Password for the login form.

TIP: You can specify multiple sets of credentials and select the Active option next to the credentials Invicti Enterprise should use during the upcoming scan.

  12. If required, select the ellipsis in the OTP field to configure One-Time-Password settings. For further instructions, refer to the Configuring Form Authentication using an OTP section of this article.
  13. Select Verify Login & Logout so the scanner can test the login and determine a pattern to use to automatically detect logged-in and logged-out sessions.

NOTE: If automatic authentication does not work for your website, you can click Custom Script and enter a JavaScript script that will be used to authenticate against the web application. For more information, refer to Custom Scripts for Form Authentication.

Configuring Form Authentication using an OTP

Invicti Enterprise supports form authentication using a One-Time-Password (OTP). If you provide the secret key used for this type of two-factor authentication, Invicti can generate and fill in the OTP automatically so that it can access and scan all sections of the target website.

Two OTP types are supported:

  • Time-based (TOTP)
  • HMAC-based (HOTP)

NOTE: In Form Authentication settings, every persona has its own OTP settings. OTP settings open with default values. In OTP Settings, if you paste a copied otpauth link, the settings are changed automatically based on that link.

How to configure Form Authentication using an OTP

  1. Log in to Invicti Enterprise.
  2. From the main menu, select Scans > New Scan.
  3. Select a Target URL and Scan Profile.
  4. From the Options section, select Form (under Authentication).
  5. Select the Form Authentication checkbox.
  6. In the Login Form URL field, enter the URL of the login form whose credentials you want to configure, including the protocol (HTTP or HTTPS).
  7. In the Personas section, click New Persona. Then, enter a Username and Password for the login form.
  8. In the OTP column, click the ellipsis for the relevant persona. The OTP Settings screen opens.
  9. Select the OTP Type:
     • TOTP is a temporary passcode generated by an algorithm that uses the current time as one of its authentication factors.
     • HOTP is a passcode generated from a hash-based message authentication code (HMAC).
  10. In the Secret Key field, enter the secret key that is used to generate the OTP and is provided by the target website.
  11. In the Digit field, select the number of digits in the OTP.
  12. In the Period field, enter the time (in seconds) after which an OTP is regenerated.
  13. Select an Algorithm option (the HMAC hash function used to generate the OTP).
  14. Click Generate OTP. If successful, an OTP is displayed along with the message 'OTP generated successfully.'
  15. Select OK to save this OTP for the selected persona.
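The OTP Type, Secret Key, Digit, Period and Algorithm settings above map directly onto the standard HOTP (RFC 4226) and TOTP (RFC 6238) algorithms. The following is an added example, not Invicti's own code, that generates an OTP from those same parameters and pre-fills them from an otpauth link the way the note above describes. It assumes the secret key is base32-encoded, as otpauth links conventionally carry it; the link in the `__main__` block is constructed and uses the public RFC test-vector secret, not a real credential.

```python
# Added example (not Invicti's code): generate the OTP that the OTP Settings
# dialog describes from the same parameters it exposes (type, secret key,
# digits, period, algorithm), and pre-fill those parameters from an otpauth://
# link. HOTP follows RFC 4226, TOTP follows RFC 6238. Assumption: the secret
# key is base32-encoded, as otpauth links conventionally carry it.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri: str) -> dict:
    """Turn otpauth://totp/LABEL?secret=...&digits=...&period=...&algorithm=...
    (or otpauth://hotp/...&counter=...) into a settings dict, applying the
    usual defaults (6 digits, 30-second period, SHA1) for missing parameters."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc not in ("totp", "hotp"):
        raise ValueError("not a TOTP/HOTP otpauth link")
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in query:
        raise ValueError("otpauth link carries no secret")
    settings = {
        "type": parsed.netloc,
        "label": unquote(parsed.path.lstrip("/")),
        "secret": query["secret"],
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
        "algorithm": query.get("algorithm", "SHA1").upper(),
    }
    if settings["type"] == "hotp":
        settings["counter"] = int(query.get("counter", 0))
    return settings


def _decode_secret(secret: str) -> bytes:
    """Base32-decode a secret key, tolerating lower case, spaces and missing '=' padding."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: str, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC(key, 8-byte big-endian counter), dynamic truncation, modulo 10^digits."""
    digestmod = getattr(hashlib, algorithm.lower())  # sha1, sha256 or sha512
    mac = hmac.new(_decode_secret(secret), struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: str, digits: int = 6, period: int = 30,
         algorithm: str = "SHA1", at: Optional[float] = None) -> str:
    """RFC 6238: HOTP whose counter is the number of `period`-second steps since the Unix epoch."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // period), digits, algorithm)


def generate_otp(settings: dict, at: Optional[float] = None) -> str:
    """What the dialog's Generate OTP button does for one persona's settings."""
    if settings["type"] == "totp":
        return totp(settings["secret"], settings["digits"], settings["period"],
                    settings["algorithm"], at)
    return hotp(settings["secret"], settings["counter"], settings["digits"], settings["algorithm"])


if __name__ == "__main__":
    # Constructed link using the RFC 4226/6238 test-vector secret
    # ("12345678901234567890" in base32), not a real credential.
    link = ("otpauth://totp/Example:alice%40example.com"
            "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
            "&digits=8&period=30&algorithm=SHA1")
    settings = parse_otpauth(link)
    print(settings)
    print("TOTP at t=59:", generate_otp(settings, at=59))  # RFC 6238 vector: 94287082
    print("TOTP now:    ", generate_otp(settings))
```

A mismatch in any one of these parameters (wrong period, wrong digit count, wrong hash) yields a code that is well-formed but rejected by the site, which is why the dialog's Generate OTP step is worth checking against the code the site's own authenticator app shows before starting the scan.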

What happens during verification

During the session verification process, the Verify Form Authentication window is displayed, showing the progress of the test.

During verification, the following occurs:

  1. On the left, the scanner logs in to the web application using the supplied credentials and displays a logged-in session.
  2. On the right, the scanner displays how the web application looks when not logged in. It also displays the Logout Detection pattern.

Once the test is ready, it is important that you:

  1. Confirm that both logged-in and logged-out sessions look as expected.
  2. Confirm that the logout detection pattern is correct since this will be used by the scanner to identify a terminated session and log back in to continue the scan.

For more information, refer to Logout Detection.
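The two confirmations above come down to one property: the logout detection pattern must match the logged-out view and must not match the logged-in view. The following is an added example, not Invicti's own logout-detection implementation, that derives such a pattern from a pair of constructed sample pages, checks that property, and then applies the pattern to later responses to notice a terminated session. The HTML pages and the `/login` and `/logout` paths in them are constructed sample input.

```python
# Added example (not Invicti's code): the logic behind the two things the
# Verify Form Authentication window asks you to confirm. From one response
# captured while logged in and one captured while logged out, derive a logout
# detection pattern (text that appears only when logged out), prove it
# separates the two states, and then use it to notice a terminated session.
# The HTML below is constructed sample input, not output from any real site.
import re
from typing import List, Optional

LOGGED_IN_PAGE = """<html><body>
<nav>Welcome, alice <a href="/logout">Logout</a></nav>
<h1>Dashboard</h1><p>Your recent orders</p>
</body></html>"""

LOGGED_OUT_PAGE = """<html><body>
<h1>Please sign in</h1>
<form action="/login" method="post">
<input name="username"><input name="password" type="password">
<button>Sign in</button></form>
</body></html>"""


def text_nodes(html: str) -> List[str]:
    """Visible text between tags, trimmed, with empty nodes dropped."""
    return [t.strip() for t in re.split(r"<[^>]+>", html) if t.strip()]


def derive_logout_pattern(logged_in_html: str, logged_out_html: str) -> Optional[str]:
    """Pick the longest text node present in the logged-out page but absent
    from the logged-in page. Comparison is case-insensitive so 'Sign in' and
    'sign in' count as the same phrase. Returns None if nothing distinguishes
    the two pages, which is itself a verification failure."""
    seen_logged_in = {t.lower() for t in text_nodes(logged_in_html)}
    candidates = [t for t in text_nodes(logged_out_html) if t.lower() not in seen_logged_in]
    return max(candidates, key=len) if candidates else None


def matches(pattern: str, html: str) -> bool:
    """Literal, case-insensitive match of the pattern anywhere in the response body."""
    return re.search(re.escape(pattern), html, re.IGNORECASE) is not None


def pattern_is_valid(pattern: str, logged_in_html: str, logged_out_html: str) -> bool:
    """The check you make when the verification window finishes: the pattern
    must fire on the logged-out view and stay silent on the logged-in view."""
    return matches(pattern, logged_out_html) and not matches(pattern, logged_in_html)


def session_terminated(response_html: str, pattern: str) -> bool:
    """Applied to each response during a scan: True means the session was
    lost and the scanner must log in again before continuing."""
    return matches(pattern, response_html)


if __name__ == "__main__":
    pattern = derive_logout_pattern(LOGGED_IN_PAGE, LOGGED_OUT_PAGE)
    print("derived logout pattern:", repr(pattern))
    print("pattern valid:", pattern_is_valid(pattern, LOGGED_IN_PAGE, LOGGED_OUT_PAGE))
    # A response seen mid-scan after the server expired the session.
    expired = "<html><body><h1>Please sign in</h1><p>Your session has expired.</p></body></html>"
    print("session terminated on expired page:", session_terminated(expired, pattern))
    print("session terminated on dashboard:", session_terminated(LOGGED_IN_PAGE, pattern))
```

The `pattern_is_valid` check is the one to pay attention to when reviewing the verification result: a pattern such as "Logout" looks plausible but matches the logged-in view, so it would make the scanner think every authenticated page is a terminated session and re-login endlessly, while a pattern that matches neither view would let a real session loss go unnoticed and leave password-protected pages unscanned.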
