
Scan authenticated targets

This document is for:
Invicti Platform

Most web applications and websites require some form of authentication, either for the whole site or for specific areas of it. While some scanners can detect standard authentication forms and mechanisms, many custom web applications need a mechanism that repeats the exact steps a human user would take to log in.

Invicti Platform provides several options for scanning authenticated targets, including an automated mechanism that detects and handles standard login forms with the login data that you supply. In the case of more complex web applications, you can launch the Invicti Platform Login Sequence Recorder (LSR) and record a login sequence (*.lsr file) that is uploaded and saved with your target settings. If your web asset uses One-Time Passwords (OTP), these can be included in the automated login mechanism and recorded login sequence. Invicti also supports scanning web assets with OAuth 2.0 authentication flows.

This document outlines the main configuration steps required for Invicti Platform to scan an authenticated target. For full instructions, refer to the documents listed below.

Steps to scan an authenticated target

  1. Create a target. For detailed instructions, refer to Add a new target.
  2. Open the target in edit mode, and click Authentication.
  3. Specify the Authentication method. You can choose from the following:
     1. Simple form
     2. OAuth2
     3. Login sequence recorder
  4. Fill in the required fields for your chosen authentication mechanism, or record a login sequence. If your target uses OTP, also configure it for the automated login mechanism or the recorded login sequence. For detailed instructions, refer to the relevant documentation.
  5. Click Save target configuration to confirm. The target is updated, and the selected authentication method will be used the next time you run a scan.
  6. Click Scan and select Run scan with default or Run custom scan.
  7. Invicti queues the scan and starts scanning according to the schedule you specified in the scan options.

Scan results

The Scan Details page will display the progress and results of the scan. You can check the Site Structure tab on the Scan Details page to confirm that the authenticated areas of your target were scanned.

For more information, refer to Review scan results.
