Authentication Profiles

This document is for:
Invicti Standard, Invicti Enterprise On-Premises, Invicti Enterprise On-Demand

You can save a custom script for form authentication in Invicti and use it many times for different websites.

Invicti automates the authentication when it matches the URL at the beginning of the crawling process.

So, you do not have to configure form authentication for websites utilizing the same authentication procedure. The authentication profile also works for Single Sign-On (SSO) providers such as Microsoft and Google.

If you configured a form authentication and saved an authentication profile at the same time, Invicti prioritizes the form authentication.

Please note that, for demonstration purposes, we will add a Microsoft SSO and scan a website requiring a Microsoft SSO.

Configuring Authentication Profile in Invicti Enterprise

How to create an authentication profile in Invicti Enterprise
  1. Log in to Invicti Enterprise.
  2. From the main menu, select Scans > Authentication Profiles.
  3. On the Authentication Profiles page, enter a login form URL and select + Add Script.
  4. Complete the remaining steps for adding a custom script, as described in Custom Scripts for Form Authentication.
  5. Then, enter a Name and a Trigger URL to save the authentication profile. Select Save.

Once you save an authentication profile, you can use this profile to scan your website(s).

How to scan a website with an authentication profile
  1. From the main menu, select Scans > New Scan.
  2. In the Target URL field, enter the URL.
  3. Complete the remainder of the fields, as described in Invicti Enterprise New Scan Fields and Invicti Enterprise Scan Options Fields.
  4. From the Authentication Profiles drop-down, select one of the following options:
     • (Do Not Use)
     • (Use Matched Profile)
     • Your Custom Profile (Microsoft, in this example)
  5. Select Launch.

How to run a group scan with an authentication profile
  1. From the main menu, select Scans > New Group Scan.
  2. From the Website Group drop-down, select the website group you want to scan.
  3. Complete the remainder of the fields, as described in How to Scan a Website in Invicti Enterprise.
  4. From the Authentication Profiles drop-down, select one of the following options:
     • (Do Not Use)
     • (Use Matched Profile)
     • Your Custom Profile (Microsoft, in this example)
  5. Select Launch.

How to edit an authentication profile in Invicti Enterprise
  1. From the main menu, select Scans > Authentication Profiles.
  2. Next to the relevant profile, select Edit.
  3. Make the necessary changes in the Custom Script Editor window. Enter a new name and a trigger URL, if required.
  4. Select Save.

How to delete an authentication profile in Invicti Enterprise
  1. From the main menu, select Scans > Authentication Profiles.
  2. Next to the relevant profile, select Delete.
  3. From the Deleting Authentication Profile dialog, select Delete.

Configuring Authentication Profile in Invicti Standard

How to create an authentication profile in Invicti Standard
  1. Open Invicti Standard.
  2. From the Home tab, select Options, then Authentication Profiles.
  3. Enter a login form URL, then select + Add Script.
  4. Complete the remaining steps for adding a custom script, as described in Custom Scripts for Form Authentication.
  5. In the Add As Custom Script dialog, enter a friendly name in the Script Name field.
  6. Select Save.
  7. From the Options window, select Apply, then OK.

Once you save an authentication profile, you can use this profile to scan your website(s).

How to scan a website with an authentication profile
  1. Open Invicti Standard.
  2. From the Home tab, select New.
  3. In the Target Website or Web Service URL, enter the URL of the website you want to scan.
  4. From the General tab, select one of the following options in the Authentication Profiles drop-down:
     • (Do Not Use)
     • (Use Matched Profile)
     • Your Custom Profile (Microsoft, in this example)
  5. Configure the Scan Policy and Invicti Standard Scan Options Fields as required.
  6. Select Start Scan to scan a website.

Since an authentication profile is selected, there is no need to configure Form Authentication. Invicti uses the authentication profile to authenticate. To confirm this, examine the Logs panel to verify that Invicti authenticated itself during the scan.

How to edit an authentication profile in Invicti Standard
  1. Open Invicti Standard.
  2. From the Home tab, select Options, then Authentication Profiles.
  3. From the Custom Script tab, select the ellipsis to open the Custom Script Editor.
  4. Make required changes in the Custom Script Editor window, and select OK.
  5. In the Add As Custom Script dialog, enter a new script name, if necessary.
  6. Select Save.
  7. From the Options window, select Apply, then OK.

How to delete an authentication profile in Invicti Standard
  1. Open Invicti Standard.
  2. From the Home tab, select Options, then Authentication Profiles.
  3. Next to the relevant authentication profile, select .
  4. From the Delete Authentication Profile dialog, select Yes.