
Configuring and Verifying Form Authentication in Invicti Enterprise

This document is for:
Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

When using Invicti Enterprise to scan a web application that has a form-based login, you need to configure the credentials and verify the session. Session verification is important to confirm that the configuration is correct and to ensure that the scanner can differentiate between a logged-in and a logged-out session. This enables the scanner to identify a terminated session so that if it happens during a web vulnerability scan, the scanner can automatically log back in again, ensuring all password-protected pages are scanned.

This document explains how to:

  • Configure form authentication for a scan
  • Verify the form authentication configuration

TIP: You can integrate Invicti Enterprise with a Privileged Access Management solution so that you do not have to enter sensitive credentials to scan the web application. For more information, refer to Integrating Invicti Enterprise with HashiCorp Vault and Integrating Invicti Enterprise with CyberArk Vault.

How to configure form authentication

  1. Select Scans > New Scan from the left-side menu.
  2. Confirm the Target URL and Scan Profile.
  3. In the Scan Settings options, select Form (under Authentication).
  4. Click the checkbox to enable Form Authentication.
  5. Enter the Login Form URL. This is the URL (including the protocol, HTTP or HTTPS) of the login form that the scanner will access.

  6. If required, select the Override Target URL With Authenticated Page checkbox. This setting enables the system to use the last page from the authentication process as the start URL, instead of the Target URL.
  7. If required, select the Detect Bearer Authorization Token checkbox. If there is an AJAX request after the login is performed, Bearer Authentication Tokens will be intercepted and used during the scan.
  8. If required, click Token Matching Rules. This enables you to enter a token regular expression if Invicti Enterprise is required to get the token from a website other than the Target URL. Configure this option only if you want Invicti Enterprise to capture the token from a website and then use the same token for different websites.
  9. If required, select the Enable enhanced authentication event logging checkbox. This setting allows Invicti to collect enhanced logs for diagnostic purposes that will help troubleshoot authentication issues if they occur.
  10. In the Personas section, click + New Persona. Then, enter the Username and Password for the login form that the scanner will use.

TIP: You can specify multiple sets of credentials and select the Active option next to the credentials Invicti Enterprise should use during the upcoming scan.

  11. If required, select the ellipsis (...) in the OTP field to configure One-Time-Password settings. For further instructions, refer to Configuring Form Authentication with OTP.

How to verify form authentication configuration

  1. Select Verify Login & Logout so the scanner can test the login and determine a pattern to use to automatically detect logged-in and logged-out sessions.

NOTE: If automatic authentication does not work for your website, you can click Custom Script and enter a JavaScript script that will be used to authenticate against the web application. For more information, refer to Custom Scripts for Form Authentication.

  2. The Verify Form Authentication window is displayed, showing the progress of the test.
  3. During verification, the following occurs:
     • On the left, the scanner logs in to the web application using the supplied credentials and displays the logged-in session.
     • On the right, the scanner displays how the web application looks when not logged in. It also displays the Logout Detection pattern.
  4. Once the test has completed, it is important that you:
     • Confirm that both the logged-in and logged-out sessions look as expected.
     • Confirm that the logout detection pattern is correct, since the scanner will use it to identify a terminated session and log back in to continue the scan.

For more information, refer to Logout Detection.
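To make the verification step concrete, the following added example (not Invicti's own code or algorithm) shows in simplified form what a logout detection pattern is and why checking it matters: a marker is derived from the difference between the logged-in and logged-out views, and every response during a crawl is tested against it so that a terminated session triggers a re-login instead of silently leaving pages unscanned. The two HTML snippets are constructed samples standing in for the two panes of the Verify Form Authentication window.

```python
import re

# Constructed sample responses, standing in for the two panes of the
# Verify Form Authentication window. Not captured from any real application.
LOGGED_IN_PAGE = (
    "<nav><a href='/account'>My account</a> <a href='/logout'>Log out</a></nav>\n"
    "<h1>Dashboard</h1>\n"
    "<p>Welcome back, alice</p>\n"
)
LOGGED_OUT_PAGE = (
    "<nav><a href='/login'>Log in</a></nav>\n"
    "<h1>Please sign in</h1>\n"
)


def derive_logout_pattern(logged_in: str, logged_out: str) -> str:
    """Build a regex from a line that occurs only in the logged-out view.

    Simplified heuristic for illustration: take the longest such line so the
    marker is as specific as possible. If the two views are identical, no
    pattern can be derived, which is exactly the case a reviewer must catch
    when checking the verification result.
    """
    in_lines = {ln.strip() for ln in logged_in.splitlines() if ln.strip()}
    candidates = [ln.strip() for ln in logged_out.splitlines()
                  if ln.strip() and ln.strip() not in in_lines]
    if not candidates:
        raise ValueError("logged-in and logged-out views are identical")
    return re.escape(max(candidates, key=len))


def is_logged_out(body: str, pattern: str) -> bool:
    """True when a response matches the logout detection pattern."""
    return re.search(pattern, body) is not None


def crawl(responses, pattern):
    """Walk a sequence of response bodies (hypothetical crawl order).

    A response that matches the logout pattern means the session was
    terminated: count a re-login and treat the page as not yet scanned,
    since it must be requested again with a fresh session.
    Returns (pages_scanned_authenticated, relogin_count).
    """
    scanned, relogins = 0, 0
    for body in responses:
        if is_logged_out(body, pattern):
            relogins += 1   # the scanner would re-run form authentication here
            continue
        scanned += 1
    return scanned, relogins
```

If the derived pattern also matched a page that legitimately contains the marker while logged in, every such page would be counted as a terminated session, which is why the pattern shown in the verification window should be checked against both views.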