There are two types of password-protected areas:
- HTTP password-protected areas: These are generally managed by the web server, and the browser prompts the user with a password dialog.
- Form-based restricted areas: This type of authentication is handled by the web application itself. The credentials are requested through a web form.
When scanning an HTTP password-protected website, you are automatically prompted to specify the username and password. These credentials can also be pre-defined so that they are used for a specific website / host, a URL, or even a single file only.
To specify HTTP authentication credentials:
- Navigate to Configuration > Application Settings > HTTP Authentication.
- Click on the ‘Add credentials’ button.
- Enter the Username and Password. In the ‘Host’ text box, specify the main website URL, e.g. testphp.vulnweb.com. In the ‘Path’ text box, specify the path where the credentials should be used, e.g. /restricted/. Leave the path empty if the credentials are used site-wide.
- The HTTP Authentication configuration also includes the following options:
  - Do not prompt for manual authentication – By default, when a target website requires HTTP authentication during a crawl and scan, Acunetix Web Vulnerability Scanner will ask you for the credentials. If this option is switched off, Acunetix Web Vulnerability Scanner will continue scanning the website without authenticating, so the protected parts of the website will not be crawled or scanned.
  - Automatically save new credentials – When this option is enabled, new credentials (and the URL) specified during a scan are automatically saved in the Acunetix Web Vulnerability Scanner HTTP Authentication settings, and will be used automatically the next time the same site is scanned.
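To make the Host / Path scoping concrete, the following is an added example, not Acunetix's own code or settings format. It models a small credential store in which an empty path means "site-wide", a longer path prefix wins over a shorter one (so a file-specific entry beats a directory entry, which beats the site-wide one), and credentials are only attached once the server has actually issued a 401 challenge, mirroring the "continue without authenticating" behaviour when nothing matches. The names `CredentialStore`, `header_for` and the sample host entries are hypothetical.

```python
"""Scoping HTTP Basic credentials by host and path (illustrative, not Acunetix code)."""
import base64
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Credential:
    host: str       # e.g. "testphp.vulnweb.com" (constructed sample host)
    path: str       # e.g. "/restricted/"; "" means the whole site
    username: str
    password: str


@dataclass
class CredentialStore:
    entries: list = field(default_factory=list)

    def add(self, host, path, username, password):
        # Hosts compare case-insensitively; a site-wide entry is stored with path "".
        self.entries.append(Credential(host.lower(), path or "", username, password))

    def lookup(self, url):
        """Return the most specific matching credential for url, or None."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        path = parts.path or "/"
        best = None
        for cred in self.entries:
            if cred.host != host:
                continue
            # An empty path matches everything on the host; otherwise the
            # request path must start with the configured path prefix.
            if cred.path and not path.startswith(cred.path):
                continue
            if best is None or len(cred.path) > len(best.path):
                best = cred
        return best


def basic_header(cred):
    """Build the Authorization header value for HTTP Basic authentication."""
    token = base64.b64encode(f"{cred.username}:{cred.password}".encode()).decode()
    return f"Basic {token}"


def header_for(store, url, challenged):
    """Return the Authorization value to send for url, or None.

    `challenged` is True when the server answered 401 with WWW-Authenticate.
    Credentials are never sent pre-emptively, and when no scoped entry matches
    the request proceeds unauthenticated (so the protected area is not crawled).
    """
    if not challenged:
        return None
    cred = store.lookup(url)
    return basic_header(cred) if cred else None


if __name__ == "__main__":
    store = CredentialStore()
    store.add("testphp.vulnweb.com", "", "site_user", "site_pass")          # site-wide
    store.add("testphp.vulnweb.com", "/restricted/", "admin", "pw2")       # one directory
    for url in ("http://testphp.vulnweb.com/index.php",
                "http://testphp.vulnweb.com/restricted/report.php",
                "http://other.example/restricted/"):
        cred = store.lookup(url)
        print(url, "->", cred.username if cred else "no credentials (scan unauthenticated)")
```

The longest-prefix rule is what lets one store hold both a site-wide login and a more privileged account for a single directory without the latter leaking to every request on the host.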