How to scan an HTTP password protected area

There are two types of password protected areas:

  • HTTP Password protected areas: These are generally managed by the web server, and the user is prompted with a password dialog.
  • Form-based restricted areas: This type of authentication is handled by the web application. The credentials are requested using a web form.

This article explains how to scan a website that includes areas that require HTTP Authentication. Form-based restricted areas require the use of the Acunetix Login Sequence Recorder.

When scanning an HTTP password protected website, you will be automatically prompted to specify the username and password. These can be pre-defined to be used for a specific website / host, URL or even for a specific file only.

To specify HTTP authentication credentials:

  1. Navigate to Configuration > Application Settings > HTTP Authentication.
  2. Click on the ‘Add credentials’ button.
  3. Enter the Username and Password. In the ‘Host’ text box, specify the main website URL. In the ‘Path’ text box, specify the path where the credentials should be used, e.g. /restricted/. Do not specify a path if the credentials are used site wide.
  4. The HTTP Authentication configuration also includes the following options:
    • Do not prompt for manual authentication – By default, when a target website requires HTTP authentication during a crawl and scan, Acunetix Web Vulnerability Scanner asks you for the credentials. If this option is enabled, Acunetix Web Vulnerability Scanner continues scanning the website without authenticating, so the protected parts of the website will not be crawled or scanned.
    • Automatically save new credentials – When this option is enabled, new credentials (and the URL) specified during a scan are automatically saved in the Acunetix Web Vulnerability Scanner HTTP Authentication settings, and will be automatically used when the same site is scanned.
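The Host/Path scoping above is easiest to understand at the protocol level: the server answers with 401 and a WWW-Authenticate challenge, and the scanner retries with an Authorization header only when it holds credentials whose host and path prefix cover the requested URL. The following is an added illustration written for this article, not Acunetix code; the hostnames, the credential pair and the stand-in server are constructed, and the longest-prefix rule for choosing between overlapping entries is an assumption about how such scoping behaves.

```python
import base64
from urllib.parse import urlsplit


class HttpCredentialStore:
    """Credentials scoped by host and optional path prefix, mirroring the
    Host/Path fields described above (constructed example, not Acunetix code)."""

    def __init__(self):
        self._entries = []  # (host, path_prefix, username, password)

    def add(self, host, username, password, path=""):
        # Hostnames are case-insensitive; prefixes are stored without a
        # trailing slash so "/restricted/" and "/restricted" behave the same.
        prefix = path.strip()
        if prefix and not prefix.startswith("/"):
            prefix = "/" + prefix
        prefix = prefix.rstrip("/")
        self._entries.append((host.lower(), prefix, username, password))

    def lookup(self, url):
        """Return (username, password) of the most specific matching entry, or None.
        An empty prefix is site-wide; "/restricted" covers "/restricted" and
        "/restricted/x" but not "/restricted2" (assumed longest-prefix rule)."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        path = parts.path or "/"
        best, best_len = None, -1
        for h, prefix, user, pw in self._entries:
            if h != host:
                continue
            if prefix and not (path == prefix or path.startswith(prefix + "/")):
                continue
            if len(prefix) > best_len:
                best, best_len = (user, pw), len(prefix)
        return best


def basic_auth_header(username, password):
    """RFC 7617 Basic credentials: base64("user:password")."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def fetch(store, url, server):
    """Request url; on a 401 Basic challenge retry with stored credentials.
    Returns the final status code. `server` is a callable (path, headers) ->
    (status, response_headers) standing in for the real web server."""
    path = urlsplit(url).path or "/"
    status, headers = server(path, {})
    if status != 401:
        return status
    challenge = headers.get("WWW-Authenticate", "")
    if not challenge.lower().startswith("basic"):
        return status  # not a Basic challenge: never send Basic credentials to it
    creds = store.lookup(url)
    if creds is None:
        return status  # no saved credentials: the protected area stays unscanned
    status, _ = server(path, {"Authorization": basic_auth_header(*creds)})
    return status


def demo_server(path, headers):
    """Constructed stand-in server: everything under /restricted/ needs Basic auth."""
    if path == "/restricted" or path.startswith("/restricted/"):
        if headers.get("Authorization") == basic_auth_header("scanner", "s3cret"):
            return 200, {}
        return 401, {"WWW-Authenticate": 'Basic realm="Restricted area"'}
    return 200, {}


def demo():
    store = HttpCredentialStore()
    # Credentials saved for one host and one path, as in step 3 above.
    store.add("testphp.example", "scanner", "s3cret", path="/restricted/")
    return {
        "public": fetch(store, "http://testphp.example/index.php", demo_server),
        "restricted": fetch(store, "http://testphp.example/restricted/admin.php", demo_server),
        "other_host": fetch(store, "http://other.example/restricted/admin.php", demo_server),
    }


if __name__ == "__main__":
    print(demo())
```

The `other_host` case is the situation the "Do not prompt for manual authentication" option governs: the challenge arrives, no saved credentials match, and the request ends at 401, so nothing behind it is crawled. Entering a host-only entry (no path) would cover every path on that host, while an entry whose path names a single file covers just that file.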