Configuring and Verifying Form Authentication in Acunetix 360
When using Acunetix 360 to scan a web application that has a form based login, you'll need to configure the credentials and verify the session. Session verification is important, because you need to confirm that the configuration is correct, and that the scanner can differentiate between a logged in and a logged out session.
Session verification allows the scanner to identify a terminated session, so if it happens during a web vulnerability scan, the scanner can automatically log back in again, ensuring all password protected pages are scanned.
Form Authentication Fields
This table lists and describes the fields in the Form Authentication tab.
Select to enable Form Authentication.
Login Form URL
Enter the absolute URL of the login form, including the protocol (http or https).
Override Target URL with authenticated page
Select to enable the system to use the last page from the authentication process as the start URL, instead of the Target URL.
Detect Bearer Authentication Token
If there is an AJAX request after the login is performed, Bearer Authentication Tokens will be intercepted and used during the scan.
Select to enable the system to log in using the supplied credentials.
Enter the username for the login form.
Enter the password for the login form.
Enter the One-time Password for the login form.
You can add more than one script.
How to Verify Form Authentication
- Log in to Acunetix 360.
- From the main menu, click Scans, then New Scan (or New Group Scan). The New Scan window is displayed.
- From the Scan Options section, select Form Authentication. The Form Authentication section is displayed.
- Enable the Form Authentication checkbox.
- In the Login Form URL field, enter the URL of the login form whose credentials you want to configure.
- In the Personas section, click New Persona. A new row is displayed.
- In the Username field, enter the username.
- In the Password field, enter the password.
- In the OTP field, click the ellipses. The OTP Settings dialog is displayed.
- Complete the fields, click Generate OTP, then click OK.
You can specify multiple sets of credentials, and select the Active option next to the credentials Acunetix 360 should use during the upcoming scan.
- Click Verify Login & Logout so the scanner can test the login and determine a pattern to use to automatically detect logged in and logged out sessions.
What Happens When Verifying Form Authentication Configuration and Session
During the session verification process, the Verify Form Authentication window is displayed, showing the progress of the test.
During verification, the following happens:
- On the left, the scanner logs in to the web application using the supplied credentials and displays a logged in session.
- On the right, the scanner displays how the web application looks when not logged in. It also displays the Logout Detection pattern.
Once the test is ready, it is important that you:
- Confirm that both logged in and logged out sessions look as expected.
- Confirm that the logout detection pattern is correct, since this will be used by the scanner to identify a terminated session and log back in to continue the scan.
For further information, see Logout Detection.