How to perform Automatic Authentication with Website Scanner

The Automatic authentication method lets you run an authenticated scan by supplying a valid username and password for the target application: the scanner's browser fills in and submits the login form itself, so no session has to be captured by hand.

Compatibility

In order for this kind of authentication to work, the login form must already be present when the login URL finishes loading. If a loading screen or any other intermediate page precedes the login form, this method is not compatible with your website.

The form must be a simple one that consists ONLY of the following three elements:

  1. Username field 
  2. Password field
  3. Submit button / Login button.
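As an added example (not the article's own text or code, nor the scanner's), the Python script below applies these three rules to the server-rendered HTML of a login URL: it lists every form on the page and reports the first one made of exactly one username-style field, one password field and one submit control, or otherwise explains why none qualifies. The sample pages embedded at the bottom are constructed for the example. Treating hidden inputs such as a CSRF token as harmless is an assumption, made because a browser submits them without any user input. Since only the HTML the server returns is inspected, a page whose form is built by JavaScript behind a loading screen shows up as having no form at all, which is exactly the case the compatibility note above rules out.

```python
"""Pre-flight check: does a login page carry the simple form the Automatic method needs?

Added example, not code from the original article or from the scanner.  It parses the
server-rendered HTML of a login URL and looks for a form made of exactly one username-style
field, one password field and one submit control.  Hidden inputs (e.g. a CSRF token) are
tolerated on the assumption that the scanner's browser submits them untouched.
"""
from html.parser import HTMLParser

USERNAME_TYPES = {"text", "email", "tel", ""}  # "" = <input> without a type attribute (defaults to text)
SUBMIT_BUTTON_TYPES = {"submit", ""}           # <button> without a type attribute defaults to submit


class _FormCollector(HTMLParser):
    """Collect every <form> on the page together with its controls."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""), "controls": []}
            self.forms.append(self._current)
        elif self._current is not None and tag in ("input", "button", "select", "textarea"):
            self._current["controls"].append({"tag": tag, **a})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _classify(form):
    """Bucket the form's controls into the roles the Automatic method recognises."""
    roles = {"username": [], "password": [], "submit": [], "hidden": [], "other": []}
    for c in form["controls"]:
        typ = (c.get("type") or "").lower()
        name = c.get("name") or c.get("id") or c["tag"]
        if c["tag"] == "input" and typ == "password":
            roles["password"].append(name)
        elif c["tag"] == "input" and typ == "hidden":
            roles["hidden"].append(name)
        elif c["tag"] == "input" and typ in USERNAME_TYPES:
            roles["username"].append(name)
        elif (c["tag"] == "input" and typ in ("submit", "image")) or \
             (c["tag"] == "button" and typ in SUBMIT_BUTTON_TYPES):
            roles["submit"].append(name)
        else:
            roles["other"].append(name)  # checkboxes, selects, OTP or CAPTCHA answers, plain buttons
    return roles


def _problems(roles):
    """Every way the form departs from the username + password + submit layout."""
    problems = []
    for role in ("username", "password", "submit"):
        if len(roles[role]) != 1:
            problems.append(f"{len(roles[role])} {role} controls ({', '.join(roles[role]) or 'none'})")
    if roles["other"]:
        problems.append("extra controls: " + ", ".join(roles["other"]))
    return problems


def check_login_page(html):
    """Return {'compatible': bool, 'reason': str, 'roles': dict or None} for the page's HTML."""
    parser = _FormCollector()
    parser.feed(html)
    if not parser.forms:
        return {"compatible": False, "roles": None,
                "reason": "no <form> in the server-rendered HTML; the form is probably built by "
                          "JavaScript behind a loading screen, which the Automatic method does not wait for"}
    diagnostics = []
    for form in parser.forms:
        roles = _classify(form)
        problems = _problems(roles)
        if not problems:
            return {"compatible": True, "roles": roles, "reason": "exactly username, password and submit"}
        diagnostics.append((roles, problems))
    # Nothing qualified: explain the form that holds a password field, i.e. the login form
    roles, problems = next(((r, p) for r, p in diagnostics if r["password"]), diagnostics[0])
    return {"compatible": False, "roles": roles, "reason": "; ".join(problems)}


# Constructed sample pages: a compatible form, a form with a CAPTCHA answer, a JS-rendered page
SIMPLE_LOGIN = """<form action="/signin.php" method="post">
  <input type="hidden" name="csrf" value="t0k3n">
  <input type="text" name="username"> <input type="password" name="password">
  <button type="submit">Login</button></form>"""
CAPTCHA_LOGIN = """<form action="/login" method="post">
  <input type="email" name="email"> <input type="password" name="password">
  <img src="/captcha.png"> <input type="text" name="captcha_answer">
  <input type="submit" value="Sign in"></form>"""
SPA_LOGIN = '<div id="app">Loading...</div><script src="/bundle.js"></script>'

if __name__ == "__main__":
    for label, page in (("simple", SIMPLE_LOGIN), ("captcha", CAPTCHA_LOGIN), ("spa", SPA_LOGIN)):
        result = check_login_page(page)
        print(f"{label}: compatible={result['compatible']} ({result['reason']})")
```

To run it against a real login URL, feed check_login_page() the HTML you get from a plain GET of that URL (curl or urllib), not the DOM a browser has already let JavaScript modify; the whole point of the check is to see what is there before any script runs.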

How to set it up

You can configure it by choosing the Automatic tab, in the Website Scanner configuration window.

You will have to provide the following details:

  • The login URL of the application (for example http://bank.pentest-ground.com/private-dev/signin.php). This is usually different from the target URL: it must be the page that actually contains the login form.
  • A valid username and password for that application.

At this point you can either test the login with the Check Authentication button or start the scan directly. Check Authentication does not start a scan: it only performs the login and shows a screenshot from the scanner's browser, whether the login succeeded or not.

Here is a sample configuration of the “Automatic” option:


If the login is successful, a pop-up with the landing page of the target application will be displayed. Otherwise, you will see an error message.


Troubleshooting

If Check Authentication fails, or the scan reports an authentication error after it starts, verify the following:

  • The Login form URL field contains the correct login URL;
  • The username and password are correct;
  • The target is reachable at the moment;
  • The path to the authentication form is valid, i.e. the form is actually served at that URL.

Each of the following scenarios is incompatible with the Automatic authentication method; in these cases use an alternative method instead:

1. Your website has a CAPTCHA code on the login

Cause: a CAPTCHA exists precisely to tell humans from automated clients. A scanner driving the login form is exactly what it is designed to block, so no tool or script can be expected to pass it.

Solution: disable the CAPTCHA on the login page for the duration of the scan (preferably on a test instance rather than in production) or use Cookie Header authentication. In the latter case, make sure the session you hand over stays logged in for the whole duration of the scan.

2. The target application has a 2FA authentication method


Cause: a second factor such as the Microsoft Authenticator or Google Authenticator app adds a step after the username and password: a one-time code that only the user's device can produce. An automated scanner has no way to supply that code.

Solution: use the Cookie Header authentication method. Log in yourself, including the second factor, and make sure that session stays logged in for the whole duration of the scan.

3. Your website asks for the email (or username) and the password on two separate pages.

Cause: the Automatic method expects all three elements on the single page at the login URL, so it cannot drive a form that is split into two steps.

Solution: use the Recorded or the Cookie Header authentication method.

4. The target application has an SSO (single sign-on) method

Cause: with single sign-on, for example through Auth0 or Microsoft, the login URL typically sends the user to the identity provider. The form the scanner meets there is not the simple three-element form of the application itself, and may involve several pages or a second factor.

Solution: use the Recorded or the Cookie Header authentication method.
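Three of the four scenarios above fall back on the Cookie Header method together with the instruction to stay logged in for the whole scan. The added Python example below (not part of the article or of the scanner) shows the check a practitioner would do before pasting a session into that method: it takes the Set-Cookie headers captured after a manual login (once the CAPTCHA, second factor or SSO step has been passed by hand), builds the single Cookie header value to replay, and warns about every cookie that will expire before a scan of the given length, or that is a pure session cookie whose remaining lifetime only the server knows. The headers, cookie names, capture time and scan duration are constructed for the example; that the scanner accepts a plain Cookie request header value is an assumption.

```python
"""Check captured session cookies before using them with the Cookie Header method.

Added example; not part of the original article or of the scanner.  The Set-Cookie
headers below are constructed, and it is an assumption that the scanner replays a plain
"Cookie:" request header built from them.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie


def parse_set_cookie(header):
    """Parse one Set-Cookie header into (name, Morsel)."""
    jar = SimpleCookie()
    jar.load(header)
    if len(jar) != 1:
        raise ValueError(f"expected exactly one cookie in {header!r}")
    (name, morsel), = jar.items()
    return name, morsel


def declared_lifetime(morsel, now):
    """Seconds until the cookie expires by its own attributes, or None for a session
    cookie (no Max-Age/Expires), whose life is bounded only by the server's idle timeout."""
    if morsel["max-age"]:                      # Max-Age takes precedence over Expires (RFC 6265)
        return float(morsel["max-age"])
    if morsel["expires"]:
        expires = parsedate_to_datetime(morsel["expires"])
        if expires.tzinfo is None:             # treat a bare timestamp as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        return (expires - now).total_seconds()
    return None


def build_cookie_header(set_cookie_headers, scan_duration_s, now=None):
    """Return (cookie_header_value, warnings).

    cookie_header_value is what goes after "Cookie:" in the scanner's requests; warnings
    name every cookie that cannot be relied on to last scan_duration_s seconds."""
    now = now or datetime.now(timezone.utc)
    pairs, warnings = [], []
    for header in set_cookie_headers:
        name, morsel = parse_set_cookie(header)
        pairs.append(f"{name}={morsel.coded_value}")  # replay the value exactly as the server set it
        ttl = declared_lifetime(morsel, now)
        if ttl is None:
            warnings.append(f"{name}: session cookie, lifetime is the server's idle timeout; "
                            "stay logged in and do not log out in your own browser during the scan")
        elif ttl < scan_duration_s:
            warnings.append(f"{name}: expires in {int(ttl)}s, before a {scan_duration_s}s scan ends")
    return "; ".join(pairs), warnings


# Constructed headers, as if captured right after a manual login (2FA/SSO/CAPTCHA already passed)
CAPTURED_SET_COOKIES = [
    "PHPSESSID=8f3a9c; Path=/; HttpOnly",
    "remember_me=abc; Expires=Tue, 21 Oct 2025 07:28:00 GMT; Path=/; Secure; HttpOnly",
    "csrf=xyz; Max-Age=900; Path=/",
]
CAPTURE_TIME = datetime(2025, 10, 21, 6, 28, 0, tzinfo=timezone.utc)  # fixed so the demo is reproducible
SCAN_DURATION_S = 1800

if __name__ == "__main__":
    value, warnings = build_cookie_header(CAPTURED_SET_COOKIES, SCAN_DURATION_S, CAPTURE_TIME)
    print("Cookie:", value)
    for w in warnings:
        print("warning:", w)
```

With the constructed input the remember_me cookie has an hour left and passes, the csrf cookie is flagged because its 900-second Max-Age ends before a 30-minute scan, and PHPSESSID is flagged as a session cookie: its validity depends on the server not timing the session out and on you not logging it out, which is what "remain logged in for the whole duration of the scan" means in practice.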


To conclude, if your login form is not a simple form as previously described, you should try one of the other methods: