How to perform Headers Authentication with Website Scanner

The Headers option lets you run an authenticated scan by supplying HTTP headers that the target application accepts as valid.

Compatibility

HTTP headers carry information between a client and the server, such as details about the client browser, the server, the accessed page, and more. Some applications use specific headers to create sessions for users (login).

As a result, the Headers Authentication Method is required for users who need to run authenticated scans against these types of websites/applications.

The Cookie-based Method uses cookies, which are a special type of header, but not every application uses cookies to authenticate users. There are applications that rely on other special headers as an additional layer of security, such as token-based authentication (JSON web token).

How to set it up

In order to retrieve the headers needed, please follow the same steps described in the “How to get the Session Cookie” article.

The header format must be:

Header1: subheader1_name1=subheader1_value1;subheader1_name2=subheader1_value2;subheader1_name3=subheader1_value3;
Header2: subheader2_name1=subheader2_value1;
Header3: subheader3_name1=subheader3_value1;
etc.

The HTTP Headers can consist of one or more headers. The session cookie header can contain one or more sets of cookie name and value.

Enter only one header per line. If a header contains multiple name/value pairs, separate them with a semicolon (‘;’) and no white spaces between them.

! NOTE: In order for this kind of authentication to work, you’ll need to keep the logged-in session active for the duration of the scan. In other words, don’t log out of your authenticated session until the scan is finished.

Troubleshooting

If you encounter any errors when you start the scan, check the following:

  • The HTTP header is correct;
  • You have an active session.

Possible Errors

1. The headers method authentication is successful but the scan fails

Cause: If your header contains cookies or tokens that are renewed very often (for example every 5 minutes), the scan will fail. A website scan could take several hours to complete. If those cookies or tokens are no longer valid after 5 minutes, the scanner's requests will be accepted as authenticated only during the first 5 minutes.

Solution: If possible, increase the lifetime of the cookies or tokens in your target web application.

2. The header size is larger than 5000 characters.

Solution: None. This is a limitation of the scanner.
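
A pre-flight check for the header block, run before starting the scan, as an added example (not part of the original article or the scanner's own code). It assumes the 5000-character limit applies to the whole pasted block and that any token is a JWT carrying an exp claim; the function names and the sample token are constructed for illustration.

```python
import base64, json, re, time

MAX_CHARS = 5000  # limit from the article; applying it to the whole block is an assumption
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

def make_sample_jwt(exp):
    """Build an unsigned, constructed JWT-shaped token (sample data only)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'sub': 'demo', 'exp': exp})}.sig"

def jwt_exp(token):
    """Return the exp claim (epoch seconds) of a JWT, or None. No signature check."""
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, IndexError):
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    return exp if isinstance(exp, (int, float)) else None

def check_headers(block, scan_seconds, now=None):
    """Return a list of problems found in a pasted header block."""
    now = time.time() if now is None else now
    problems = []
    if len(block) > MAX_CHARS:
        problems.append(f"block is {len(block)} characters, limit is {MAX_CHARS}")
    for n, line in enumerate(block.splitlines(), 1):
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip() or not value.strip():
            problems.append(f"line {n}: expected 'Name: value'")
            continue
        if re.search(r"\s;|;\s", value):
            problems.append(f"line {n}: whitespace next to ';'")
        for tok in JWT_RE.findall(value):
            exp = jwt_exp(tok)
            if exp is not None and exp < now + scan_seconds:
                problems.append(f"line {n}: token expires {int(exp - now)}s from now, before the scan ends")
    return problems

if __name__ == "__main__":
    now = time.time()
    # Constructed sample: a 5-minute token and a cookie line with a stray space.
    block = f"Authorization: Bearer {make_sample_jwt(now + 300)}\nCookie: sid=abc123; theme=dark;"
    for problem in check_headers(block, scan_seconds=4 * 3600, now=now):
        print(problem)
```

An empty result means the block matches the format above and no detected token expires within the scan window you passed in; it does not confirm that the application accepts the session.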