Can’t perform authenticated website scan

An authenticated website scan can fail if the authentication method you selected does not match the login method of your target.
Written by Cristin Sirbu
Updated 4 months ago

Each of our authentication options has specific corner cases in which it cannot perform the authentication. Because each method is best used in certain scenarios, if Website Scanner cannot authenticate in your web application with one of the available methods, one of the others will work. The following methods are available:

Each of the above methods may fail for the following reasons. Fortunately, most can be solved by trying one of the other methods.

The credentials are incorrect

Make sure that the username and password are correct by first trying to authenticate manually in the application.

Your website has a CAPTCHA code on the login

Cause: It is technically impossible for any tool or script to log in to your web application automatically. By definition, a CAPTCHA-like system is designed to prove that a computer user is human. If the user is just a tool, it will not be able to perform the actions on the website.

Solution: Remove the CAPTCHA code from the login page while performing the scan or use Cookie / Header authentication. Make sure you remain logged in to the target application for the whole duration of the scan.

The target application has 2FA or MFA authentication

Cause: If your website uses a two-factor authentication method, such as the Microsoft Authenticator app or Google Authenticator, it adds an extra layer of security to your basic login authentication system. This is technically hard for an automated scanner to handle.

Solution: Try the Cookie / Header authentication methods. Make sure you remain logged in to the target application for the whole duration of the scan.

The username and password are located on two separate pages

Cause: The automatic tool/script doesn’t cover this function.

Solution: Try the Recorded / Cookie / Header authentication methods.

The Cookies method authentication is successful but the scan fails

Cause: If your cookies are renewed very often (for example, every 5 minutes), the scan will fail. A website scan can take several hours to complete. If those cookies are no longer valid after 5 minutes, the scanner will process valid requests only in the first 5 minutes.

Solution: If possible, increase the lifetime of the cookies in your target web application. Otherwise, try the Header authentication method. However, you should pay attention to the lifetime of the headers (which might include cookies and tokens).
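
A pre-scan check for the cookie and header lifetime problem described above, as an added example (not part of the original article and not the scanner's own code): it reads the Set-Cookie values from a login response and an Authorization header value, and reports which of them expire before a planned scan finishes. The sample cookies, the unsigned demo token, the function names and the 4-hour scan duration are constructed assumptions.

```python
import base64, json
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

def cookie_expiry(set_cookie, now):
    """Return (name, expiry) for one Set-Cookie value; expiry is None for session cookies."""
    name, morsel = next(iter(SimpleCookie(set_cookie).items()))
    if morsel["max-age"]:                      # Max-Age wins over Expires (RFC 6265)
        return name, now + timedelta(seconds=int(morsel["max-age"]))
    if morsel["expires"]:
        return name, parsedate_to_datetime(morsel["expires"])
    return name, None                          # no attribute: lifetime is set server-side

def bearer_expiry(header_value):
    """Return the exp claim of a JWT in an Authorization value, or None if the token is opaque."""
    parts = header_value.split()[-1].split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))
    except ValueError:                         # payload is not base64 or not JSON
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    return datetime.fromtimestamp(exp, timezone.utc) if exp else None

def verdict(expiry, now, scan_hours):
    if expiry is None:
        return "unknown: check the server-side session timeout"
    left = expiry - now
    return "ok" if left >= timedelta(hours=scan_hours) else f"expires after {left}, before the scan ends"

def check(set_cookies, auth_header, now, scan_hours):
    results = {n: verdict(e, now, scan_hours) for n, e in (cookie_expiry(c, now) for c in set_cookies)}
    results["Authorization"] = verdict(bearer_expiry(auth_header), now, scan_hours)
    return results

# Constructed sample data: Set-Cookie values from a login response and an unsigned demo token.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_COOKIES = [
    "sid=abc123; Max-Age=300; Path=/; HttpOnly; Secure",
    "remember=xyz; Expires=Tue, 02 Jan 2024 12:00:00 GMT; Path=/",
    "csrftoken=q1w2e3; Path=/",
]
_payload = base64.urlsafe_b64encode(json.dumps({"exp": int(NOW.timestamp()) + 900}).encode())
SAMPLE_AUTH = "Bearer e30." + _payload.rstrip(b"=").decode() + ".sig"

if __name__ == "__main__":
    print(json.dumps(check(SAMPLE_COOKIES, SAMPLE_AUTH, NOW, scan_hours=4), indent=2))
```

A cookie without Max-Age or Expires, or an opaque token, is reported as unknown because the client-side attributes say nothing about how long the application keeps the session valid.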

Solution: None. This is a limitation of the scanner.
