Scanning authenticated web assets
Most web applications and websites require some form of authentication – either for the whole site or for a particular area. While some scanners can detect standard authentication forms and mechanisms, many custom web applications need a mechanism that repeats the steps a human would take to log in.
Acunetix provides several options for scanning authenticated web assets, including an automated mechanism that detects and handles standard login forms using the login data that you supply. For more complex web applications, you can launch the Acunetix Login Sequence Recorder (LSR) and record a login sequence (*.lsr file), which is uploaded and saved with your target settings. If your web asset uses Time-based One-Time Passwords (TOTP), these can be included in both the automated login mechanism and a recorded login sequence. Acunetix also supports scanning web assets that use OAuth 2.0 authentication flows.
This document outlines the main configuration steps required for Acunetix to scan an authenticated web asset.
How to scan an authenticated web asset
- Create a target. For detailed instructions, refer to Adding targets.
- Enable the Site Login section of the target's settings and select an authentication mechanism. The available options are:
  - Try to auto-login into the site
  - Use pre-recorded login sequence
  - Use OAuth for this site
- Fill in the required fields for your chosen authentication mechanism or record a login sequence. Ensure you also set up OTP with the automated login mechanism and recorded login sequence if required. For detailed instructions, refer to the relevant documentation:
  - Configuring auto-login
  - Recording a login sequence
  - Configuring form authentication with OTP
  - Configuring OAuth 2.0 authentication
- Click Save in the top-right corner of the Target Settings page.
- Click Scan.
- Choose your scanning options and select the checkbox to confirm you are authorized to scan the target.
- Click Create Scan.
Acunetix will now queue the scan and initiate scanning according to the schedule you specified in the scan options.
Scan results
The Scan Details page will display the progress and results of the scan. You can check the Site Structure tab on the Scan Details page to confirm that the authenticated areas of your target were scanned.
For more information, refer to Reviewing scan results.