When using Netsparker Cloud to scan a web application that has a form based login form, you need to configure the credentials and verify the session. Session verification is important so that you can confirm that the configuration is correct, and the scanner can differentiate between a logged in a logged out session.
Session verification allows the scanner to identify a terminated session, so if it happens during a web vulnerability scan the scanner can automatically log back in again, ensuring all password protected pages are scanned.
Configuring Form Authentication in Netsparker Cloud
To configure Form Authentication in Netsparker Cloud click the Form Authentication node in the Scan Options and then:
- Enable Form Authentication by checking the checkbox.
- Enter the URL of the login form in the Login Form URL input field.
- Enter the username and password in their respective fields, in the Personas section.
Note: You can specify different sets of credentials and tick the Default option next to the credentials Netsparker Cloud should use during the upcoming scan.
- Click Verify Login & Logout so the scanner can test the login and determine a pattern to use to automatically detect logged in and logged out sessions.
What to Look for when Verifying the Form Authentication Configuration and Session?
During the session verification process a new window will pop up, from which you can see the progress of the test, as per the below screenshot.
During the form authentication verification the following happens:
- The scanner logs in to the web application using the supplied credentials and shows a logged in session in the left window.
- In the right window the scanner shows how the web application looks when not logged.
- On the right hand side the scanner will also show the Logout Detection pattern.
Once the test is ready it is important that you:
- Confirm that both logged in and logged out sessions look as expected.
- Confirm that the logout detection pattern is correct since this will be used by the scanner to identify a terminated session and log back in to continue the scan.
How to Confirm and Configure the Logout Pattern?
Netsparker Cloud uses either Redirect or Keyword based logout detection to determine the status of a session. Below is an explanation of how both of them work and how you can configure them, should you need to.
Redirect Based logout Detection
Many websites redirect the user back to the login form or a specific URL when requesting a password protected page without a valid session. If your website does so, the scanner will detect and use a Redirect based logout.
Netsparker Cloud tests for this by sending an anonymous request to the last URL visited when simulating a successful login. If it gets a HTTP 3xx redirect response then it means that the target web application redirects non-logged in visitors and this redirect pattern can be used to detect the status of a session.
To configure or change the Redirect based logout detection specify the URL to where users are redirected to when they try to access a password protected page without a valid session. You can also use wildcards in the URL. For example if your web application adds a random ID in the URL when accessing the login page, you can use the following URL with a wildcard:
Keyword Based Logout Detection
If your website does not redirect visitors who do not have a valid session to a specific URL, you can use the keyword-based logout detection. When using this method the scanner will look for specific keywords in the HTTP responses. Below is a screenshot of the configuration of the Keyword Based logout detection:
You can specify as much keywords as you want in this list. Netsparker Cloud has to match them ALL in a HTTP response to confirm that a session has been terminated. You can also use regular expressions in the keywords. If you do, check the Is Regex? checkbox next to the keyword pattern.
Configuring Authentication for Non Supported Login Forms
If for some reason you cannot use the settings in the Scan Options to configure automated form authentication you can write a custom script and upload it to Netsparker Cloud. For more information please refer to documentation on Custom Scripts for Form Authentication in Netsparker.