Configuring Basic, NTLM & Digest Authentication in Netsparker

There are two main ways to password-protect a section of a web application, or the whole application. You can use form-based authentication, which is implemented at the web application level, or you can configure authentication at the web server level using Basic, Digest or NTLM/Kerberos authentication. In the second case the browser (or scanner) answers an HTTP 401 challenge with an Authorization header rather than submitting a login form.

This blog post explains how to configure credentials in the Netsparker web application security scanner so that it can scan a web application that is password-protected with Basic, Digest or NTLM/Kerberos authentication.

Configuring the Credentials & URLs

Configuring Multiple Sets of Credentials and URLs

You can configure the authentication details in Netsparker from the Authentication > Basic, NTLM/Kerberos node in the Start a New Website or Web Service Scan dialog, which is shown in the above screenshot.

When configuring the authentication details you have to specify the:

  • Authentication type (Basic, NTLM, Kerberos, Digest, Negotiate)
  • URL Prefix (the URL of the password-protected section; the credentials are only sent for requests under this prefix)
  • Username & password
  • Domain (optional; only needed for NTLM, Kerberos and Negotiate in Windows environments where the account must be domain-qualified)

Once you have configured the authentication details, use the Test Credentials button to verify that the target accepts them before launching the scan. A scan run with credentials that are silently rejected will only cover the unauthenticated surface of the application.

Note: Enable the option Do not expect challenge if you want the scanner to send the Authorization header for Basic authentication pre-emptively, with every request under the URL prefix, instead of first waiting for the server's 401 response and WWW-Authenticate challenge. Some applications never issue the challenge and simply redirect or return an error when the header is missing, which is when this option is needed. Because the header then goes out with every matching request, keep the URL prefix as narrow as possible, and remember that Basic credentials are only base64-encoded, so the target should be scanned over HTTPS.

The URL prefix specifies the URL of the password-protected area. This is particularly useful if the target web application has several password-protected areas that use different schemes or different accounts. For example, imagine you have a website where Basic authentication is used to protect the pages under and NTLM authentication is used to protect the pages under In such a case you can configure the following:
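To make the mechanics of the settings above concrete, here is an added illustration of what a scanner does with a list of credential sets: pick the set whose URL prefix matches the request (longest prefix wins), format a domain-qualified username, and build the Authorization header for Basic (pre-emptively when "Do not expect challenge" is set, otherwise only after a challenge) and for Digest (which can only be answered after the server's nonce arrives). This is example code written for this post, not Netsparker's implementation; the hostnames, accounts, prefixes and the Digest challenge are constructed. NTLM, Kerberos and Negotiate need a multi-leg handshake and are deliberately not modelled.

```python
"""Credential selection by URL prefix plus Basic / Digest header construction,
as a scanner would do it. Added illustration, not Netsparker's code; the
hostnames, accounts and the Digest challenge below are constructed."""
import base64
import hashlib
import hmac
import re
from dataclasses import dataclass

@dataclass
class CredentialSet:
    auth_type: str              # "Basic", "Digest", "NTLM", "Kerberos" or "Negotiate"
    url_prefix: str             # the password-protected section this set applies to
    username: str
    password: str
    domain: str = ""            # optional, only meaningful for NTLM/Kerberos/Negotiate
    expect_challenge: bool = True   # False models "Do not expect challenge" (Basic only)

def select_credentials(url, sets):
    """Longest matching prefix wins, so a nested section can override its parent."""
    matches = [s for s in sets if url.startswith(s.url_prefix)]
    return max(matches, key=lambda s: len(s.url_prefix)) if matches else None

def qualified_username(creds):
    """Windows-style DOMAIN\\user when a domain is configured, else the bare name."""
    return f"{creds.domain}\\{creds.username}" if creds.domain else creds.username

def basic_header(creds):
    """RFC 7617: credentials are only base64-encoded, so this needs TLS to be safe."""
    raw = f"{qualified_username(creds)}:{creds.password}".encode()
    return "Basic " + base64.b64encode(raw).decode()

def parse_auth_params(header):
    """Split 'Scheme k=v, k="v"' (WWW-Authenticate or Authorization) into (scheme, dict)."""
    scheme, _, rest = header.partition(" ")
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return scheme, params

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_header(creds, method, uri, chal, cnonce="0a4f113b", nc="00000001"):
    """RFC 2617 Digest with MD5 and qop=auth, the usual server configuration."""
    ha1 = _md5(f"{creds.username}:{chal['realm']}:{creds.password}")
    ha2 = _md5(f"{method}:{uri}")
    response = _md5(f"{ha1}:{chal['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    return (f'Digest username="{creds.username}", realm="{chal["realm"]}", '
            f'nonce="{chal["nonce"]}", uri="{uri}", qop=auth, nc={nc}, '
            f'cnonce="{cnonce}", response="{response}"')

def verify_digest(authorization, method, password):
    """What the server does: recompute the response from its stored password."""
    scheme, p = parse_auth_params(authorization)
    if scheme != "Digest":
        return False
    ha1 = _md5(f"{p['username']}:{p['realm']}:{password}")
    ha2 = _md5(f"{method}:{p['uri']}")
    expected = _md5(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}")
    return hmac.compare_digest(expected, p["response"])

def authorize(url, method, sets, challenge=None):
    """Authorization header value for this request, or None to send it without
    credentials and wait for the server's 401 challenge."""
    creds = select_credentials(url, sets)
    if creds is None:
        return None                      # outside every protected prefix
    scheme, params = parse_auth_params(challenge) if challenge else (None, {})
    if creds.auth_type == "Basic":
        if not creds.expect_challenge or scheme == "Basic":
            return basic_header(creds)   # pre-emptive, or answering a challenge
        return None
    if creds.auth_type == "Digest":
        if scheme != "Digest":
            return None                  # Digest cannot be sent before the nonce arrives
        parts = url.split("/", 3)
        uri = "/" + parts[3] if len(parts) == 4 else "/"
        return digest_header(creds, method, uri, params)
    raise NotImplementedError(f"{creds.auth_type}: multi-leg handshake not modelled here")

# Constructed sample configuration: two protected sections, two schemes.
SETS = [
    CredentialSet("Basic", "https://example.test/reports/", "alice", "secret",
                  expect_challenge=False),
    CredentialSet("Digest", "https://example.test/admin/", "bob", "hunter2"),
]
# Constructed 401 challenge as the /admin/ section would return it.
ADMIN_CHALLENGE = 'Digest realm="admin area", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c0", qop="auth"'

if __name__ == "__main__":
    print(authorize("https://example.test/reports/q1", "GET", SETS))    # pre-emptive Basic
    print(authorize("https://example.test/admin/users", "GET", SETS))   # None: wait for 401
    hdr = authorize("https://example.test/admin/users", "GET", SETS, ADMIN_CHALLENGE)
    print(hdr, verify_digest(hdr, "GET", "hunter2"))
```

The two prefixes show why scoping matters: the Basic set is sent pre-emptively, so every request under /reports/ carries the password, while nothing is ever sent for URLs outside both prefixes. The verify_digest function is the server side of the same calculation and is the quickest way to check that a Digest client is computing the response correctly before pointing it at a real target.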

Upgrading from Older Versions of Netsparker Desktop

Support for multiple sets of credentials was introduced in Netsparker 4.9.1. If you are upgrading from an older version of Netsparker in which credentials were already configured, they are migrated as follows:

  1. Saved credentials without a domain are migrated to Basic authentication.
  2. Saved credentials that have a domain configured are migrated to NTLM authentication.

Check the migrated entries after upgrading and use Test Credentials to confirm they still work, since a set that actually used Digest or Kerberos will need its authentication type corrected by hand.
