There are two main ways to password protect a section of a web application, or the whole application. You can use form-based authentication, which is implemented at the web application level, or you can configure authentication at the web server level using Basic, Digest or NTLM/Kerberos authentication.
This blog post explains how you can configure the credentials in the Netsparker web application security scanner to scan a web application that is password protected with Basic, Digest or NTLM/Kerberos authentication.
Configuring the Credentials & URLs
You can configure the authentication details in Netsparker from the Authentication > Basic, NTLM/Kerberos node in the Start a New Website or Web Service Scan dialogue, which is shown in the above screenshot.
When configuring the authentication details you have to specify the:
- Authentication type (Basic, NTLM, Kerberos, Digest, Negotiate)
- URL Prefix (the URL of the password protected section)
- Username & password
- Domain (optional; needed when a domain is required, for example in Windows environments)
Once you have configured the authentication details, use the Test Credentials button to verify the credentials before launching the scan.
Note: Enable the option Do not expect challenge if you want the scanner to send the authorization header for basic authentication without expecting a challenge.
Configuring Multiple Sets of Credentials and URLs
The URL prefix specifies the URL of the password protected area. This is particularly useful if the target web application has several different password protected areas. For example, imagine you have a website http://example.com/ where basic authentication protects the pages under http://example.com/basic/ and NTLM authentication protects the pages under http://example.com/ntlm/. In such a case you can configure the following:
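As an added illustration (not Netsparker's own code) of how a scanner can map several credential sets to URL prefixes and of what the Do not expect challenge option changes for Basic authentication, the following Python sketch selects a credential set by longest matching prefix and decides whether the Authorization header is sent pre-emptively or only after a 401 challenge. The class, function names and sample credentials are assumptions constructed for this example.

```python
import base64
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class CredentialSet:
    """One row of scanner authentication settings (assumed model, not Netsparker's)."""
    auth_type: str                      # "Basic", "NTLM", "Digest", "Kerberos", "Negotiate"
    url_prefix: str                     # URL of the password protected section
    username: str
    password: str
    domain: str = ""                    # optional, used in Windows environments
    do_not_expect_challenge: bool = False  # send Basic header without waiting for a 401

# Constructed sample matching the two protected areas described above.
SAMPLE_SETS = [
    CredentialSet("Basic", "http://example.com/basic/", "alice", "s3cret"),
    CredentialSet("NTLM", "http://example.com/ntlm/", "bob", "pa55", domain="CORP"),
]

def select_credentials(url: str, sets: List[CredentialSet]) -> Optional[CredentialSet]:
    """Pick the credential set whose URL prefix matches; the longest prefix wins."""
    matches = [s for s in sets if url.startswith(s.url_prefix)]
    return max(matches, key=lambda s: len(s.url_prefix)) if matches else None

def basic_header(cred: CredentialSet) -> Dict[str, str]:
    """Build the RFC 7617 Basic Authorization header for a credential set."""
    token = base64.b64encode(f"{cred.username}:{cred.password}".encode()).decode()
    return {"Authorization": "Basic " + token}

def next_request_headers(url: str, sets: List[CredentialSet],
                         www_authenticate: Optional[str] = None) -> Dict[str, str]:
    """Authorization header to attach to the request for `url`.

    `www_authenticate` is the WWW-Authenticate value from a 401 response, or
    None on the first attempt. Only Basic is built here; NTLM, Digest and
    Kerberos need a multi-step handshake and are left to a dedicated handler."""
    cred = select_credentials(url, sets)
    if cred is None or cred.auth_type != "Basic":
        return {}
    if www_authenticate is None:
        # First attempt: pre-emptive only when "Do not expect challenge" is set.
        return basic_header(cred) if cred.do_not_expect_challenge else {}
    if www_authenticate.split(None, 1)[0].lower() == "basic":
        return basic_header(cred)
    return {}  # server asked for a scheme this credential set does not provide
```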
Upgrading from Older Versions of Netsparker Desktop
Support for multiple sets of credentials was introduced in Netsparker 4.9.1. If you are upgrading from an older version of Netsparker and have credentials configured:
- All saved credentials will be migrated to Basic authentication,
- All saved credentials which have a domain configured will be migrated to NTLM authentication.