
Configuring Form Authentication in Netsparker Standard

Netsparker Standard web application security scanner has a form authentication mechanism that makes it easy to configure scans for websites that require user authentication.

The form authentication mechanism in Netsparker Standard fills and submits login forms on your websites by means of the DOM of the login form page. This means that it does so without the need to record any login macros. It automatically detects the login form components, the username, and the password inputs. It then populates them and submits the login form. To do this, you only need to configure:

  • Login form URL
  • Credentials (username & password)

For further information, see Custom Scripts for Form Authentication in Netsparker Standard.

Form Authentication Fields

For further information on Form Authentication Fields in Netsparker Standard, see Authentication – Form.

How to Configure Automatic Form Authentication in Netsparker Standard

  1. Open Netsparker Standard.
  2. From the Home tab, click New. The Start a New Website or Web Service Scan dialog is displayed.
  3. Select the Form tab. The Form Authentication section is displayed.
  4. In the Form Authentication section, check the Enabled checkbox.
  5. In Login Form URL, enter the URL.
  6. In the Username field, enter a username.
  7. In the Password field, enter a password. Use the Show/Hide Password button if required.
  8. If required, click the ellipsis in the OTP field (see Configuring Form Authentication using an OTP).
  9. Click Start Scan.

Configuring a Login Form URL

The login form URL that should be configured in Netsparker is the URL of the page where your login form resides. Most websites have URLs like http://www.example.com/Login/ for their users to authenticate. It is also common for websites to have their login form on their homepage, usually in the header or sidebar. If this is the case, specify your website's home page URL in Netsparker as the login form URL. Netsparker has a better chance of detecting and filling the login form on pages dedicated to the login operation, so if you have a login form both on your homepage and on a dedicated login page, always specify the dedicated login page URL.

How to Configure a Login Form URL in Netsparker Standard

  1. Open Netsparker Standard.
  2. From the Home tab, click New. The Start a New Website or Web Service Scan dialog is displayed.
  3. Select the Form tab. The Form Authentication panel is displayed.
  4. Select the Enabled checkbox.
  5. In Login Form URL, enter the URL that contains your dedicated login form page.
  6. Continue from step 6 of How to Configure Automatic Form Authentication in Netsparker Standard.

Configuring Multiple Sets of Credentials and URLs

The other piece of information Netsparker requires for authenticating during a web application security scan is the credentials. You can enter more than a single set of credentials to simulate the different kinds of personas your website supports, such as one for regular users and one for admin users. This way, you can easily switch between accounts and perform authenticated scans with different user accounts that have different privileges.

How to Configure Multiple Sets of Credentials and URLs in Netsparker Standard

  1. Open Netsparker Standard.
  2. From the Home tab, click New. The Start a New Website or Web Service Scan dialog is displayed.
  3. Select the Form tab. The Form Authentication section is displayed.
  4. Check the Enabled checkbox.
  5. In Login Form URL, enter the URL.
  6. Click in the blank space below the first persona. A new space for another persona is displayed.
  7. In the Username field, enter the username.
  8. In the Password field, enter the password. Use the Show/Hide Password button as required.
  9. Continue to add rows and login credentials for as many other personas as you need. (Remember that only one persona can be used in a single scan. Run a separate scan for each persona.)
  10. Click Start Scan.

Configuring Form Authentication Using an OTP

Netsparker Standard supports form authentication using a One-Time Password (OTP). If you provide the Secret Key for this type of two-factor authentication (2FA), Netsparker Standard fills in the OTP automatically so that it can access and scan all sections of the target website.

Two OTP types are supported:

  • Time-based (TOTP)
  • HMAC-based (HOTP)

OTP Fields

This table lists and explains the fields in the OTP Settings dialog.

Button/Section/Field: Description

OTP Type: The type of OTP. The two types are:
  • TOTP is a temporary passcode generated by an algorithm that uses the current time of day as one of its authentication factors.
  • HOTP is a password algorithm that uses hash-based message authentication codes (HMAC).

Secret Key: The key used to generate the OTP. It is provided by the target website.

Digit: The number of digits in the generated OTP (its length).

Period (seconds): The time (in seconds) after which a new OTP is generated.

Algorithm: The hash algorithm used to generate the OTP.

Generate OTP: Click to generate a one-time password.

Read From QR Code: Click to read a QR (Quick Response) code provided by the target website and populate the OTP settings from it.

How to Configure Form Authentication Using an OTP

  1. Open Netsparker Standard.
  2. From the Home tab, click New. The Start a New Website or Web Service Scan dialog is displayed.
  3. Click the Form tab. The Form Authentication section is displayed.
  4. Check the Enabled checkbox.
  5. In the Login Form URL field, enter the URL.
  6. In the Username field, enter a username.
  7. In the Password field, enter a password. Use the Show/Hide Password button if required.
  8. In the OTP field, click the ellipsis for the relevant persona. The OTP Settings dialog is displayed. In Form Authentication settings, every persona has its own OTP settings, which open with default values. If you have copied a link that uses the otpauth protocol, the settings are changed automatically based on that link.
  9. In the OTP Type field, select the OTP type.
  10. In the Secret Key field, enter the secret key.
  11. In the Digit field, select an option.
  12. In the Period field, enter an option.
  13. In the Algorithm field, select an option.
  14. Click Generate OTP. If successful, an OTP is displayed along with the message 'OTP generated successfully.'
  15. Click OK to save this OTP for the selected persona.
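As an added example (not Netsparker's own code), the Python below shows how the OTP Settings fields listed above (OTP Type, Secret Key, Digit, Period, Algorithm) feed the standard TOTP/HOTP computation, and how those same fields can be read from an otpauth link of the kind a provisioning QR code encodes. The secret is the RFC 4226/6238 test secret and the labels in the links are constructed for illustration; none of these values come from this page.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

def parse_otpauth(uri):
    """Map an otpauth:// link (the content of a provisioning QR code) onto the
    OTP Settings fields: OTP Type, Secret Key, Digit, Period/counter, Algorithm."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth totp/hotp link")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in query:
        raise ValueError("otpauth link carries no secret")
    settings = {
        "type": parts.netloc,                      # OTP Type
        "label": unquote(parts.path.lstrip("/")),  # issuer:account, informational
        "secret": query["secret"],                 # Secret Key (base32)
        "digits": int(query.get("digits", "6")),   # Digit
        "algorithm": query.get("algorithm", "SHA1").upper(),  # Algorithm
    }
    if settings["type"] == "totp":
        settings["period"] = int(query.get("period", "30"))  # Period (seconds)
    else:
        settings["counter"] = int(query.get("counter", "0"))  # HOTP moving factor
    return settings

def hotp(secret_b32, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32, digits=6, period=30, algorithm="SHA1", at=None):
    """RFC 6238: HOTP whose counter is the number of whole periods since the Unix epoch."""
    moment = int(time.time()) if at is None else int(at)
    return hotp(secret_b32, moment // period, digits, algorithm)

def otp_from_settings(settings, at=None):
    """Generate the OTP for a parsed settings dict, as the Generate OTP button would."""
    if settings["type"] == "totp":
        return totp(settings["secret"], settings["digits"], settings["period"], settings["algorithm"], at)
    return hotp(settings["secret"], settings["counter"], settings["digits"], settings["algorithm"])
```

A mismatch between the scanner's Period or Algorithm and the target's settings produces a valid-looking but rejected code, so checking a parsed link against the RFC test vectors is a quick way to confirm the generator before a scan.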

Configuring Form Authentication Using an OTP from a QR Code

If you don't have the information you need to complete the fields in the OTP Settings dialog, Netsparker can retrieve them from a QR code. Once the OTP settings are entered, Netsparker will attempt to log in automatically. If this type of 2FA information is requested again after the initial login, Netsparker will again attempt to log in automatically.

If Netsparker does not automatically find the OTP field, the OTP field can be filled in using Custom Scripts.

For further information, see Custom Scripts for Form Authentication in Netsparker Standard.

How to Configure an OTP from a QR Code

  1. Open Netsparker Standard.
  2. From the Home tab, click New. The Start a New Website or Web Service Scan dialog is displayed.
  3. Click the Form tab.
  4. Check the Enabled checkbox.
  5. In Login Form URL, enter the URL.
  6. In the Username field, enter a username.
  7. In the Password field, enter a password.
  8. In the OTP field, click the ellipsis. The OTP Settings dialog is displayed.
  9. Click Read from QR Code. The QR Code Reader dialog is displayed.
  10. Click Capture QR Code. Netsparker captures the QR code and configures the settings in the OTP Settings dialog.

Problems with Form Authentication Login

Netsparker Standard form authentication can be configured to use the Interactive Login feature to log in to websites manually, even when a CAPTCHA or a one-time code is required. It also supports custom scripting, so if you have a complex login mechanism (for example, if your website performs several redirects before showing the login page) you can write a script to cater for such a setup. For further information, see Interactive Logins in Netsparker Standard.

If you notice that the scanner still cannot automatically log in and scan the password-protected section of your website, open a new support ticket to tell Netsparker support what the problem is, so that we can address the issue.

In the meantime, you can use any of these workarounds to scan a password-protected website until we fix the issue:

Should you encounter any issues with scanning a password-protected website that requires authentication, please do not hesitate to get in touch with our Support.
