Set Up HTTP Authentication

HTTP authentication is available for authentication scans using the VM and PC application.

Create HTTP authentication records for scanning protected portions of web sites and devices like printers and routers that require HTTP protocol level authentication. (Note that this is not Form-based authentication.) By authenticating we can perform additional vulnerability tests that we couldn't do otherwise.

Which technologies are supported?

For the most current list of supported authentication technologies and the versions that have been certified for VM and PC by record type, please refer to the following article: 

Authentication Technologies Matrix

How do I get started?

- Go to Scans > Authentication.

- Go to New > Applications > HTTP, and create an HTTP record.

Record settings

What login credentials are required?What login credentials are required?

When you select the Basic authentication type, tell us the username and password to use for authentication. Then, specify the protected device or web page you want to authenticate against. You can specify a virtual host (an FQDN such as bank.qualys.com) or the name of a realm (such as My Homepage) or IP/IP ranges.

Using Basic authentication for login credentials.

When you select Authentication Vault, specify the Username of a vault account,  select the Vault type as Hashicorp, and select the Vault Title. You must select Active Directory (AD) Secrets Engine while creating the HTTP authentication records.

Select Active directory Secrets Engine to create HTTP auth record.

Note: 

 

You can select the Basic Authentication or Authentication Vault to provide the login credentials.

Tell me about the Send authentication over SSL only optionTell me about the Send authentication over SSL only option

Select the “Send authentication over SSL only” option if you only want to attempt authentication over SSL. In this case authentication is attempted only when the form is submitted via a link that uses https://...

Learn more

How does it work?How does it work?

During a vulnerability scan, if we come across a web page that requires HTTP authentication then we’ll check to see if an HTTP record exists in your account with applicable credentials. If a record exists, we’ll use the credentials in the record to perform HTTP authentication.

Where can I get details about HTTP authentication?Where can I get details about HTTP authentication?

You can create vulnerability scan reports that include authentication status QIDs (Information Gathered). These QIDs report details about HTTP protocol level authentication: QID 86762 "Web Authentication Methods" and QID 105315 "Web Authentication Failed".

Where can I get the scan result for the HTTP authenticated recorded created?Where can I get the scan result for the HTTP authenticated recorded created?

Under the Appendix section, you can view the scan result for the HTTP authenticated record created.

showing successful scan result under appendix.

Why use host authentication