Define an authentication record for scanning web applications. You can define multiple sets of credentials.
Provide a name for the authentication record. You can enter a maximum of 256 characters.
Initially, the user who creates the authentication record is the owner by default. You can edit the record after it is saved and select another user in your subscription as the owner.
Select the form authentication type:
Standard Login - if you want to enter one set of credentials for standard login form authentication.
Custom - if the login form requires fields in addition to the user name and password (for example, customerID), use custom form authentication and add those fields to the record.
Send authentication over SSL only (Standard Login and Custom only) - if you want our service to attempt authentication only when the login form is submitted over SSL/TLS, that is, when the form's action URL begins with https://. Select it unless you accept that the record's credentials may be sent in clear text to a form served over plain HTTP.
Selenium Script - if you want our service to attempt authentication using a Selenium IDE script. You must upload a valid Selenium script. Click Choose File to upload a script from your local file system, or drag and drop the file into the Import File window. Use Qualys Browser Recorder to create a Selenium script. To know more about Qualys Browser Recorder, refer to the online help.
Parameterization of Username and Passwords in Selenium Script - You can quickly update the username and password for a login form in the authentication record itself. We support parameters for username and password in the Selenium script. Use the placeholders @@authusername@@ and @@authpassword@@ in the script in place of the literal credentials, then upload it in the Qualys WAS Authentication Record. This also keeps the password out of the script file, so a recorded script can be shared or re-uploaded without exposing it.
After you upload the Selenium script, select the "Add credentials to Selenium Script" check box and provide the username and password. During the scan, we will replace @@authusername@@ and @@authpassword@@ with this username and password. See "Authentication - The Basics" in the Online Help.
Enter the user name for authentication.
Enter the password for authentication and enter it again to confirm.
Add fields. 1) Click Add Field to add a form field with the Name and Value elements. 2) Click Add Masked Field to add a masked field with the Name and Value elements. For a masked form field, the characters you enter for Value and Confirm Value are masked.
After successful upload, click View next to the script name to view the script contents. You'll notice sensitive contents are masked by default. Click Display to view the sensitive contents.
What is a valid script? Our service considers a Selenium script file as valid when: a) the file is an HTML file saved from Qualys Browser Recorder, b) the file contains at least one command, and c) the file contains an absolute URL (not a path relative to the recorder's base URL) for each form requiring authentication.
How do I verify authentication was successful using the script? Before launching a more extensive scan, configure an option profile that crawls only a small number of links and includes QIDs 150094 and 150095, then scan with it. One of these information gathered QIDs appears in the scan results as long as it is included in the selected option profile: QID 150094 reports that authentication succeeded, and QID 150095 that it failed.
(required) Enter a valid regular expression to be used by our service to verify authentication was successful at the end of the script. The regular expression must match a pattern on a page that is not accessible to an unauthenticated user. A good choice may be a "logout" link that is displayed only when the user has successfully authenticated. You can enter a maximum of 1024 characters.
All regular expressions are in PCRE format.
No bounding delimiters are necessary; the entire string is treated as the regex. Syntax such as /foo/ or #foo# is not required: the / or # characters familiar from Perl or PHP are how those languages delimit a regex literal, and we do not need them. If you include them, they become part of the pattern and must match literally.
Standard PCRE syntax applies, and only PCRE metacharacters need to be escaped. Examples:
\s -- whitespace character (space, tab, or new line)
\w -- word character (letter, digit, or underscore)
\\ -- literal backslash; in general, a backslash before a metacharacter makes it match literally
\. -- match a dot rather than any character
\? -- match a question mark rather than interpret it as a 0 or 1 quantifier
Admin -- match the word Admin anywhere
.* -- match anything 0 or more times
a+ -- match the letter 'a' one or more times
successful\slogin -- match "successful login" separated by a space, tab, or new line
^response$ -- match the word response, with anchors to the beginning and end of the input.
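The following is an added example, not code from Qualys or the WAS product, showing how to dry-run a candidate "authentication successful" pattern before saving it in a record. It checks the pattern against two constructed responses, AUTHENTICATED_PAGE and LOGIN_PAGE (both invented for this example), and rejects a pattern that fails to match the authenticated page, that also matches the unauthenticated page, or that is not valid syntax. Python's re module stands in for PCRE here; the two agree for every construct listed above (\s, \w, ., ?, *, +, ^, $).

```python
"""Dry-run a WAS 'authentication successful' regular expression against two saved
responses before using it in a record. Example code, not Qualys WAS's own; Python's
re module is used as a stand-in for PCRE, which agrees with it for the constructs
listed in the help (\\s, \\w, ., ?, *, +, ^, $)."""
import re

# Constructed sample responses: the page the scanner lands on after the login script
# runs, and what the same application returns to an anonymous request.
AUTHENTICATED_PAGE = """<html><body>
<div class="nav">Welcome back, scanner01 | <a href="/logout">Log out</a></div>
<h1>Dashboard</h1>
</body></html>"""

LOGIN_PAGE = """<html><body>
<h1>Welcome</h1>
<form action="/login" method="post">
<input name="username"><input name="password" type="password">
<button type="submit">Log in</button>
</form>
</body></html>"""


def check_success_regex(pattern, authenticated_body, unauthenticated_body, max_len=1024):
    """Return (ok, reason). A usable pattern matches the authenticated response and
    nothing an unauthenticated user can see. The pattern is compiled as-is, without
    surrounding /.../ delimiters, exactly as the record field is interpreted."""
    if len(pattern) > max_len:
        return False, f"pattern exceeds {max_len} characters"
    try:
        regex = re.compile(pattern)
    except re.error as exc:
        return False, f"invalid regular expression: {exc}"
    hits_authenticated = regex.search(authenticated_body) is not None
    hits_unauthenticated = regex.search(unauthenticated_body) is not None
    if not hits_authenticated:
        return False, "no match on the authenticated page: a real login would be reported as failed"
    if hits_unauthenticated:
        return False, "also matches the unauthenticated page: a failed login would be reported as success"
    return True, "matches only content an unauthenticated user cannot see"


if __name__ == "__main__":
    candidates = (r'href="/logout"', r"Log\sout", r"Welcome", r"Log\sin", r"/logout/", r"(logout")
    for candidate in candidates:
        print(f"{candidate:18} -> {check_success_regex(candidate, AUTHENTICATED_PAGE, LOGIN_PAGE)}")
```

Run it with two responses captured from your own application (one fetched with a logged-in session, one without) to see which candidate patterns survive. Note the /logout/ case: because delimiters are not stripped, the slashes are matched literally and the pattern never matches the logout link, so the scan would report every login as failed.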
Send authentication over SSL only - Select if you want our service to attempt authentication only when the form being authenticated to will be sent over SSL. When selected, authentication is attempted only when the form is submitted via a link that uses SSL (link URI https://...).
This site requires a client certificate - Select this option if the web application requires a client certificate. Click Choose File to upload a certificate from your local file system, or drag and drop the file into the Import File window. Upon successful upload, click View to view the certificate contents.
Passphrase - If required, enter and confirm a passphrase for the certificate.
Add Basic Record - Select to add a Basic record. Then enter the realm and login credentials in the fields provided. The realm is a name associated with the protected area of the web application. It corresponds to the AuthName setting in a .htaccess file for Apache servers, and to the Realm value set for IIS servers.
Add Digest Record - Select to add a Digest record. Then enter the realm and login credentials in the fields provided. The realm is a name associated with the protected area of the web application. It corresponds to the AuthName setting in a .htaccess file for Apache servers, and to the Realm value set for IIS servers.
Add NTLM Record - Select to add an NTLM record. Then enter login credentials in the fields provided.
Realm (optional) - For NTLM server authentication, enter the Windows domain name containing the credentials supplied in User Name/Password. For HTTP Basic server authentication, enter the protected realm name. You can enter a maximum of 128 characters.
Username - Enter a username for authentication. You can enter a maximum of 128 characters.
Password - Enter a password for authentication.
We support four authentication types or grant types for creating an OAuth2 record: 1) Authorization Code, 2) Implicit, 3) Client Credentials, 4) Resource Owner Password Credentials.
Selecting the "Authorization Code" or "Implicit" grant type requires you to upload a valid Selenium script. We will prompt you to upload the Selenium script when you select either grant type. Click Choose File to upload a script from your local file system, or drag and drop the file into the Import File window. Use Qualys Browser Recorder to create a Selenium script. To learn more about Qualys Browser Recorder, refer to the WAS Online Help.
We support parameters for username and password in the Selenium script. You can quickly update the username and password in the authentication record itself. Use the placeholders @@authusername@@ and @@authpassword@@ in the Selenium script in place of the literal credentials, then upload it in the Qualys WAS Authentication Record. After uploading the Selenium script, select the "Add credentials to Selenium Script" check box and enter the username and password. During the scan, we will replace @@authusername@@ and @@authpassword@@ with this username and password. See "Authentication - The Basics" in the Online Help.
After successful upload, click View next to the script name to view the script contents. You'll notice sensitive contents are masked by default. Click Display to view the sensitive contents.
What is a valid script? Our service considers a Selenium script file as valid when: a) the file is an HTML file saved from Qualys Browser Recorder, b) the file contains at least one command, and c) the file contains an absolute URL (not a path relative to the recorder's base URL) for each form requiring authentication.
How do I verify authentication was successful using the script? Before launching a more extensive scan, configure an option profile that crawls only a small number of links and includes QIDs 150094 and 150095, then scan with it. One of these information gathered QIDs appears in the scan results as long as it is included in the selected option profile: QID 150094 reports that authentication succeeded, and QID 150095 that it failed.
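The following is an added example, not code from Qualys or the WAS product, covering both the form-authentication and OAuth2 uses of a Selenium script described above: it parses a recorded script, checks offline the validity criteria that can be checked offline (at least one command, and an absolute URL for each page the script opens), flags a password typed as a literal instead of @@authpassword@@, and shows the placeholder substitution that happens at scan time. It assumes the classic Selenium IDE HTML table format (one <tr> per command with command, target and value cells), which is what SAMPLE_SCRIPT, a constructed recording, uses; whether the service HTML-escapes substituted values is not stated in the help and is this example's choice.

```python
"""Offline checks for a Selenium IDE login script before uploading it (example code,
not Qualys WAS's own). Assumes the classic Selenium IDE HTML table format, in which
each command is a <tr> with three <td> cells: command, target, value."""
import re
from html import escape
from html.parser import HTMLParser

USERNAME_PARAM = "@@authusername@@"
PASSWORD_PARAM = "@@authpassword@@"

# Constructed sample: a login recording with the credentials left as placeholders.
SAMPLE_SCRIPT = """<html><head>
<link rel="selenium.base" href="https://app.example.com/" />
<title>login</title></head><body>
<table><thead><tr><td colspan="3">login</td></tr></thead><tbody>
<tr><td>open</td><td>https://app.example.com/login</td><td></td></tr>
<tr><td>type</td><td>id=username</td><td>@@authusername@@</td></tr>
<tr><td>type</td><td>id=password</td><td>@@authpassword@@</td></tr>
<tr><td>clickAndWait</td><td>css=button[type=submit]</td><td></td></tr>
</tbody></table></body></html>"""


class SeleneseParser(HTMLParser):
    """Collects (command, target, value) triples; header rows with one cell are skipped."""

    def __init__(self):
        super().__init__()
        self.rows, self._row, self._cell = [], None, None

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag == "td" and self._row is not None:
            self._cell = []

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)

    def handle_endtag(self, tag):
        if tag == "td" and self._cell is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            if len(self._row) == 3:
                self.rows.append(tuple(self._row))
            self._row = None


def parse_script(html_text):
    """Return the list of (command, target, value) rows in the script."""
    parser = SeleneseParser()
    parser.feed(html_text)
    return parser.rows


def validate_script(html_text):
    """Return the problems detectable offline (criteria b and c above, plus a
    hard-coded password); an empty list means the script passed these checks."""
    rows = parse_script(html_text)
    problems = []
    if not rows:
        problems.append("script contains no commands")
    for command, target, value in rows:
        if command == "open" and not re.match(r"https?://", target):
            problems.append(f"'open' target is not an absolute URL: {target!r}")
        # A literal secret in the value column means the script, not the record, holds the password.
        if command == "type" and "password" in target.lower() and value != PASSWORD_PARAM:
            problems.append(f"password field {target!r} is hard-coded; use {PASSWORD_PARAM}")
    return problems


def bind_credentials(html_text, username, password):
    """Substitute the placeholders the way the scanner does at scan time. The values
    are HTML-escaped here because the script is an HTML file; that escaping is this
    example's assumption, not something the help states."""
    return (html_text
            .replace(USERNAME_PARAM, escape(username, quote=False))
            .replace(PASSWORD_PARAM, escape(password, quote=False)))
```

validate_script cannot tell whether a file was saved from Qualys Browser Recorder (criterion a); that remains a manual check. The hard-coded-password check matters because a script with a literal password is stored and viewable in the record, whereas the placeholder keeps the secret in the credential fields only.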
Enter the OAuth2 Implicit configuration. Required field is Redirect URL. Scope, Client ID, Client Secret, and Access token expired message pattern are optional fields.
Enter the OAuth2 Client Credentials. Required field is Access token URL. Scope, Client ID, and Client Secret are optional fields.
Enter the OAuth2 Resource Owner Password Credentials. Required fields are: Access token URL, User Name, and Password. Scope, Client ID, Client Secret, and Access token expired message pattern are optional fields.
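The following is an added example, not code from Qualys or the WAS product, showing what the Client Credentials and Resource Owner Password Credentials records above turn into on the wire, as defined by RFC 6749 sections 4.4 and 4.3. It maps the record fields named above to the token request, enforces the required fields the help lists, and treats the "Access token expired message pattern" as a regular expression over a response body. The record dictionary keys, sending the client secret in an HTTP Basic header rather than in the form body, and that interpretation of the expired-message pattern are this example's assumptions.

```python
"""What the OAuth2 Client Credentials and Resource Owner Password Credentials records
turn into on the wire (RFC 6749 sections 4.4 and 4.3), built from the record fields
named in the help. Example code, not Qualys WAS's own; the dictionary field names,
HTTP Basic for the client secret, and treating the expired-token pattern as a regex
over the response body are this example's assumptions."""
import base64
import re
from urllib.parse import urlencode

# Required fields per grant, as listed in the help for the two browserless grants.
REQUIRED = {
    "client_credentials": ("access_token_url",),
    "password": ("access_token_url", "username", "password"),
}


def validate_record(record):
    """List the missing required fields; Authorization Code and Implicit are rejected
    because they need the browser (Selenium script) flow instead."""
    grant = record.get("grant_type")
    if grant not in REQUIRED:
        return ["Authorization Code and Implicit grants need the browser (Selenium script) flow"]
    return [f"{field} is required for grant {grant}" for field in REQUIRED[grant] if not record.get(field)]


def build_token_request(record):
    """Return (url, headers, form_body) for the access-token request, or raise ValueError."""
    problems = validate_record(record)
    if problems:
        raise ValueError("; ".join(problems))
    grant = record["grant_type"]
    form = {"grant_type": grant}
    if grant == "password":
        form["username"] = record["username"]
        form["password"] = record["password"]
    if record.get("scope"):
        form["scope"] = record["scope"]
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    client_id, client_secret = record.get("client_id"), record.get("client_secret")
    if client_id and client_secret:
        # Confidential client: credentials go in an HTTP Basic header (RFC 6749 section 2.3.1),
        # never in the query string, so they do not end up in proxy or server access logs.
        token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {token}"
    elif client_id:
        form["client_id"] = client_id  # public client identifies itself in the body only
    return record["access_token_url"], headers, urlencode(form)


def token_expired(response_body, pattern):
    """True when the 'Access token expired message pattern' matches a response body,
    which is the cue to request a fresh token and retry the request."""
    return bool(pattern) and re.search(pattern, response_body) is not None
```

Every value in the form body is URL-encoded by urlencode, so passwords containing @, & or spaces are safe; a scanner that builds this request by string concatenation instead would break on exactly those characters. The expired-message pattern follows the same rules as the success regex: no delimiters, PCRE-style syntax.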
Choose one or more authentication records from the drop-down or click Create to configure a new record. When you've chosen a record, you'll notice links that enable you to edit or view the record settings.
Comments
Enter comments to be saved with the authentication record for future reference. You can enter a maximum 2048 characters.