1

I have scanned my website using Nessus. But I need to scan it as a logged in user since most of the URLs are accessible only if we are logged in. How can I set website login credentials in Nessus?

2
  • Login mechanisms differ from site to site; can't you just disable the login mechanism or make an auto-login from a certain IP? Otherwise, try your favorite search engine.
    – HamZa
    Commented Apr 30, 2014 at 10:08
  • I have searched in Google before asking here... didn't get a solution... 'Scanning by login mechanism disabled' seems a good idea... Will check that... Commented Apr 30, 2014 at 17:00

3 Answers

2

Nessus 5 made a change: It's in the Preferences section:

  • Login configurations
  • HTTP login page

There you can set your HTTP credentials/settings.

This is a basic check in the documentation. Why go to Google when you can RTFM....

2

Nessus has the information posted on their page with a full walkthrough. http://www.tenable.com/tips/how-to-enable-credentialed-checks-on-windows

2
  • 2
    No. It's for logging in to the remote host (remote login) and scanning. It's not for website login. Commented Apr 30, 2014 at 16:52
  • Munkeyoto has the right idea, but the wrong section. There's a section for basic authentication.
    – schroeder
    Commented Apr 30, 2014 at 17:47
1

There are two ways:

  • Cookie import: First you have to export them from your browser in Netscape format. Read more here.

  • HTTP Login Parameters: An article demonstrating this option is here.

    Moreover, the steps as described in the documentation are the following:

    1. Create new scan
    2. Web Application Tests
    3. Credentials, which are filled out as follows (taken from the documentation):

      • Username: Login user’s name.
      • Password: Password of the user specified.
      • Login page: The absolute path to the login page of the application, e.g., /login.html

      • Login submission page: The action parameter for the form method. For example, the login form for: would be: /login.php

      • Login parameters: Specify the authentication parameters (e.g., login=%USER%&password=%PASS%). If the keywords %USER% and %PASS% are used, they will be substituted with values supplied on the Login configurations drop-down menu. This field can be used to provide more than two parameters if required (e.g., a group name or some other piece of information is required for the authentication process).

      • Check authentication on page: The absolute path of a protected web page that requires authentication, to better assist Nessus in determining authentication status, e.g., /admin.html.

      • Regex to verify successful authentication: A regex pattern to look for on the login page. Simply receiving a 200 response code is not always sufficient to determine session state. Nessus can attempt to match a given string such as "Authentication successful".

However, in my case (Drupal 6), it couldn't authenticate.
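As an added example (not part of this answer and not Tenable's code), the script below replays the sequence those fields describe against a constructed local site, so a login configuration and its regex can be validated before it is handed to Nessus. `CONFIG`, `verify_login`, `DemoSite` and the credentials `alice` / `s3cret&` are all assumptions made up for the demo.

```python
import http.client, re, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, quote_plus
# Keys mirror the Nessus "HTTP login page" fields listed above; values are constructed.
CONFIG = {"login_page": "/login.html", "login_submission_page": "/login.php",
          "login_parameters": "login=%USER%&password=%PASS%",
          "check_page": "/admin.html", "success_regex": r"Authentication successful"}
def build_login_body(template, user, password):  # %USER% / %PASS% substitution, form-encoded
    return template.replace("%USER%", quote_plus(user)).replace("%PASS%", quote_plus(password))

def verify_login(host, port, cfg, user, password):
    """Replay Nessus's steps: GET login page, POST form, GET check page with cookie, match regex."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", cfg["login_page"]); conn.getresponse().read()
    conn.request("POST", cfg["login_submission_page"],
                 body=build_login_body(cfg["login_parameters"], user, password),
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse(); resp.read(); cookie = resp.getheader("Set-Cookie")
    if not cookie:
        return False, "no session cookie after login POST"
    conn.request("GET", cfg["check_page"], headers={"Cookie": cookie.split(";")[0]})
    resp = conn.getresponse(); page = resp.read().decode()
    if resp.status != 200:
        return False, f"check page returned HTTP {resp.status}"
    if not re.search(cfg["success_regex"], page):
        return False, "regex not found on check page (a 200 alone proves nothing)"
    return True, "authenticated"

class DemoSite(BaseHTTPRequestHandler):
    """Constructed stand-in for the target: every GET returns 200, and /admin.html
    shows the success string only to a valid session cookie (otherwise the login form)."""
    SESSION = "sid=demo-session"
    def log_message(self, *args): pass  # keep test output quiet
    def do_GET(self):
        ok = self.path == CONFIG["check_page"] and self.headers.get("Cookie") == self.SESSION
        self._send(200, "<p>Authentication successful</p>" if ok else '<form action="/login.php" method="post"></form>')
    def do_POST(self):
        form = parse_qs(self.rfile.read(int(self.headers.get("Content-Length", 0))).decode())
        if form.get("login") == ["alice"] and form.get("password") == ["s3cret&"]:
            return self._send(302, "", {"Set-Cookie": self.SESSION, "Location": CONFIG["check_page"]})
        self._send(200, "<p>bad credentials</p>")
    def _send(self, status, body, extra=None):
        self.send_response(status)
        for k, v in {"Content-Type": "text/html", "Content-Length": str(len(body)), **(extra or {})}.items():
            self.send_header(k, v)
        self.end_headers(); self.wfile.write(body.encode())
def start_demo_site():  # returns the ephemeral port the constructed site listens on
    srv = HTTPServer(("127.0.0.1", 0), DemoSite)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]
```

A form that requires a per-request hidden token issued on the login page cannot be satisfied by a fixed parameter string, and this replay fails on such a site for the same reason the Nessus settings would.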
