Sometimes a default scan is not enough to detect the security risks on a website, for reasons such as:

  • The website lets users register for accounts, and the scanner cannot reach the APIs behind the login unless it is signed in
  • Administrators or website developers have configured the site to block automated scanning by attackers, which also blocks the scanner
  • ...

In these cases, configure Advanced Scan when creating a new scan or when creating a Scan Schedule. Advanced Scan lets you:

  • Customize the HTTP headers the scanner sends to the website while scanning for vulnerabilities
  • Authenticate the scanner to the website through one of the following methods:

           - Basic authentication
           - Cookies authentication
           - Form authentication (username and password)

Basic authentication

This is the simplest method, but very few sites use it. If your website uses basic authentication, enter:

  • username
  • password

Cookie authentication

Almost all websites now use cookies to authenticate users. You will need to enter:

  • Cookies: the contents of the Cookie HTTP header field for an authenticated session
  • Logout URL: the URL used to log out of the website (optional). CyStack Scanning will avoid accessing this URL so that the cookie's session stays signed in while scanning for vulnerabilities.

Form authentication 

If the scanner's authenticated session expires or is signed out partway through, the scanner may not be able to scan all resources and APIs on the website. With this method, the scanner automatically logs in again whenever its session is invalidated. To use it, enter:

  • Username field, username: the name of the username variable and the value sent to the website
  • Password field, password: the name of the password variable and the value sent to the website
  • Authentication URL: the URL used for authentication
  • Check URL: a URL the scanner requests to determine whether its session is still authenticated
  • Check string: text that indicates the session is authenticated; it must appear in the response when the Check URL is accessed while signed in
  • Logout URL: the URL used to log out of the website (optional). CyStack Scanning will avoid accessing this URL so that your cookie's session stays signed in while scanning for vulnerabilities.
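Added example (not CyStack's own code) of the behaviour described for form authentication and for the Logout URL setting: before each request the scanner probes the Check URL for the Check string, logs in again through the form when the session has lapsed, and never requests the Logout URL. The target site, credentials, field names and URLs are all constructed stand-ins so the code runs offline.

```python
# Added example (not CyStack's code): form-auth session keeping against a constructed in-memory site.
from typing import Callable, Optional

Response = tuple[int, str, dict]  # status, body, cookies set by the server

class FakeSite:  # constructed target: /login issues a cookie valid for `ttl` requests
    def __init__(self, ttl: int = 3):
        self.sessions, self.ttl, self.logouts = {}, ttl, 0

    def request(self, method: str, url: str, data: dict, cookies: dict) -> Response:
        sid = cookies.get("sid")
        if method == "POST" and url == "/login":
            if (data.get("user"), data.get("pass")) != ("scanner", "s3cret"):
                return 401, "bad credentials", {}
            sid = f"sid{len(self.sessions) + 1}"
            self.sessions[sid] = self.ttl
            return 200, "welcome", {"sid": sid}
        if url == "/logout":
            self.logouts += 1
            self.sessions.pop(sid, None)
            return 200, "bye", {}
        if self.sessions.get(sid, 0) > 0:
            self.sessions[sid] -= 1
            return 200, f"Logged in as scanner: {url}", {}
        return 302, "redirect to /login", {}

class FormAuthScanner:
    """cfg keys mirror the form: auth_url, username_field, username, password_field, password, check_url, check_string, logout_url."""
    def __init__(self, cfg: dict, transport: Callable[..., Response]):
        self.cfg, self.transport, self.cookies, self.logins = cfg, transport, {}, 0

    def login(self) -> None:
        creds = {self.cfg["username_field"]: self.cfg["username"], self.cfg["password_field"]: self.cfg["password"]}
        status, _, set_cookies = self.transport("POST", self.cfg["auth_url"], creds, {})
        if status != 200:
            raise RuntimeError("form login failed")
        self.cookies, self.logins = dict(set_cookies), self.logins + 1

    def session_valid(self) -> bool:
        # Live session <=> the check URL answers 200 and its body contains the check string.
        status, body, _ = self.transport("GET", self.cfg["check_url"], {}, self.cookies)
        return status == 200 and self.cfg["check_string"] in body

    def fetch(self, url: str) -> Optional[Response]:
        if url == self.cfg.get("logout_url"):
            return None  # never request the logout URL: it would end the session
        if not self.session_valid():
            self.login()  # re-authenticate once the session expired or was invalidated
        return self.transport("GET", url, {}, self.cookies)
```

With the fake site's sessions expiring after three requests, a crawl of `/`, `/api/items`, `/logout`, `/admin` performs two logins, skips the logout URL, and still fetches every other page successfully.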
