HTTP authentication
Web servers may require users to authenticate themselves, presenting the user with a dialog to fill in a username and password. This information is sent to the web server in the "Authorization: Basic" header.
If your Target requires this type of authentication, specify the login URL, username, and password in the fields provided. Invicti Platform uses them when the web server requests HTTP authentication. Configure your Target as follows:
- Select Inventory > Targets from the left-side menu.
- Locate the target you would like to amend, open its three-dot menu (⋮), then select Edit target.
- Select Authentication from the menu.
- Select HTTP (Basic, Digest, NTLM, and Kerberos) as Authentication method.

- Enter URL, username, and password.

The URL field acts as a prefix filter. The scanner only attaches the credentials to requests whose URL starts with the value you enter. Set this to the site root (e.g., https://example.com/) or the deepest directory that covers all protected resources. If you enter a path to a specific file (e.g., https://example.com/app/login.html), credentials are sent only to that file. All other requests - stylesheets, scripts, images, and API calls - are sent without credentials and return 401.
- Click Save target configuration to confirm.
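
The prefix behaviour of the URL field, shown as an added example (not Invicti's code). It models the filter as a plain string-prefix test, which is an assumption based on the description above; the function names and the example.com URLs are constructed for illustration. It lists which discovered URLs a given Credential URL would leave unauthenticated and derives the deepest directory that covers them all.

```python
from urllib.parse import urlsplit


def uncovered(credential_url, request_urls):
    """Return the requests that would be sent without credentials.

    Assumption: the filter is a plain string-prefix test, as the text describes.
    """
    return [u for u in request_urls if not u.startswith(credential_url)]


def suggest_credential_url(protected_urls):
    """Return the deepest directory URL that is a prefix of every protected URL."""
    parts = [urlsplit(u) for u in protected_urls]
    origins = {(p.scheme, p.netloc) for p in parts}
    if len(origins) != 1:
        raise ValueError("protected URLs must share one scheme and host")
    # Directory segments of each path: "/app/css/site.css" -> ["", "app", "css"]
    dirs = [(p.path or "/").rsplit("/", 1)[0].split("/") for p in parts]
    common = dirs[0]
    for segments in dirs[1:]:
        n = 0
        while n < min(len(common), len(segments)) and common[n] == segments[n]:
            n += 1
        common = common[:n]
    scheme, netloc = origins.pop()
    # Trailing slash keeps the prefix on a directory boundary.
    return f"{scheme}://{netloc}{'/'.join(common)}/"


# Constructed sample: URLs a crawl of a protected application might discover.
DISCOVERED = [
    "https://example.com/app/login.html",
    "https://example.com/app/css/site.css",
    "https://example.com/app/js/main.js",
    "https://example.com/app/api/v1/users",
]

if __name__ == "__main__":
    for candidate in (DISCOVERED[0], suggest_credential_url(DISCOVERED)):
        missed = uncovered(candidate, DISCOVERED)
        print(f"{candidate}: {len(missed)} request(s) without credentials")
        for url in missed:
            print(f"  401 expected: {url}")
```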
Common scan warnings
- HTTP Authentication required on: {path}
  The scanner reached a page that requires HTTP authentication but no credentials were configured. Add HTTP authentication credentials in the scan settings and retry the scan.
- Main page loads but most discovered URLs return 401
  The Credential URL is set to a specific file rather than a directory or site root. The scanner authenticates that one URL and leaves all other requests unauthenticated. Change the Credential URL to the site root or the highest directory that covers all protected resources.