
Scan authenticated targets

This document is for Invicti Platform

Most web applications and websites require some form of authentication—either for the whole site or for a specific area. While some scanners can detect standard authentication forms, many custom web applications need a mechanism that repeats the steps a human would take to log in.

Invicti Platform provides several options for scanning authenticated targets, including an automated mechanism that detects and handles standard login forms with the login data that you supply. For more complex web applications, you can launch the Invicti Platform Login Sequence Recorder (LSR) and record a login sequence (*.lsr file) that's uploaded and saved with your target settings. If your web asset uses One-Time Passwords (OTP), these can be included in the automated login mechanism and recorded login sequence. Invicti also supports scanning web assets with OAuth 2.0 authentication flows.

This document outlines the main configuration steps required for Invicti Platform to scan an authenticated target. For full instructions, refer to the listed documents.

Steps to scan an authenticated target

  1. Create a target. For detailed instructions, refer to the Add a new target document.
  2. Open the target in edit mode, and select Authentication.
  3. Specify the Authentication method.
  4. Fill in the required fields for your chosen authentication mechanism or record a login sequence. Ensure you also set up OTP with the automated login mechanism and recorded login sequence if required. For detailed instructions, refer to the relevant documentation:

  5. Select Save target configuration to confirm. The target is updated, and the preferred authentication method is used the next time you run a scan.

  6. Select Scan and select Run scan with default or Run custom scan.

  7. Invicti queues the scan and initiates scanning according to the schedule you specify in the scan options.

Scan results

The Scan details page displays the progress and results of the scan. You can check the Site Structure tab on the Scan details page to confirm that the authenticated areas of your target were scanned.

For more information, refer to the Review scan results document.

