Configuring and Verifying Form Authentication in Invicti Enterprise
When using Invicti Enterprise to scan a web application that has a form-based login, you need to configure the credentials and verify the session. Session verification is important because it confirms that the configuration is correct and that the scanner can differentiate between a logged-in and a logged-out session.
Session verification allows the scanner to identify a terminated session, so if it happens during a web vulnerability scan, the scanner can automatically log back in again, ensuring all password-protected pages are scanned.
Form Authentication Fields
This table lists and describes the fields in the Form Authentication tab.
| Field | Description |
| --- | --- |
| Form Authentication | Select to enable Form Authentication. |
| Login Form URL | Enter the absolute URL of the login form, including the protocol (http or https). |
| Override Target URL | Select to enable the system to use the last page from the authentication process as the start URL, instead of the Target URL. |
| Detect Bearer | If there is an AJAX request after the login is performed, Bearer Authentication Tokens will be intercepted and used during the scan. |
| Active | Select to enable the system to log in using the supplied credentials. |
| Username | Enter the username for the login form. |
| Password | Enter the password for the login form. |
| OTP | Enter the One-time Password for the login form. |
| Custom Scripts | If automatic authentication does not work for your website, you can click Custom Script and enter a JavaScript script that will be used to authenticate against the web application. For further information, see Custom Scripts for Form Authentication. |
How to Verify Form Authentication
- Log in to Invicti Enterprise.
- From the main menu, select Scans > New Scan.
- From the Scan Options section, select Form Authentication.
- Select the Form Authentication checkbox.
- In the Login Form URL field, enter the URL of the login form whose credentials you want to configure.
- In the Personas section, select New Persona. Then, enter a username and password.
You can specify multiple sets of credentials, and select the Active option next to the credentials Invicti Enterprise should use during the upcoming scan.
- If required, select the ellipsis in the OTP field (see Configuring Form Authentication using an OTP).
- Select Verify Login & Logout so the scanner can test the login and determine a pattern to use to automatically detect logged-in and logged-out sessions.
You can integrate Invicti Enterprise with secret management solutions so that you do not have to enter sensitive credentials to scan the web application.
For further information, see Integrating Invicti Enterprise with HashiCorp Vault and Integrating Invicti Enterprise with CyberArk Vault.
Configuring Form Authentication Using an OTP
Invicti Enterprise supports form authentication using a One-Time Password (OTP). By providing this type of 2FA via a Secret Key, Invicti Enterprise fills in the OTP automatically so that Invicti can access and scan all sections of the target website.
Two OTP Types are supported:
- Time-based (TOTP)
- HMAC-based (HOTP)
OTP Fields
This table lists and explains the fields in the OTP Settings dialog.
| Button/Section/Field | Description |
| --- | --- |
| OTP Type | This is the type of OTP. The two types are Time-based (TOTP) and HMAC-based (HOTP). |
| Secret Key | This is the key used to generate the OTP. It is provided by the target website. |
| Digit | This is the number of digits in the generated OTP. |
| Period (seconds) | This is the time (in seconds) after which a time-based OTP is regenerated. |
| Algorithm | This is the HMAC hash algorithm used to generate the OTP. |
| Generate OTP | Select to generate a token. |
How to Configure Form Authentication Using an OTP
- Log in to Invicti Enterprise.
- From the main menu, select Scans > New Scan.
- From the Scan Options section, select Form Authentication.
- Select the Form Authentication checkbox.
- In the Login Form URL field, enter the URL of the login form whose credentials you want to configure.
- In the Personas section, click New Persona. Then, enter a username and password.
- In the OTP field, select the ellipsis for the relevant persona.
In Form Authentication settings, every persona has its own OTP settings. OTP settings open with default values.
In OTP Settings, if you paste a copied otpauth:// link, the settings are populated automatically from that link.
- In the OTP Type field, select the OTP type.
- In the Secret Key field, enter the secret key.
- In the Digit field, select an option.
- In the Period field, enter an option.
- In the Algorithm field, select an option.
- Select Generate OTP. If successful, an OTP is displayed along with the message 'OTP generated successfully'.
- Select OK to save this OTP for the selected persona.
What Happens When Verifying Form Authentication Configuration and Session
During the session verification process, the Verify Form Authentication window is displayed, showing the progress of the test.
During verification, the following happens:
- On the left, the scanner logs in to the web application using the supplied credentials and displays a logged-in session.
- On the right, the scanner displays how the web application looks when not logged in. It also displays the Logout Detection pattern.
Once the test is ready, it is important that you:
- Confirm that both logged-in and logged-out sessions look as expected.
- Confirm that the logout detection pattern is correct since this will be used by the scanner to identify a terminated session and log back in to continue the scan.
For further information, see Logout Detection.