Configuring scan authentication on target Web applications
Scanning Web applications at a granular level of detail is especially important, since publicly accessible Internet hosts are attractive targets for attack. By giving the scan inside access with authentication, you can inspect Web assets for critical vulnerabilities such as SQL injection and cross-site scripting.
Two authentication methods are available for Web applications:
Web site session authentication: The Scan Engine sends the target Web server an authentication request that includes an HTTP header—usually the session cookie header—from the logon page. See Creating a logon for Web site session authentication with HTTP headers.
The authentication method you use depends on the Web server and authentication application you are using. It may involve some trial and error to determine which method works better. It is advisable to consult the developer of the Web site before using this feature.
For HTTP servers that challenge users with Basic authentication or Integrated Windows authentication (NTLM), configure a set of scan credentials using the service called Web Site HTTP Authentication. To use this service, select Add Credentials and then Account in the Authentication tab of the site configuration. See Configuring site-specific scan credentials.
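As an added illustration (not part of this documentation and not the product's own code), the Python below shows what the two methods amount to on the wire: a Cookie header replayed from the logon page's Set-Cookie lines for Web site session authentication, an Authorization header for Web Site HTTP Authentication (Basic), and a check a practitioner would run on a test response before scanning to confirm the session is still accepted. The logon response, credentials and logon path are constructed sample values.

```python
import base64
from http.cookies import SimpleCookie


def session_header_from_logon(set_cookie_headers):
    """Build the Cookie header a scanner replays from the logon response.

    Only name=value pairs are sent back; attributes such as Path, HttpOnly
    and Secure belong to the Set-Cookie response header, not to Cookie.
    """
    jar = SimpleCookie()
    for header in set_cookie_headers:
        jar.load(header)
    return "; ".join(f"{name}={jar[name].value}" for name in sorted(jar))


def basic_auth_header(username, password):
    """Authorization header for HTTP Basic (the credential the scan sends
    when the server answers with a 401 challenge)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def session_is_authenticated(status, headers, body, logon_path="/login"):
    """Classify a response to a request that carried the session header.

    A 401 challenge, a redirect back to the logon page, or a password field
    in the body all mean the session was not accepted and the scan would
    only see the unauthenticated surface.
    """
    if status == 401:
        return False
    if status in (301, 302, 303, 307, 308):
        return not headers.get("Location", "").startswith(logon_path)
    if 'name="password"' in body:
        return False
    return 200 <= status < 300


if __name__ == "__main__":
    # Constructed sample logon response headers, as a browser would receive them.
    logon_set_cookies = [
        "JSESSIONID=abc123; Path=/; HttpOnly; Secure",
        "csrftoken=xyz789; Path=/",
    ]
    print("Cookie:", session_header_from_logon(logon_set_cookies))
    print("Authorization:", basic_auth_header("scanuser", "S3cret!"))
    print(session_is_authenticated(302, {"Location": "/login?next=/admin"}, ""))
```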