
I'm trying to configure credentials to do an authenticated scan of a web application using the HTTP Login Form.

The application uses JSON parameters to send the credentials. I'm using the "HTTP login form", but the login ends up failing all the time.

The application sends the credentials via a POST request like so: {username: "user", password: "password"}

So as "Login parameters" I put: {username: "user", password: "password"}

After I run the scan I get the message "HTTP Login failed; post authentication failed". Would someone be able to point me in the right direction, please?

Thanks!

Venom2901
  • I'd suggest putting the field names in quotes and increasing log verbosity for that scan (Configure > Settings > Report > Override normal verbosity) – xikkub Nov 07 '20 at 00:03
  • Still doesn't work unfortunately. I am starting to think Nessus cannot do JSON based authentication – Venom2901 Nov 10 '20 at 14:27
  • I've noticed this as well, unfortunately. Despite having a correct request body, Nessus uses a `Content-Type` header of `application/x-www-form-urlencoded` instead of `application/json` expected by the application. – xikkub Nov 10 '20 at 20:16
  • So is there a workaround or can Nessus not do a jwt authenticated scan? Any other tools that you recommend that does jwt authentication? – Venom2901 Nov 10 '20 at 20:18
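An added example (not from the question, the commenters, or Tenable/Nessus) that reproduces the failure the comments describe: a toy JSON-only login handler with constructed credentials receives the same body under each Content-Type, plus a small check that flags the body/header mismatch so a captured scanner request can be diagnosed.

```python
"""Constructed example: why a JSON login body sent as a form fails."""
import json
from urllib.parse import parse_qs

# Constructed credentials for the toy endpoint (not real values).
VALID = {"username": "user", "password": "password"}
JSON_BODY = json.dumps(VALID).encode()  # b'{"username": "user", "password": "password"}'


def parse_login_body(content_type: str, body: bytes) -> dict:
    """Parse the body the way a typical web framework does: honour the
    declared Content-Type instead of sniffing the bytes."""
    mime = content_type.split(";")[0].strip().lower()
    if mime == "application/json":
        try:
            data = json.loads(body)
        except (json.JSONDecodeError, UnicodeDecodeError):
            return {}
        return data if isinstance(data, dict) else {}
    if mime == "application/x-www-form-urlencoded":
        # A JSON document has no '=' so the whole text becomes one key
        # with an empty value; no "username"/"password" keys appear.
        pairs = parse_qs(body.decode(errors="replace"), keep_blank_values=True)
        return {k: v[0] for k, v in pairs.items()}
    return {}


def login(content_type: str, body: bytes) -> tuple:
    """Return (status, message) as the toy endpoint would."""
    creds = parse_login_body(content_type, body)
    if creds.get("username") == VALID["username"] and creds.get("password") == VALID["password"]:
        return 200, "ok"
    return 401, "unauthorized"


def body_content_mismatch(content_type: str, body: bytes) -> bool:
    """Diagnostic for a captured request: the body is a JSON object but
    the declared Content-Type is not application/json."""
    mime = content_type.split(";")[0].strip().lower()
    if mime == "application/json":
        return False
    try:
        return isinstance(json.loads(body), dict)
    except (json.JSONDecodeError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    print(login("application/json", JSON_BODY))                   # (200, 'ok')
    print(login("application/x-www-form-urlencoded", JSON_BODY))  # (401, 'unauthorized')
    print(body_content_mismatch("application/x-www-form-urlencoded", JSON_BODY))  # True
```

Pointing the scanner at a local request-logging endpoint (or reading the verbose scan log mentioned in the comments) and feeding the captured Content-Type and body to `body_content_mismatch` confirms whether this is the cause.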

0 Answers