How to fix Scan Behind Login errors?
If you have configured the Scan Behind Login feature but the login recording is giving errors, it is usually because of one of the reasons listed below:
Website is not reachable
Solution 1: The website is behind a firewall
If you are hosting the web asset behind a firewall for security reasons, you can allow-list the scanner IPs so that scans can run inside the restricted environment. This lets our services reach your website without relaxing the firewall for anyone else. Please follow this article for more details. All requests from our automated scanner originate exclusively from the following set of static IPs:
You can add these IPs to the allow-list in your application firewall, login system, CAPTCHA, MFA, etc.
Invalid Credentials
Solution 1: Correct Username/Password with proper permissions
Make sure the username and password provided on our portal while recording the login are correct and have the required permissions to access the asset.
Login page is protected by a Captcha
CAPTCHA solutions are designed to stop automated systems and only allow human beings through. As a result, they frequently block automated vulnerability scanners as well.
Solution 1: Disable the captcha verification
If you are scanning a non-production site, you can disable the server-side CAPTCHA verification. This requires code-level changes in your application.
You can either disable the verification entirely or disable it only for the Astra Vulnerability Scanner. To identify the scanner, add a unique HTTP header in the Scanner Setup.
Solution 2: Use the HTTP Header method
You can log in to the application in your browser to capture an authenticated cookie, then add it in the Extra Headers step of the Scanner Setup.
If you need assistance with recording a login sequence, create a support ticket or reach out to your account manager.
Login page is protected by a 2FA mechanism
Two-factor authentication is essential to web security because it immediately neutralizes the risks associated with compromised passwords. If a password is hacked, guessed, or even phished, that is no longer enough to give an intruder access: without approval at the second factor, a password alone is useless.
Solution 1: Static 2FA Code
If you are scanning a non-production site, you can make the 2FA code static so that it is the same every time. This requires code-level changes in your application.
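As an added example (not code from Astra or from this article), here is one way a Python back end could implement the scanner-only exceptions described in the CAPTCHA section and the static 2FA section above. The header name, the secret, the 203.0.113.0/24 network and the static code are constructed placeholders; the example also goes slightly beyond the text by requiring the request to come from an allow-listed scanner IP before the unique header is honoured.

```python
import hmac
import ipaddress
import os

# Assumed header name: use whatever you configured as the "unique HTTP header"
# in the Scanner Setup. The secret is read from the environment so it does
# not end up in source control; the fallback is a constructed example value.
SCANNER_HEADER = "X-Astra-Scanner"
SCANNER_SECRET = os.environ.get("SCANNER_HEADER_SECRET", "constructed-example-secret")
# Constructed placeholder (RFC 5737 documentation range): replace with the
# scanner's published static IPs so that a leaked header value alone is useless.
SCANNER_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# Constructed fixed code for the "static 2FA" option; non-production only.
STATIC_2FA_CODE = "000000"


def _header(headers, name):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return ""


def is_scanner_request(headers, remote_ip, environment):
    """True only when every gate passes: non-production, allow-listed source IP,
    and the unique header carrying the expected secret."""
    if environment == "production":
        return False
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False
    if not any(addr in net for net in SCANNER_NETWORKS):
        return False
    presented = _header(headers, SCANNER_HEADER)
    # Constant-time comparison so the secret cannot be guessed byte by byte.
    return hmac.compare_digest(presented.encode(), SCANNER_SECRET.encode())


def captcha_passed(headers, remote_ip, environment, provider_verified):
    """Skip the server-side CAPTCHA result only for an authenticated scanner request."""
    return provider_verified or is_scanner_request(headers, remote_ip, environment)


def second_factor_passed(submitted, expected, headers, remote_ip, environment):
    """Accept the static code for the scanner; everyone else needs the real code."""
    if is_scanner_request(headers, remote_ip, environment):
        return hmac.compare_digest(submitted.encode(), STATIC_2FA_CODE.encode())
    return hmac.compare_digest(submitted.encode(), expected.encode())
```

Because every exception is keyed on the environment name, deploying the same code to production with `environment="production"` restores normal CAPTCHA and 2FA behaviour automatically.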
Updated on: 01/10/2024