How to fix Scan Behind Login errors?

If you have configured the Scan Behind Login feature but the login recording is giving errors, one of the following reasons may be the cause:

Website is not reachable

Solution 1: The website is behind a firewall

If you host the web asset behind a firewall for security reasons, you can whitelist the scanner IPs so that scans can run inside the restricted environment. That lets our services reach your website without relaxing the firewall for anyone else. Please follow this article for more details. All requests originating from our automated scanner will exclusively use the following set of static IPs:

Invalid Credentials

Solution 1: Correct Username/Password with proper permissions

Make sure the username and password provided on our portal while recording the login are correct and have the required permissions to access the asset.

Login page is protected by a Captcha

CAPTCHA solutions are designed to stop automated systems and allow only human beings through, so they frequently block automated vulnerability scanners as well.

Solution 1: Disable the captcha verification

If you are scanning a non-production site, you can choose to disable the server-side captcha verification. This will require some code-level changes in your application.

You can either disable the verification entirely or disable it only for the Astra Vulnerability Scanner. To identify the scanner, add a unique HTTP header in the Scanner Setup.
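As an added example (not Astra's code or documentation), this shows how an application could skip server-side CAPTCHA verification only for requests that carry the scanner header, and only outside production. The header name, the "staging"/"production" environment labels and the bypass token are assumptions chosen for illustration.

```python
import hmac
from typing import Callable, Mapping, Optional

# Added example, not Astra's code. The header name, environment label and
# token handling are assumptions chosen for illustration.
SCANNER_HEADER = "X-Scanner-Token"   # the unique header configured in Scanner Setup


def _header(headers: Mapping[str, str], name: str) -> str:
    """HTTP header names are case-insensitive, so match them case-insensitively."""
    want = name.lower()
    for key, value in headers.items():
        if key.lower() == want:
            return value
    return ""


def captcha_required(headers: Mapping[str, str], environment: str,
                     bypass_token: Optional[str]) -> bool:
    """Decide whether server-side CAPTCHA verification must run for this request.

    The bypass applies only when the deployment is explicitly non-production,
    a bypass token is configured there, and the request carries the scanner
    header with a value equal to that token.
    """
    if environment == "production":
        return True          # never bypass in production
    if not bypass_token:
        return True          # no token configured: nothing to compare against
    presented = _header(headers, SCANNER_HEADER)
    # compare_digest keeps the comparison constant-time so the token value
    # cannot be recovered byte by byte from response timing.
    return not hmac.compare_digest(presented.encode(), bypass_token.encode())


def login_step(form: Mapping[str, str], headers: Mapping[str, str], environment: str,
               bypass_token: Optional[str],
               verify_captcha: Callable[[str], bool]) -> str:
    """CAPTCHA gate in front of the credential check: 'captcha_failed' or 'captcha_ok'."""
    if captcha_required(headers, environment, bypass_token):
        if not verify_captcha(form.get("captcha_response", "")):
            return "captcha_failed"
    return "captcha_ok"   # the normal username/password check would follow here


if __name__ == "__main__":
    # Constructed requests: the scanner header on staging, and the same header
    # replayed against production, which must still be challenged.
    token = "constructed-long-random-token"
    scanner = {"x-scanner-token": token}
    never_solves = lambda _response: False
    print(login_step({}, scanner, "staging", token, never_solves))      # captcha_ok
    print(login_step({}, scanner, "production", token, never_solves))   # captcha_failed
```

Keep the token long and random, set it only on the non-production host, and remove it when the scan is finished.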

Solution 2: Use the HTTP Header method

You can log in to the application in your browser to capture an authenticated cookie, then add it in the Extra Headers step in the Scanner Setup.

If you need assistance with recording a login sequence, create a support ticket or reach out to your account manager.

Login page is protected by a 2FA mechanism

Two-factor authentication is essential to web security because it immediately neutralizes the risks associated with compromised passwords. If a password is hacked, guessed, or even phished, that is no longer enough to give an intruder access: without approval at the second factor, a password alone is useless.

Solution 1: Static 2FA Code

If you are scanning a non-production site, you can make the 2FA code static so that it is the same every time. This will require some code-level changes in your application.

Updated on: 28/11/2023