
How to fix Scan Behind Login errors?

If you have configured the Scan Behind Login feature but the login recording is giving errors, one of the following causes is usually responsible:

Website is not reachable

Solution 1: The website is behind a firewall

If you host the web asset behind a firewall for security reasons, you can whitelist the scanner IPs so that scans can run inside the restricted environment; this lets our services reach your website while the rest of the firewall stays as it is. Please follow this article for more details. All requests originating from our automated scanner will exclusively use the following set of static IPs:

34.69.226.239
35.193.102.27
34.136.217.65
35.222.104.14
104.154.201.208
34.27.197.32
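A quick way to confirm that the whitelist is actually in effect is to check the web server's access log for requests from the IPs above: if the firewall still drops them, no scanner request ever reaches the application and none appear in the log. The following Python is an added example written for this article, not Astra's own code or tooling; it assumes Common Log Format lines and that the logged client IP is the real source address (if a reverse proxy or load balancer sits in front, you would need the forwarded-for address instead). The log lines in it are constructed samples.

```python
import ipaddress
import re
from collections import Counter

# The six static source IPs the article lists for the automated scanner.
SCANNER_IPS = frozenset(
    ipaddress.ip_address(ip)
    for ip in (
        "34.69.226.239", "35.193.102.27", "34.136.217.65",
        "35.222.104.14", "104.154.201.208", "34.27.197.32",
    )
)

# Common Log Format: client IP, identity, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def is_scanner_ip(ip_text: str) -> bool:
    """True when ip_text is exactly one of the published scanner IPs."""
    try:
        return ipaddress.ip_address(ip_text.strip()) in SCANNER_IPS
    except ValueError:  # hostname, empty field or garbage: never treat as scanner
        return False


def summarize_access_log(lines):
    """Count HTTP status codes separately for scanner and non-scanner requests."""
    summary = {"scanner": Counter(), "other": Counter()}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of guessing at them
        bucket = "scanner" if is_scanner_ip(m["ip"]) else "other"
        summary[bucket][m["status"]] += 1
    return summary


def scanner_requests_seen(lines) -> bool:
    """True if at least one request from a scanner IP reached the web server at all.
    False means the firewall (or something in front of the server) is still blocking them."""
    return sum(summarize_access_log(lines)["scanner"].values()) > 0


# Constructed sample log lines (not real traffic) used to exercise the functions.
SAMPLE_LOG = [
    '34.69.226.239 - - [28/Nov/2023:10:00:01 +0000] "GET /login HTTP/1.1" 200 512',
    '34.69.226.239 - - [28/Nov/2023:10:00:02 +0000] "POST /login HTTP/1.1" 302 0',
    '203.0.113.7 - - [28/Nov/2023:10:00:03 +0000] "GET / HTTP/1.1" 200 1024',
    '35.222.104.14 - - [28/Nov/2023:10:00:04 +0000] "GET /admin HTTP/1.1" 403 128',
    'not a log line at all',
]

if __name__ == "__main__":
    print(summarize_access_log(SAMPLE_LOG))
    print("scanner reached server:", scanner_requests_seen(SAMPLE_LOG))
```

A 403 from the application (as in the fourth sample line) is a different problem from the firewall: the request arrived, so the whitelist works, and the error is down to permissions or the login recording.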

Invalid Credentials

Solution 1: Correct Username/Password with proper permissions

Make sure the username and password you provided on our portal while recording the login are correct and that the account has the permissions required to access the asset.

Login page is protected by a Captcha

CAPTCHA solutions are designed to stop automated systems and let only human beings through, so they frequently block automated vulnerability scanners as well.

Solution 1: Disable the captcha verification

If you are scanning a non-production site, you can choose to disable the server-side captcha verification. This will require some code-level changes in your application.

You can either disable the verification entirely or choose to only disable it for the Astra Vulnerability Scanner. To identify the scanner, you can add a unique HTTP header from the Scanner Setup.
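What the code-level change should look like matters, because a bypass that merely checks for the presence of a header becomes a CAPTCHA bypass for anyone who learns the header name. The following Python is an added example for this article, not Astra's code or a prescribed implementation; the header name X-Astra-Scanner, the environment string and the token value are assumptions, to be replaced with whatever you configure in the Scanner Setup. It shows the weak check beside a hardened one that only skips verification outside production, only when a token is configured, and only when the exact token is presented.

```python
import hmac

# Hypothetical header name; use the unique header you configured in Scanner Setup.
SCANNER_HEADER = "x-astra-scanner"


def _lower_headers(headers):
    """HTTP header names are case-insensitive, so normalise them once."""
    return {k.lower(): v for k, v in headers.items()}


def captcha_required_weak(headers) -> bool:
    """Weak form: any request carrying the header skips the CAPTCHA, in every
    environment. Whoever learns the header name gets the same bypass on the live site."""
    return SCANNER_HEADER not in _lower_headers(headers)


def captcha_required(headers, environment: str, scanner_token: str) -> bool:
    """Hardened form: skip server-side CAPTCHA verification only when
    - the application is not running in production,
    - a non-empty token has been configured for the scanner, and
    - the request presents exactly that token (constant-time comparison)."""
    if environment == "production" or not scanner_token:
        return True
    presented = _lower_headers(headers).get(SCANNER_HEADER, "")
    if hmac.compare_digest(presented.encode("utf-8"), scanner_token.encode("utf-8")):
        return False
    return True


def login_captcha_step(form, headers, environment, scanner_token, verify_captcha):
    """The CAPTCHA step of a login handler (illustrative). verify_captcha is the
    application's existing server-side check, e.g. a call to the CAPTCHA provider."""
    if captcha_required(headers, environment, scanner_token):
        if not verify_captcha(form.get("captcha_response", "")):
            return 400, "captcha failed"
    return 200, "captcha ok or skipped"


if __name__ == "__main__":
    token = "constructed-test-token-not-a-real-secret"
    print(captcha_required({"X-Astra-Scanner": token}, "staging", token))     # False
    print(captcha_required({"X-Astra-Scanner": token}, "production", token))  # True
```

Keep the token out of source control (read it from the environment or a secrets store) and treat it like any other credential; the comparison is constant-time so that a wrong token cannot be distinguished from a right one by response timing.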

Solution 2: Use the HTTP Header method

You can log in to the application in your browser to capture an authenticated cookie. You can then add this in the Extra Headers step in the Scanner Setup.

If you need assistance with recording a login sequence, create a support ticket or reach out to your account manager.

Login page is protected by a 2FA mechanism

Two-factor authentication is essential to web security because it immediately neutralizes the risks associated with compromised passwords. If a password is hacked, guessed, or even phished, that is no longer enough to give an intruder access: without approval at the second factor, a password alone is useless.

Solution 1: Static 2FA Code

If you are scanning a non-production site, you can choose to make the 2FA code a static one that is the same every time. This will require some code-level changes in your application.

Updated on: 28/11/2023
