Is it possible to run a web app scan with credentials on Nessus (free version) on a website that sends requests to other sites during the authentication phase? Or, if not, would using the PRO version make it possible?

Hi all,

I have an issue on Nessus. I'm performing a Web App Scan with Credentials for a client. The method I used is a HTTP login form.

The pattern is as follows:

I have a first website called, for example, "". I've entered its IP address for the audit. When I go to this website, it automatically redirects me to a second website, let's say "", that has another IP address. I enter my credentials on this second website and, when I submit them, after analyzing the traffic I can see the POST request is sent to a third website that I'll call "". This third website has the same IP address as the first one.

Configuration of the HTTP login form:

  1. I've entered my Username and Password.
  2. The page where I enter my credentials is the second one, "". So I've put its URL into "Login Page".
  3. Then, the login submission page is the page where the POST request is sent, so "".
  4. Login parameters: I've entered the parameters that I can see in the POST request (loginID, password, sessionExpiration, etc.).
  5. Check authentication on page: "", so I've entered "/dashboard".
  6. Regex to verify successful authentication: I've entered a word from the "/dashboard" page that I can read in my browser's console.

With that configuration, I got an error in the Vulnerabilities menu: "HTTP login page", whose output is "HTTP login failed : post-authentication test failed".

I should point out that when I log in successfully, I get a GET response: a JWT authorisation from the IP address of "".

In fact there are two authentication methods : one with the cookie (login + password) and another one with the JWT authorisation.

Thank you very much for your help,

Touch here for the full post on Network Security Noblemen tumblr
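One way to find out which of the six form steps is actually failing is to replay them by hand, outside the scanner: GET the login page through a cookie jar, POST the same parameters to the submission page, GET the check page and apply the regex. The script below is an added example, not Nessus code and not the original poster's; the hostnames, paths, parameter values and the JWT are placeholders standing in for the ones blanked out in the post, and the three hosts are collapsed onto one constructed local listener so it runs offline. The stand-in application sets a session cookie and returns a token on login, and a switch decides whether "/dashboard" honours the cookie or only an Authorization header, so both of the post's "two authentication methods" can be tried. A cookie-jar-only login (which is all a form-based scanner login carries forward) passes in the first case and fails with exactly the post-authentication symptom in the second, while adding the token as a Bearer header passes in both.

```python
"""Replay the HTTP-login-form steps by hand to see which one fails.
Added example; every host, path, parameter value and token below is an
assumption standing in for the values blanked out in the post."""
import http.cookiejar
import json
import re
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# The form configuration from the post, with placeholder values (assumptions).
LOGIN_PAGE = "/login"
SUBMIT_PAGE = "/auth"
LOGIN_PARAMS = {"loginID": "alice", "password": "s3cret", "sessionExpiration": "3600"}
CHECK_PAGE = "/dashboard"
SUCCESS_REGEX = r"Welcome"

# Constructed stand-in for the application: /auth sets a session cookie AND
# returns a JWT-style token; whether /dashboard honours the cookie is switchable.
SESSION_COOKIE = "sessionid=abc123"
JWT = "eyJhbGciOiJIUzI1NiJ9.constructed.token"  # constructed, not a real signed token


class FakeApp(BaseHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging
        pass

    def do_GET(self):
        if self.path == LOGIN_PAGE:
            self._reply(200, b"<form method=post action=/auth>...</form>")
        elif self.path == CHECK_PAGE:
            by_cookie = self.server.cookie_ok and self.headers.get("Cookie") == SESSION_COOKIE
            by_jwt = self.headers.get("Authorization") == f"Bearer {JWT}"
            if by_cookie or by_jwt:
                self._reply(200, b"<h1>Welcome to the dashboard</h1>")
            else:
                self._reply(401, b"login required")
        else:
            self._reply(404, b"not found")

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        form = urllib.parse.parse_qs(body.decode())
        if (self.path == SUBMIT_PAGE and form.get("loginID") == ["alice"]
                and form.get("password") == ["s3cret"]):
            self._reply(200, json.dumps({"token": JWT}).encode(),
                        {"Set-Cookie": SESSION_COOKIE})
        else:
            self._reply(403, b"bad credentials")

    def _reply(self, code, body, headers=None):
        self.send_response(code)
        for name, value in (headers or {}).items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_server(cookie_ok):
    """Start the stand-in app on a free local port; cookie_ok decides whether
    /dashboard accepts the session cookie or only the Bearer token."""
    srv = HTTPServer(("127.0.0.1", 0), FakeApp)
    srv.cookie_ok = cookie_ok
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"


def login_form_check(base, use_jwt=False):
    """Steps 2-6 of the form config: GET login page, POST the parameters through a
    cookie jar, GET the check page, apply the regex.  use_jwt=False is what a
    cookie-jar based login carries forward; use_jwt=True also sends the token
    from the login response as an Authorization header.
    Returns (regex_matched, http_status_of_check_page)."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    opener.open(base + LOGIN_PAGE).read()
    try:
        resp = opener.open(base + SUBMIT_PAGE,
                           data=urllib.parse.urlencode(LOGIN_PARAMS).encode())
    except urllib.error.HTTPError as err:
        return False, err.code  # credentials or parameter names are wrong
    token = json.loads(resp.read()).get("token")
    headers = {"Authorization": f"Bearer {token}"} if use_jwt else {}
    try:
        page = opener.open(urllib.request.Request(base + CHECK_PAGE, headers=headers))
        body, status = page.read().decode(), page.status
    except urllib.error.HTTPError as err:
        body, status = err.read().decode(), err.code
    return bool(re.search(SUCCESS_REGEX, body)), status


def run_checks(cookie_ok):
    """Run both variants against a fresh stand-in app and report the results."""
    base = start_server(cookie_ok)
    return {"cookie_only": login_form_check(base),
            "with_jwt": login_form_check(base, use_jwt=True)}


if __name__ == "__main__":
    for honours_cookie in (True, False):
        print("dashboard honours cookie:", honours_cookie, run_checks(honours_cookie))
```

Against the real target, replace the stand-in server with the actual URLs (keeping the cookie jar so the cookie set by the third host is carried to the check page) and compare: if the cookie-only variant already fails while the Bearer variant succeeds, the post-authentication test is failing because the check page needs the JWT rather than the cookie, which is a different problem from wrong form parameters or a wrong regex.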
