Troubleshooting Authentication Issues

Surface Discovery

Indicators of this issue
  • Response statuses include:
    • NexPloit::Session::AuthFlow::Error
    • 401
    • 405
  • More than 10% of all responses return one of these problematic statuses.
Configuration problems
  • The authentication object is configured incorrectly.
  • The wrong authentication object is selected for the scan.
  • The scan requires more than one type of authentication object.
  • Some specific entry points may need different authentication parameters (for example, HMAC headers).
Remediation suggestions
  • Create an authentication object that follows the design and flow of authorization within your web application. Bright has different types of authentication objects that can be used in scans. For details, see our documentation - Authentication Types.
  • If you need to get access to a scan target via the Repeater using HMAC authorization, see Using Repeater Scripts.
  • Check the configuration of the existing authentication object. For example, if you are using a Custom API Authentication object, check the validity of the regex and confirm that your authorization data is correct. You can find more about regex in our documentation - String Interpolation Syntax.
  • Check whether an HMAC script is needed for additional authorization (if more headers are required). In the Repeater script, you should specify exactly how the server calculates the HMAC code so that Bright can provide a valid HMAC token. Bright can reach targets ONLY after a successful HMAC authorization with the respective server. For more information, see our documentation - Using Repeater Scripts.

Note

If you need help with this issue, contact our support at [email protected] or via Intercom at the bottom right of the Bright app.


Did this page help you?