HTTP authentication over form authentication

About this task

In some instances an application may use both types of authentication. HTTP authentication may be used generally on all pages, while Form authentication is used to protect specific administrator areas. In such cases you will probably want to run both types of test.

HTTP Authentication: This is tested as described above (see HTTP authentication).

Form Authentication: To test this, you need to provide Authentication Tester with the actual username and password for the HTTP authentication. This enables it to "get past" the HTTP authentication and test the Form authentication on these pages.

Procedure

  1. In the Authentication Tester main window, select the Form Authentication radio button.
  2. Configure Form Authentication (see Form authentication).
  3. Click Advanced.

    The Advanced Configuration dialog box opens (with the General tab on top).

  4. In the HTTP authentication over Form authentication area, select the Enable checkbox.

    The Username, Password and Domain fields become active.

  5. Type in valid HTTP authentication credentials for Authentication Tester to use when testing Form Authentication pages.
  6. If the HTTP login window requires a domain, enter the correct domain name in the Domain field.
  7. Click OK to close the dialog box.

    You can now run brute force tests using the current configuration (see Running authentication tests).
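
The layering described under About this task, as an added example (not part of the product documentation, and not how Authentication Tester itself is implemented): a constructed local server protects a login form with HTTP Basic authentication, and a client reaches the form check only when it also sends the HTTP credentials. The Basic scheme, the /admin/login path, the form field names and all credentials are assumptions made for the demo.

```python
import base64, threading, urllib.error, urllib.parse, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
# Constructed credentials, for this demo only.
HTTP_CREDS = ("gateuser", "gate-pass")   # outer layer: HTTP authentication
FORM_CREDS = ("admin", "form-pass")      # inner layer: login form

def basic_header(user, password):
    """Authorization header value for the HTTP Basic scheme."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class LayeredLogin(BaseHTTPRequestHandler):
    """Hypothetical app: HTTP Basic on every page, plus a login form."""
    def do_POST(self):
        # Read the body first so the connection closes cleanly on every path.
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        if self.headers.get("Authorization") != basic_header(*HTTP_CREDS):
            self.send_response(401)      # stopped at the HTTP layer
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
        elif (form.get("username"), form.get("password")) == ([FORM_CREDS[0]], [FORM_CREDS[1]]):
            self.send_response(200)      # both layers passed
        else:
            self.send_response(403)      # form layer rejected the login
        self.end_headers()
    def log_message(self, *args): pass   # silence per-request logging

def form_login_status(url, form_user, form_pass, http_creds=None):
    """POST the login form and return the status code the server answers with."""
    body = urllib.parse.urlencode({"username": form_user, "password": form_pass}).encode()
    req = urllib.request.Request(url, data=body)
    if http_creds:
        req.add_header("Authorization", basic_header(*http_creds))
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def demo():
    """Statuses for: no HTTP creds, HTTP creds + bad form login, both valid."""
    server = HTTPServer(("127.0.0.1", 0), LayeredLogin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/admin/login"
    try:
        return (form_login_status(url, *FORM_CREDS),
                form_login_status(url, FORM_CREDS[0], "wrong", HTTP_CREDS),
                form_login_status(url, *FORM_CREDS, HTTP_CREDS))
    finally:
        server.shutdown()
```

demo() returns (401, 403, 200): without the HTTP credentials every request stops at the outer layer with a 401, so the form login is never evaluated and a form test would report nothing about it.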