When running a scan using HTML Form-based authentication, you may receive the following message in your scan report:
The scan was not able to complete because the login information you provided stopped working mid-scan. You may need to exclude any "change password" or similar forms to verify the scan cannot alter its own login credentials.
Why This Happens
As part of a comprehensive web application vulnerability scan, Barracuda Vulnerability Manager identifies every form in your application and submits each one with test inputs to check for vulnerabilities. Because the scan is authenticated, this includes the forms behind the login, and a common pitfall is that the scanner finds and submits the "change password" form for the very account it is logged in as. If that submission succeeds, the account's password is changed to whatever the scanner sent, the scanner's next login with the credentials you provided fails, and the scan is aborted.
How to Fix It
Find any forms in your application that may change or invalidate the credentials the scanner uses to log in. Typical examples are:
- Change Password
- Change Username (less common)
- Delete Account
To ensure the scan can complete successfully, you must exclude the URLs of these forms. If the failed scan has already changed the scanning account's password, reset that password to the value the scan is configured with before you rerun it; otherwise the copied scan will fail at its first login.
- On the Finished Scans page, find the failed scan.
- In the same row of the table, click the Copy link for that scan. This creates a copy of the failed scan's configuration.
- In the Scan Configuration window, choose whether to keep the same scan name or type a new name.
- Select the Exclusions tab.
- Under Exclude URL patterns, enter the URL of each of the forms identified above, clicking Add after each one.
- Click Start Scan to run the scan again. The exclusions you specified will appear in the completed report.
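The manual step above is finding every form that can alter the scanning account. The following script is an added example, not part of Barracuda Vulnerability Manager or of this article: it extracts the forms from a set of pages (constructed inline here; in practice you would feed it the HTML of the authenticated pages, or the form list from a crawl) and flags the ones whose action URL or field layout looks like a change-password, change-username or delete-account function, printing the absolute URLs to put on the exclusion list. The keyword lists and the field heuristics (two or more password fields, or a password field named `new_*`/`confirm_*`) are this example's own assumptions; a plain login form with one password field is deliberately left alone.

```python
"""Flag HTML forms that could change or invalidate a scanner's login credentials.

Added example (not Barracuda's own code). Parses <form> elements from a set of
pages and reports those that look like change-password, change-username or
delete-account forms, so their URLs can be excluded from an authenticated scan.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin

# Assumed substrings in a form's action URL that mark it as credential-altering.
ACTION_KEYWORDS = {
    "delete account": ("delete", "deactivate", "close_account", "close-account"),
    "change password": ("change_password", "change-password", "password/change",
                        "update_password", "update-password", "new_password"),
    "change username": ("change_username", "change-username", "username/change",
                        "update_username", "change_email", "change-email"),
}


class FormCollector(HTMLParser):
    """Collects each <form> as {'action': absolute URL, 'method': ..., 'inputs': [(name, type)]}."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                # A missing action means "submit to the current page".
                "action": urljoin(self.base_url, a.get("action") or ""),
                "method": (a.get("method") or "get").upper(),
                "inputs": [],
            }
        elif tag in ("input", "select", "textarea", "button") and self._current is not None:
            self._current["inputs"].append(
                ((a.get("name") or "").lower(), (a.get("type") or "text").lower())
            )

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def classify(form):
    """Return why a form is risky for the scan, or None if it looks safe to submit."""
    action = form["action"].lower()
    for reason, keys in ACTION_KEYWORDS.items():
        if any(k in action for k in keys):
            return reason
    names = [n for n, _ in form["inputs"]]
    pw_fields = [n for n, t in form["inputs"] if t == "password"]
    # Two password fields (new + confirm), or one named like new_/confirm_,
    # indicate a change-password form even when the action URL is bland.
    # A login form has a single password field and is not flagged.
    if len(pw_fields) >= 2 or any("new" in n or "confirm" in n for n in pw_fields):
        return "change password"
    # A new_username / new_email field without a password pair.
    if any(n.startswith("new_") and ("user" in n or "email" in n) for n in names):
        return "change username"
    return None


def find_risky_forms(pages):
    """pages: {page_url: html}. Returns a sorted list of (form action URL, reason)."""
    found = {}
    for page_url, html in pages.items():
        collector = FormCollector(page_url)
        collector.feed(html)
        for form in collector.forms:
            reason = classify(form)
            if reason:
                found.setdefault(form["action"], reason)
    return sorted(found.items())


# Constructed sample pages standing in for the authenticated part of an app.
SAMPLE_PAGES = {
    "https://app.example.com/login": """
      <form action="/login" method="post">
        <input name="username"><input name="password" type="password">
      </form>""",
    "https://app.example.com/account/settings": """
      <form action="/account/password" method="post">
        <input name="current_password" type="password">
        <input name="new_password" type="password">
        <input name="confirm_password" type="password">
      </form>
      <form action="/account/profile" method="post">
        <input name="display_name"><input name="timezone">
      </form>
      <form action="/account/delete" method="post">
        <input name="confirm" type="checkbox">
      </form>""",
    "https://app.example.com/search": """
      <form action="search" method="get"><input name="q"></form>""",
}

if __name__ == "__main__":
    for url, reason in find_risky_forms(SAMPLE_PAGES):
        print(f"exclude {url}  ({reason})")
```

On the sample pages this reports the password-change and delete-account actions under /account/ and leaves the login, profile and search forms alone. Treat the output as a starting list to review by hand: a form that changes a password via an unusual URL and a single field would be missed, and a "forgot password" flow that e-mails a reset link is not flagged by these heuristics although it can also lock the scanner out.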