When running a scan using HTML form-based authentication, you might receive the following message in your scan report and on the Vulnerabilities page:
The scan was not able to complete because the login information you provided stopped working mid-scan. You may need to exclude any "change password" or similar forms to verify the scan cannot alter its own login credentials.
Why This Happens
As part of the comprehensive web application vulnerability scan, the Barracuda Vulnerability Remediation Service identifies all of the forms in your application and submits them to test for vulnerabilities. A common pitfall is that the scanner also identifies and submits the "change password" form, which can change the password for the very account it is using to log in. When that happens, the scanner finds that it can no longer log in with the credentials you provided and therefore aborts the scan.
How to Fix It
Find any forms in your application that could change or invalidate the credentials the scanner uses to log in. Typical examples are:
- Change Password
- Change Username (less common)
- Delete Account
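One way to find candidate forms before editing the scan configuration is to crawl the authenticated pages and flag any form whose action URL or field names suggest it changes credentials. The script below is an added example, not code from Barracuda or this article; it uses only the Python standard library, the keyword heuristics and the sample HTML are constructed for illustration, and the paths it prints are starting points to review by hand rather than patterns in any syntax the Exclusions tab requires.

```python
"""Flag HTML forms that could change or invalidate the scan account's login.

Added example (not Barracuda code). The keyword patterns below are assumptions;
widen or narrow them to match how your application names its routes and fields.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Action paths that usually belong to change-password / change-username /
# delete-account flows. "delete" is deliberately broad: review the output.
RISKY_ACTION = re.compile(r"(password|passwd|username|delete|deactivate|close[-_]?account)", re.I)
# Field names that only appear on credential-changing forms (a plain login form
# with a single "password" field is not matched).
RISKY_FIELD = re.compile(r"(new[-_]?pass|confirm[-_]?pass|new[-_]?user|new[-_]?email|delete)", re.I)


class FormCollector(HTMLParser):
    """Collects every <form> on a page together with its input field names."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []          # each entry: {"action", "method", "fields"}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)          # boolean attributes arrive as value None
        if tag == "form":
            self._current = {
                "action": urljoin(self.base_url, a.get("action") or ""),
                "method": (a.get("method") or "get").upper(),
                "fields": [],
            }
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["fields"].append(
                (a.get("name") or "", (a.get("type") or "text").lower(), a.get("autocomplete") or "")
            )

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def is_credential_form(form):
    """True if submitting this form could alter the account the scanner logs in with."""
    if RISKY_ACTION.search(urlparse(form["action"]).path):
        return True
    for name, _ftype, autocomplete in form["fields"]:
        # Browsers are given autocomplete="new-password" on change-password forms.
        if autocomplete.lower() == "new-password" or RISKY_FIELD.search(name):
            return True
    return False


def exclusion_candidates(html, base_url):
    """Return the distinct URL paths of credential-changing forms, in page order."""
    parser = FormCollector(base_url)
    parser.feed(html)
    paths = []
    for form in parser.forms:
        if is_credential_form(form):
            path = urlparse(form["action"]).path
            if path not in paths:
                paths.append(path)
    return paths


# Constructed sample page: one login form, one change-password form, one
# profile form that can rename the account, one delete-account form, one search.
SAMPLE_HTML = """
<form action="/login" method="post">
  <input name="username"><input type="password" name="password">
</form>
<form action="/account/change-password" method="post">
  <input type="password" name="current_password">
  <input type="password" name="new_password" autocomplete="new-password">
</form>
<form action="/profile/edit" method="post">
  <input name="display_name"><input name="new_username">
</form>
<form action="/account/delete" method="post">
  <input type="hidden" name="confirm" value="1">
</form>
<form action="/search" method="get"><input name="q"></form>
"""

if __name__ == "__main__":
    for path in exclusion_candidates(SAMPLE_HTML, "https://app.example.com/account"):
        print(path)
```

Run it against the HTML of each authenticated page (for example, saved from a browser session logged in as the scan account), then add the confirmed paths under Exclude URL patterns. Expect false positives such as "delete item" forms; excluding those is harmless to the login but means they are not tested, so trim the list by hand.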
To ensure the scan can complete successfully, you must exclude the URLs of these forms. Before re-running, also confirm that the credentials in the scan configuration still work; if the previous scan changed the password, reset it first, or the new scan will fail at login.
- On the Scanner > Web Applications page, find the failed scan configuration.
- In the same row of the table, click the Edit link for that scan to edit the scan configuration.
- Select the Exclusions tab.
- Under Exclude URL patterns, enter the URLs of each of the above forms and click Add.
- Click OK to save the updated scan configuration.
- Click Run Now to run the scan again.
The exclusions you specified are listed in the completed report. Note that excluded forms are not submitted and therefore not tested for vulnerabilities, so keep the exclusion list limited to the forms that actually affect the scanner's login.