Web Security Scanner fails to authenticate (Non-Google account)

I have been trying to create a new Scan with "Non-Google account" authentication for a while, and it always fails with a FAILED_TO_AUTHENTICATE_TO_TARGET error code.

According to the documentation, the possible issues could be:

  • Using non-standard HTML form fields, for example, not using a password type.
  • Using a complicated login form, for example, a form that has more than a single username and password field.
  • Not saving an authentication cookie on successful login.
  • In some situations, the scanner is denied by counter-measures that are meant to protect against bots, DDOS, and other attacks.

I can confirm that a simple form is being used, it has no more than a single username and password field, a cookie is created after a successful login, and the scanner is not denied access in any form.

Moreover, checking the application logs I can confirm that the Web Security Scan is able to log in and a session cookie is created, but I'm still receiving a FAILED_TO_AUTHENTICATE_TO_TARGET error code and the Scan is not created.

Any help with the subject would be deeply appreciated.


Hi @Ricka, have you had a chance to forward your findings to GCP Support yet?

In this scenario, do the two fields in the form have names like username and password, or are they named/typed as something else entirely? If they are typed as something else, have you tried modifying them to be the above two values and trying again?

To add to Vasken, have you tried to log in using a different login?

Web Security Scanner only works for App Engine, Google Kubernetes Engine (GKE), and Compute Engine web applications that are NOT behind firewalls.

Hi, thanks for the feedback, I'm waiting on Support as well.

The application is not running behind a firewall, and is currently accessed through a load balancer.

The form has a "password" name, type and id and a "username" name and id, typed as text.


At this point the support route is possibly the best way forward. If it's possible, could you please update the post once you have some more details from support about any potential solution?

There are a few other things you can check in situations like this:

- You can try to change the 'User Agent' used by the Scanner, in case there are some issues between the User Agent used by the scanner and what the Application expects.

- If the scan does not fail with the auth issue immediately, then check for any short session timeouts.

- Use the Developer Tools in your browser and inspect the traffic between the application and your browser manually to see if there's anything unexpected (e.g. special redirects) happening; check whether the cookie delivered to your browser has all the right flags enabled.

- Check for any exclusion URLs defined for the scanner and, for testing, remove any that may relate to the traffic flow identified using the Developer Tools in the step before.

- If possible, enable some more verbose logs on the Application side and see if there's any specific error received on the App side after the initial successful authentication.
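The documented form requirements quoted in the question and the cookie, session-timeout and redirect checks suggested in the last reply can be run offline against a saved copy of the login page and the raw login response, instead of being checked by eye in the browser. The script below is an added example, not code from this thread or from Google's scanner: it parses the form the way the documented rules describe it (exactly one password field, exactly one other visible field, POST), then inspects the Set-Cookie and Location headers of the login response. The sample page, the sample headers and the 600-second "short session" threshold are constructed assumptions, as are the hostnames; replace them with the real page and response to use it.

```python
"""Offline pre-flight checks for a Web Security Scanner "Non-Google account" login.

Added example: encodes the scanner's documented "simple form" rules and the
cookie/redirect checks suggested in the thread. Sample inputs are constructed.
"""
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

NON_DATA_INPUTS = {"hidden", "submit", "button", "image", "reset"}
SHORT_SESSION_SECONDS = 600  # assumed threshold for a "short session timeout"


class FormCollector(HTMLParser):
    """Collect every <form> on the page and the <input> fields inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"method": (a.get("method") or "get").lower(), "inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append(
                {"type": (a.get("type") or "text").lower(), "name": a.get("name")}
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def check_login_form(html):
    """Return deviations from the single-username/single-password form the docs require."""
    parser = FormCollector()
    parser.feed(html)
    login_forms = []
    for form in parser.forms:
        fields = [i for i in form["inputs"] if i["type"] not in NON_DATA_INPUTS]
        if any(i["type"] == "password" for i in fields):
            login_forms.append((form, fields))
    if not login_forms:
        return ['no form with a type="password" input found']
    problems = []
    for form, fields in login_forms:
        passwords = [i for i in fields if i["type"] == "password"]
        others = [i for i in fields if i["type"] != "password"]
        if len(passwords) != 1:
            problems.append(f"form has {len(passwords)} password fields, expected 1")
        if len(others) != 1:
            names = [i["name"] for i in others]
            problems.append(f"form has {len(others)} non-password fields {names}, expected 1")
        elif others[0]["type"] not in ("text", "email"):
            problems.append(f"username field {others[0]['name']!r} is type {others[0]['type']!r}, not text")
        if form["method"] != "post":
            problems.append(f"login form uses method {form['method']!r}, expected post")
    return problems


def check_login_response(target_url, status, headers):
    """Inspect a raw login response: status plus (name, value) header pairs.

    Set-Cookie may repeat. Flags a missing or cleared session cookie, a Secure
    cookie on a plain-http target (the client will never send it back), a short
    Max-Age, and a redirect that leaves the target host.
    """
    parts = urlsplit(target_url)
    problems = []
    set_cookies = [v for k, v in headers if k.lower() == "set-cookie"]
    if not set_cookies:
        problems.append("login response sets no cookie, so no session can be kept")
    for raw in set_cookies:
        jar = SimpleCookie()
        jar.load(raw)
        for name, m in jar.items():
            if not m.value:
                problems.append(f"cookie {name!r} is set to an empty value (cleared, not created)")
            if m["secure"] and parts.scheme != "https":
                problems.append(f"cookie {name!r} is Secure but the target is {parts.scheme}://")
            if m["max-age"].isdigit() and int(m["max-age"]) < SHORT_SESSION_SECONDS:
                problems.append(f"cookie {name!r} expires after {m['max-age']}s (short session)")
    if status in (301, 302, 303, 307, 308):
        location = next((v for k, v in headers if k.lower() == "location"), "")
        dest = urlsplit(location).hostname
        if dest and dest != parts.hostname:
            problems.append(f"login redirects off-host to {location!r}")
    return problems


# Constructed sample page, shaped like the form described in the thread.
SAMPLE_LOGIN_PAGE = """
<form method="post" action="/login">
  <input type="text" name="username" id="username">
  <input type="password" name="password" id="password">
  <input type="hidden" name="csrf" value="constructed">
  <input type="submit" value="Sign in">
</form>
"""
# Same page with a second visible field, which the docs call a "complicated" form.
SAMPLE_COMPLICATED_PAGE = SAMPLE_LOGIN_PAGE.replace(
    '<input type="password"', '<input type="text" name="tenant"><input type="password"'
)
# Constructed login response headers (hostnames are placeholders).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=0123abcd; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=3600"),
    ("Location", "/dashboard"),
]

if __name__ == "__main__":
    print("form:", check_login_form(SAMPLE_LOGIN_PAGE))
    print("complicated form:", check_login_form(SAMPLE_COMPLICATED_PAGE))
    print("https target:", check_login_response("https://app.example/login", 302, SAMPLE_HEADERS))
    print("http target:", check_login_response("http://app.example/login", 302, SAMPLE_HEADERS))
```

Feed it the login page as served to the scanner (after any load balancer rewrites) and the headers of the response to the POST, captured from the Developer Tools network tab; a Secure cookie on an http:// scan target and an off-host Location are the two findings that would explain a scanner that logs in successfully on the application side but still reports FAILED_TO_AUTHENTICATE_TO_TARGET.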