Help Center> Vulnerability Scan Service> FAQs> About Operations> Why Does Domain Name Authentication Fail?
Updated on 2022-02-24 GMT+08:00

Why Does Domain Name Authentication Fail?

Why Is Domain Name Authentication Required?

Different from conventional scanning tools, VSS assessments are performed based on automatic penetration testing, that is, sending non-malicious attack packets to the target. Therefore, ensure that you own the website to be scanned.

Authentication Methods Supported by VSS

  • Document Authentication: upload the authentication document to the root directory of the website.
  • One-Click Authentication: for tenants on HUAWEI CLOUD

Reasons for Failure of Document Authentication

  • The authentication document is not saved in the root directory of the website.

    Upload the authentication document to the root directory of the website by referring to How Do I Upload an Authentication Document to the Root Directory of a Website? and perform authentication again.

  • Failed to obtain the certificate file.

    The possible causes are as follows:

    • The website is unavailable. Access http://{your website}/hwwebscan_verify.html. If the website cannot be accessed, the website is unavailable.
    • The website is using Web Application Firewall (WAF). Whitelist the VSS IP addresses. For details, see What Should I Do When a Website Scan Fails with a Message Displayed Indicating Connection Timeout?.
    • The certificate file is placed in the wrong directory or the website is mapped. In this case, error code 404 is returned when accessing the certificate file. Place hwwebscan_verify.html in the directory as the same level as index.php/index.jsp/index.html and then access the certificate file again.
  • Failed to verify the certificate.

    If the system displays a message indicating that certificate verification fails, the certificate file can be accessed.

    The possible causes are as follows:

    • The certificate content is incorrect. Check whether the content of the uploaded hwwebscan_verify.html file is consistent with that obtained from accessing http://{your website}/hwwebscan_verify.html. If not, delete the hwwebscan_verify.html file, and download and upload it again. Then check whether you are verified for the website. If the verification still fails, you are advised to view the source code of the http://{your website}/hwwebscan_verify.html page (right-click View page source). If the tag information is displayed, the uploaded certificate file has been tampered with.
      NOTE:
      • You are advised to place the hwwebscan_verify.html file in the same directory as the index file. Do not copy and paste the file content.
    • The website is using Web Application Firewall (WAF). Whitelist the VSS IP addresses. For details, see What Should I Do When a Website Scan Fails with a Message Displayed Indicating Connection Timeout?.
  • The domain name information does not comply with rules and regulations.

    This type of website cannot use VSS. For details, see Which Websites Are not Supported by VSS?.

Reasons for Failure of One-Click Authentication

One-click authentication applies only to the following two types of users:

  • Users who are using WAF
  • Users whose websites' EIPs are those of HUAWEI CLOUD North China, East China, South China, and Northeast China

The possible causes are as follows:

  • You are not one of the two types of users.
  • You are a WAF user but WAF and VSS are not subscribed using the same account, the authentication fails because only the WAF account can be used to view the back-to-source IP address of WAF.
  • The EIP to be scanned is not purchased using the VSS account.
  • The domain name information does not comply with rules and regulations.

    This type of website cannot use VSS. For details, see Which Websites Are not Supported by VSS?.

About Operations FAQs

more