Many web applications rely on some sort of login mechanism to authenticate users. A full security scan of such an application is in most cases only useful if the whole application, including all internal areas, is scanned. In the following, several authentication methods are described that enable a scan of the whole web application.
HTTP Basic authentication (also known as .htaccess protection) is an authentication method where an Authorization header containing the base64-encoded username and password is sent to the server with each request. To use this login method, configure the username and password on the project preferences page in the section System Authentication.
Login Form Authentication
When you need to enter a username and password in an HTML login form, also provide this information on the project preferences page. To do so, use the section Application Authentication and also provide the URL where the login form is located.
For the advanced authentication methods, you need to implement the login in a custom script that retrieves the authentication information, such as a session ID stored in a cookie or a JWT.
SAML (Security Assertion Markup Language) is an XML framework for exchanging authentication and authorisation information. When using a SAML workflow, you need a script (the CLIENT) that logs in via your identity provider (IDP), establishes a session with the application that shall be scanned (the service provider, SP), and hands the resulting credentials over to the Crashtest Security Suite.
When writing your login script, you need to handle the following steps:
To find out how to send the information to the Crashtest Security Suite (step 6), have a look at the Using Webhooks article. You can also set the session manually for a project:
OAuth 2 (Open Authorisation) is a protocol that offers a secure and standardised way to authenticate against APIs. In an OAuth 2.0 workflow, a client obtains an access token from an authorisation server (AS) and uses it to authenticate with the software that shall be scanned. OAuth 2 defines several different authentication flows. A simple one is the Resource Owner Password Credentials Grant flow. Create a login script (the CLIENT) that does the following:
To find out how to send the information to the Crashtest Security Suite (step 6), have a look at the Using Webhooks article. You can also set the session manually for a project.
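As an added illustration of such a login script (example code, not part of the article or the Crashtest Security Suite), the following Python sketch performs the Resource Owner Password Credentials grant against a hypothetical token endpoint, checks the reply for the OAuth error object instead of forwarding an empty token, and hands only the resulting bearer header to the scanner. The endpoint URLs and the webhook payload shape are assumptions; consult the Using Webhooks article for the real format.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Constructed values for illustration; the article names no endpoints.
TOKEN_URL = "https://authorization-server.example/oauth/token"  # hypothetical AS
SCANNER_WEBHOOK_URL = "https://<your-suite-webhook>"  # placeholder, see the Using Webhooks article

def build_password_grant(username, password, client_id, client_secret, scope=None):
    """Form body for the Resource Owner Password Credentials grant (RFC 6749, 4.3.2)."""
    fields = {"grant_type": "password", "username": username, "password": password,
              "client_id": client_id, "client_secret": client_secret}
    if scope:
        fields["scope"] = scope
    return urllib.parse.urlencode(fields).encode()

def parse_token_response(status, body, now=None):
    """Turn the AS reply into the header value plus an absolute expiry; surface RFC 6749 5.2 errors."""
    data = json.loads(body)
    if status != 200 or "access_token" not in data:
        raise RuntimeError("token request failed: %s (%s)" % (
            data.get("error", "unknown"), data.get("error_description", "")))
    if data.get("token_type", "").lower() != "bearer":
        raise RuntimeError("unsupported token_type %r" % data.get("token_type"))
    now = time.time() if now is None else now
    return {"authorization": "Bearer " + data["access_token"],
            "expires_at": now + int(data.get("expires_in", 3600)),
            "refresh_token": data.get("refresh_token")}

def http_post(url, body, headers):
    """Real transport; tests swap in a fake so the script runs offline."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def login_and_hand_over(username, password, client_id, client_secret, post=http_post):
    """Fetch the token from the AS, then hand only the resulting header to the scanner (step 6)."""
    body = build_password_grant(username, password, client_id, client_secret)
    status, reply = post(TOKEN_URL, body, {"Content-Type": "application/x-www-form-urlencoded"})
    session = parse_token_response(status, reply)
    # Webhook payload shape is assumed; only the bearer header is handed over, never the password.
    handover = json.dumps({"headers": {"Authorization": session["authorization"]}}).encode()
    post(SCANNER_WEBHOOK_URL, handover, {"Content-Type": "application/json"})
    return session
```

Schedule the script to run again before `expires_at` (or use the refresh token) so the scanner never continues with an expired session.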
If you have any questions, for example on how to handle Single-Sign-On (SSO) authentication, please don't hesitate to contact us.