How to configure advanced authentication flows such as Http Basic Authentication, Login Forms, OAuth2 or SAML for your application
What is Application Authentication?
Many web applications rely on some sort of login mechanism to authenticate users. A full security scan of the application is in most cases only useful if the whole application (including all internal areas) is scanned. The following sections describe several authentication methods that enable a scan of the whole web application.
Simple Authentication Methods
HTTP Basic Authentication
HTTP Basic authentication (also known as .htaccess protection) is an authentication method in which an authorisation header containing the base64-encoded username and password is sent to the server. To use this login method, configure the username and password on the project preferences page in the section System Authentication.
Login Form Authentication
When you need to enter a username and password in an HTML login form, provide this information on the project preferences page as well. To do so, use the section Application Authentication and also provide the URL where the login form is located.
Advanced Authentication Methods
For the advanced authentication methods, you need to implement the login in a custom script that retrieves the authentication information, such as a session ID stored in a cookie or a JWT.
SAML (Security Assertion Markup Language) is an XML framework for exchanging authentication and authorisation information. When using a SAML workflow, you need a script (CLIENT) that logs in at your identity provider (IDP), establishes a session with the application that shall be scanned, the service provider (SP), and hands the session credentials over to the Crashtest Security Suite.
When writing your login script, you need to handle the following steps:
1. CLIENT visits the IDP login page for the SP.
2. CLIENT provides credentials to the IDP.
3. IDP generates the SAML response and sends it to the CLIENT.
4. CLIENT posts the SAML response message to the SP.
5. SP authenticates the user based on the assertion and provides session information (e.g. a session cookie).
6. CLIENT sends a request to the Crashtest Security Suite to start a security scan, including the session information.
To see how to send the information to the Crashtest Security Suite (step 6), have a look at the Using Webhooks article. You can also set the session manually for a project.
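As an added example (not Crashtest Security's own code), the following Python login script implements steps 1 to 5 of the SAML flow above: it submits credentials to the IDP, extracts the auto-submitted SAMLResponse form from the IDP reply, relays it to the SP and returns the session cookie the SP sets. The IDP URL, the login form field names and the cookie name JSESSIONID are assumptions, and the sample IDP reply is constructed.

```python
import http.cookiejar
import urllib.parse
import urllib.request
from html.parser import HTMLParser


class SamlFormParser(HTMLParser):
    """Collect the action URL and every named <input> of the first <form> seen."""

    def __init__(self):
        super().__init__()
        self.action, self.fields = None, {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action")
        elif tag == "input" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""  # HTML entities are decoded

def parse_saml_form(html):
    """Step 3: return (acs_url, form_fields) from the IDP's auto-submit page. Raises if no
    SAMLResponse is present (wrong credentials, MFA prompt, error page) so nothing odd is relayed."""
    p = SamlFormParser()
    p.feed(html)
    if not p.action or not p.fields.get("SAMLResponse"):
        raise ValueError("IDP reply contains no SAMLResponse form")
    return p.action, p.fields

def saml_login(idp_login_url, username, password, session_cookie="JSESSIONID"):
    """Steps 1-5: authenticate at the IDP (assumed to accept a direct POST of username/password),
    relay the assertion to the SP and return (name, value) of the session cookie the SP sets."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    creds = urllib.parse.urlencode({"username": username, "password": password})
    idp_reply = opener.open(idp_login_url, data=creds.encode()).read().decode()  # steps 1+2
    acs_url, fields = parse_saml_form(idp_reply)                                 # step 3
    opener.open(acs_url, data=urllib.parse.urlencode(fields).encode())           # step 4
    cookies = {c.name: c.value for c in jar}                                      # step 5
    if session_cookie not in cookies:
        raise RuntimeError("SP did not set the %s cookie" % session_cookie)
    return session_cookie, cookies[session_cookie]  # hand this pair over in step 6

# Constructed IDP reply for step 3; note the HTML-encoded '+' and '=' inside the base64 value.
SAMPLE_IDP_REPLY = """<html><body onload="document.forms[0].submit()">
<form method="post" action="https://sp.example.com/saml/acs">
<input type="hidden" name="SAMLResponse" value="PHNhbWxw&#43;Pg&#x3d;&#x3d;"/>
<input type="hidden" name="RelayState" value="/dashboard"/></form></body></html>"""
```

Run `saml_login("https://idp.example.com/login", user, pw)` against your own IDP/SP; `parse_saml_form(SAMPLE_IDP_REPLY)` shows the form extraction offline.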
OAuth 2 (Open Authorisation) is a protocol that offers a secure and standardised way of API authentication. In an OAuth 2.0 workflow, a client obtains an access token from an authorisation server (AS) and uses it to authenticate with the software that shall be scanned. OAuth 2 defines several different authentication flows. A simple one is the Resource Owner Password Credentials Grant flow. Create a login script (CLIENT) that does the following:
1. CLIENT sends a request to the AS to generate an access token.
2. AS sends an access token to the CLIENT.
3. CLIENT sends a request to the Crashtest Security Suite to start a security scan, including the access token.
To see how to send the information to the Crashtest Security Suite (the last step above), have a look at the Using Webhooks article. You can also set the session manually for a project.
If you have any questions, for example on how to handle Single-Sign-On (SSO) authentication, please don't hesitate to contact us.