⚠️ If you're thinking of an admin user when adding authentications, please read this article first: Adding an admin user when adding authentications
⚠️ If you're unsure of where to find the info needed, we have just the article for you.
📹 Prefer a video walkthrough?
We also have a video tutorial on adding Header-based authentication, which you can find here:
Before you start
Header-based authentication can be used to send a specific header to the endpoint with every request.
Adding a new target with authentication
Throughout this example, we will be using vulnerablesite.intrud.es, where we are hosting our test application.
⚠️ If you're unsure where to find the parameters needed, we have just the article for you.
Targets > Add target > External web application
Type the target into the top box, add the Entrypoint URL and any tags (if applicable), and then click the 'Add target' button.
Adding the Authentication to a pre-existing target
Head back to Targets > All > ... > Add authentication
Select the 'Header Authentication' option and add the relevant parameters to the configuration, then click the 'Next ->' button.
Adding the authentication
Throughout this example, we will be using 178.79.154.6, where we are hosting our test application; you may use a fully qualified domain name (FQDN) or IP address.
Adding the credentials
Entrypoint URL
In this example, we are starting our scan from the /headers/ page of our application (http://178.79.154.6/headers/). Unlike form-based authentication, there is no login URL; instead, the headers you define are sent with every request.
Logout URL
In our example we specify a Logout URL which we want to exclude from scanning (http://178.79.154.6/headers/logout). If your application uses header authentication, it's possible that you do not have a logout URL. Currently (v1.0) this field is mandatory, so you will need to provide something here; if needed, you can set this path to something that definitely won't exist in order to progress to the next stage.
Header name
We specify a Header Name of X-Auth-Token with the Header Value set to Bearer Tm90IGEgdmFsaWQgYXV0aCB0b2tlbg==. This is the standard bearer token format used by many API endpoints. You can add multiple headers if you need to.
It's worth noting that the header token needs to remain valid long enough for a scan to run; we would recommend at least a few hours, or 24 hours if possible.
Verifying the authentication
Given how nuanced apps are, we don't presume the accuracy of authentication; instead, we show you what the scanner encountered and allow you to decide whether it has worked or not (the screenshot in particular is helpful, as you can use it to gauge whether the scanner can access pages behind the login).
You could get any combination of results; here are just a few:
β
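As an added example (not part of this article or Intruder's own code), the following pre-flight check does, against a constructed local stub of the test application, what the screenshot step above leaves to you: it requests the entrypoint once without the header and once with the article's sample X-Auth-Token value, and reports whether the header actually gates access, while never touching the excluded logout path.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError

# Sample header from the article; the token is not a real credential.
HEADER_NAME = "X-Auth-Token"
HEADER_VALUE = "Bearer Tm90IGEgdmFsaWQgYXV0aCB0b2tlbg=="

def fetch_status(url, headers):
    """GET url with the given headers and return the HTTP status code."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code

def check_header_auth(base_url, entrypoint, logout_path):
    """Compare a bare request with one carrying the configured header.
    A usable setup denies the bare request and accepts the authenticated one.
    The logout path is recorded but never fetched, mirroring the scan exclusion."""
    anonymous = fetch_status(base_url + entrypoint, {})
    with_header = fetch_status(base_url + entrypoint, {HEADER_NAME: HEADER_VALUE})
    return {
        "anonymous": anonymous,
        "with_header": with_header,
        "header_gates_access": anonymous in (401, 403) and with_header == 200,
        "excluded": base_url + logout_path,
    }

class _StubApp(BaseHTTPRequestHandler):
    """Constructed stand-in for the test application: every path needs the token."""
    def do_GET(self):
        authed = self.headers.get(HEADER_NAME) == HEADER_VALUE
        self.send_response(200 if authed else 401)
        self.end_headers()
    def log_message(self, *args):
        pass  # keep the stub quiet

def run_check():
    """Start the stub on a free local port, run the check, and shut it down."""
    server = HTTPServer(("127.0.0.1", 0), _StubApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = f"http://127.0.0.1:{server.server_port}"
        return check_header_auth(base, "/headers/", "/headers/logout")
    finally:
        server.shutdown()
```

Against a real target, call check_header_auth with the same base URL, entrypoint and logout path you enter in the scanner; a result where the bare request is also accepted means the page is not actually protected by that header, so the scan screenshot alone would not prove the authentication worked.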
Managing authentication
Once you've completed this information you will see the authentication appear under the Authentications tab.
To disable an authentication
Click ... > Disable:
And the modal will update to this:
To re-enable, just click the ellipsis again > Enable: