How to scan behind login

Most web applications have areas that are accessed by everyone and areas that are only accessible to users with an account. An example of this could be users logging in to an e-commerce site or a forum, as well as a protected development or pre-production environment.

A user often has access to more functionality when logged in, e.g. posting comments on a forum, uploading pictures to their profile, or completing a purchase. This is why a comprehensive security evaluation of any web application needs to be able to assess behavior behind a login. For that purpose, Application Scanning provides several authentication options.

You can allow Application Scanning to assess the content behind login using three methods under Application Scanning settings.

Recorded login

Using the Detectify Recorder extension for Google Chrome, you can record a login scenario as a series of actions. The recording is replayed at the beginning of the scan to reach the logged-in state, and all discovery and assessment is then performed in that state.

When uploading a recording, you can validate its behavior, which indicates how it will function during the scan. Read more about Recorded Login, and the Recorded Login plugin documentation.

Basic Auth

You can provide a username and password as basic authentication; they will be sent with all HTTP requests to your web application during the scan.

Please make sure to create separate credentials for Detectify to access your web application, and do not reuse existing credentials: reusing them makes it impossible to tell the scanner's requests apart from real user activity in your access logs.
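To show why a dedicated scanner account matters for logging, here is an added example (not part of the Detectify documentation) that parses access-log lines in the common combined format and separates requests authenticated as the scanner account from everything else. The account name detectify-scan and the log lines are constructed for illustration.

```python
import re
from collections import Counter

# Combined Log Format (Apache/nginx default): the third field is the user
# name that Basic Auth supplied, or "-" when the request was anonymous.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Hypothetical account created only for the scanner (assumption, not a
# name from the documentation).
SCANNER_USER = "detectify-scan"

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - detectify-scan [01/Jan/2024:10:00:01 +0000] "GET /account HTTP/1.1" 200 512
203.0.113.10 - detectify-scan [01/Jan/2024:10:00:02 +0000] "POST /profile/upload HTTP/1.1" 302 0
198.51.100.7 - alice [01/Jan/2024:10:00:05 +0000] "GET /account HTTP/1.1" 200 498
198.51.100.7 - alice [01/Jan/2024:10:00:09 +0000] "GET /orders/42 HTTP/1.1" 200 1024
192.0.2.44 - - [01/Jan/2024:10:00:11 +0000] "GET /login HTTP/1.1" 200 2048
203.0.113.10 - detectify-scan [01/Jan/2024:10:00:12 +0000] "GET /admin HTTP/1.1" 403 0
"""


def split_by_user(log_text, scanner_user=SCANNER_USER):
    """Return (scanner_requests, other_requests) parsed from combined-format log text.

    Requests carrying the dedicated scanner account are separated from real
    user traffic; anonymous requests keep the user "-". Had the scanner
    reused a real user's credentials, this split would be impossible.
    """
    scanner, others = [], []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than misattribute them
        entry = m.groupdict()
        entry["status"] = int(entry["status"])
        (scanner if entry["user"] == scanner_user else others).append(entry)
    return scanner, others


def summarize(entries):
    """Count requests per authenticated user and per HTTP status code."""
    return Counter(e["user"] for e in entries), Counter(e["status"] for e in entries)


if __name__ == "__main__":
    scan, real = split_by_user(SAMPLE_LOG)
    print("scanner requests:", summarize(scan))
    print("real traffic:    ", summarize(real))
```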

Session Cookie

You can provide a session cookie that will be sent with all HTTP requests to your web application during the scan. You can extract a session cookie using your browser.

The cookie must have a name, a value and a domain where it applies. Optionally, the cookie can be specified as secure or HTTP-only.

Please note that session cookies generally expire after a limited period of time. A cookie is therefore often not suitable for maintaining the session between scans, and you may have to replace it for each scan you start. Unless you have a way to keep sessions alive, we recommend using this option only if the other authentication options are unavailable to you.

FAQ

Q: My web application behaves very differently with and without login. Can I test both?

A: You can create multiple scan profiles for the same web application with one having the authentication specified, and the other not. That way you will have both behaviors tested.

Q: If Detectify is unable to break into the logged-in area without being given the authentication, doesn’t that mean the content behind it is secure?

A: Content behind login can only be as secure as the login itself. Even if there is no way to publicly register accounts for your application, attackers can find other ways to gain access by stealing login credentials, for example through phishing or social engineering. Hence, we always recommend limiting the damage an attacker can do after gaining access to that content, by ensuring they cannot reach more than the user whose credentials were stolen is able to access.