Authenticating HawkScan to applications using Basic Auth

Configuring HawkScan to authenticate to your target applications using HTTP Basic Authentication

Written by Anthony Stinn

Overview

To scan applications that use HTTP Basic Access Authentication (or Basic Auth over HTTPS), a replacer configuration must be added to stackhawk.yml.

This is because the typical Form Based and Token or Cookie Injection configurations for authenticated scanning do not result in the Basic Auth header being populated.

The replacer configuration can be used to either inject or replace headers; in the procedure below, we'll be configuring HawkScan to inject the Basic Auth header on every request.

Procedure

Assuming that the application requires only the Basic Auth header in order to access protected routes, a replacer section will need to be added to stackhawk.yml that contains:

  • header name = "Authorization"

  • auth scheme = "Basic"

  • Base64-encoded string corresponding to your <username>:<password>

  • a directive for when to send the Basic Auth header (on every request, in this case)

In stackhawk.yml, the above becomes:

hawkAddOn:
  replacer:
    rules:
      - matchString: "Authorization"
        replacement: "Basic a2Fha2F3dzprYWFrYXd3"
        replaceOnly: false

This configuration will inject the Basic Authorization header into each request made by the scanner.

Note:

The above example is for illustration purposes; a better practice is to use Environment Variable Runtime Overrides to inject the credentials into stackhawk.yml (in this case, into the replacement string) at runtime rather than storing them statically in that file.
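As an added example (not StackHawk's own tooling), the following script builds the Basic credential from environment variables, renders the replacer rule shown above, and decodes a rule's value back to user and password so it can be checked before a scan runs. The variable names HAWK_BASIC_USER and HAWK_BASIC_PASS are assumptions; the sample value in the test is the one from the article.

```python
import base64
import os
from typing import Mapping, Optional


def basic_auth_value(username: str, password: str) -> str:
    """Build the Authorization value HawkScan injects: 'Basic ' + base64(user:pass)."""
    if ":" in username:
        # RFC 7617 reserves ':' as the user-id/password separator
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header_value: str) -> tuple:
    """Reverse the encoding so a generated rule can be verified; returns (user, password)."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    if not sep:
        raise ValueError("decoded credential has no ':' separator")
    return user, password


def replacer_rule_yaml(header_value: str) -> str:
    """Render the hawkAddOn.replacer rule from the article with the given header value."""
    return "\n".join([
        "hawkAddOn:",
        "  replacer:",
        "    rules:",
        '      - matchString: "Authorization"',
        f'        replacement: "{header_value}"',
        "        replaceOnly: false",
    ]) + "\n"


def rule_from_env(env: Optional[Mapping[str, str]] = None,
                  user_var: str = "HAWK_BASIC_USER",
                  pass_var: str = "HAWK_BASIC_PASS") -> str:
    """Read credentials from the environment (variable names are assumed) and render the rule."""
    env = os.environ if env is None else env
    try:
        username, password = env[user_var], env[pass_var]
    except KeyError as missing:
        raise RuntimeError(f"missing environment variable {missing}") from None
    return replacer_rule_yaml(basic_auth_value(username, password))


if __name__ == "__main__":
    # Print the rule so a CI step can redirect it into stackhawk.yml at scan time.
    print(rule_from_env(), end="")
```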

Exception:

Not all Basic Auth implementations authenticate solely by means of the Basic Auth header; some have a separate login mechanism in addition to the Basic Auth header requirement.

  • In that case, the replacer configuration above can be combined with app.authentication configuration to provide both initial authentication and ongoing inclusion of the Basic Auth header.

Additional Information

See Inject a New Header for a more detailed example of header injection.

For a Deep Dive into authenticated scanning with HawkScan, see this recording of our Technical Workshop on Authenticated Security Testing:
