Authenticating HawkScan to applications using JSON POST

How to authenticate HawkScans to applications by sending a JSON POST containing user credentials

Written by Anthony Stinn

Overview

HawkScan's usernamePassword configuration includes a JSON type option which submits the credentials to the target application as a JSON object in the body of a POST request.

By combining this JSON variant of the usernamePassword configuration (the authentication, or AuthN, mechanism) with the appropriate authorization (AuthZ) mechanism (such as tokenExtraction and tokenAuthorization), you can authenticate HawkScan to applications -- REST APIs in particular -- that commonly use this form of login.


Examples

Basic Example (AuthN)

In this example, we use the JSON POST approach to submit credentials via a simple JSON payload:

usernamePassword:
  type: JSON
  loginPath: /login
  usernameField: email
  passwordField: password
  scanUsername: ${EMAIL}       # e.g., "test@test.com"
  scanPassword: ${PASSWORD}    # e.g., "changeme"

This configuration results in a POST to the /login path relative to your configured app.host URL (e.g., https://localhost:3000/login) with the following JSON body. The ${EMAIL} and ${PASSWORD} references are substituted from environment variables of the same name at scan time, so the credentials themselves stay out of the configuration file:

{"email": "test@test.com", "password": "changeme"}

otherParams Example (AuthN)

otherParams can also be set; each entry adds a further key/value pair to the same JSON body, alongside the username and password fields.

For example:

usernamePassword:
  type: JSON
  loginPath: /login
  usernameField: email
  passwordField: password
  scanUsername: ${EMAIL}       # e.g., "test@test.com"
  scanPassword: ${PASSWORD}    # e.g., "changeme"
  otherParams:
    - name: rememberMe
      val: 'true'

Which results in this payload:

{"rememberMe": "true", "email": "test@test.com", "password": "changeme"}

Note that the otherParams value is sent as the JSON string "true", not the JSON boolean true, because val is a quoted string in the configuration. In both examples the request carries the header:

content-type: application/json

Managing Authorization (AuthZ)

Once the scanner submits the credentials via JSON POST, an application that accepts them returns some authorization credential in its response -- for instance, a JSON Web Token (JWT) in the response body.

HawkScan's AuthZ configuration tells the scanner where to extract that credential from and how to present it to the application on every subsequent request.

For example, using token authorization:

tokenExtraction:
  type: TOKEN_PATH
  value: token
tokenAuthorization:
  tokenType: Bearer
  type: HEADER
  value: Authorization

The above tells the scanner to 1) read the value of the 'token' key from the JSON body of the login response and 2) send that value on every subsequent request in an Authorization header of the form "Bearer <tokenvalue>".

See Token authorization examples for additional token configuration guidance.
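The following script is an added example, not HawkScan's own code, that replays the exchange the two configuration fragments above describe: it builds the JSON body exactly as the usernamePassword settings (including otherParams) would, POSTs it with content-type application/json, pulls the token out of the response body and then sends it as a Bearer Authorization header. It runs against a constructed stand-in application started in a thread, so the credentials, the token value, the /me route and the HTTP status codes are all assumptions of this example; the dotted-path token lookup is also an assumption, since the page only shows the top-level key 'token'.

```python
# Added example (not HawkScan code): replay the JSON login + Bearer token exchange
# against a constructed stand-in app. Credentials, token and routes are made up.
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

VALID_EMAIL, VALID_PASSWORD = "test@test.com", "changeme"  # constructed stub credentials
STUB_TOKEN = "stub.jwt.value"  # placeholder string, not a real signed JWT


def build_login_payload(username_field, password_field, username, password, other_params=()):
    """JSON body in the order the page shows: otherParams first, then the credentials."""
    payload = {name: val for name, val in other_params}
    payload[username_field] = username
    payload[password_field] = password
    return payload


def extract_token(body, token_path):
    """TOKEN_PATH-style lookup. Assumption: a dotted key path into the JSON body
    (the page only shows the top-level key 'token')."""
    node = json.loads(body)
    for part in token_path.split("."):
        if not isinstance(node, dict) or part not in node:
            raise KeyError(f"token path {token_path!r} not found in login response")
        node = node[part]
    return node


class StubApp(BaseHTTPRequestHandler):
    """Constructed target: POST /login issues a bearer token; every GET requires it."""

    def log_message(self, *args):
        pass  # keep request logging quiet

    def _send(self, status, obj):
        body = json.dumps(obj).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        # Refuse anything that is not a JSON login, mirroring the header the page calls out.
        if self.path != "/login" or self.headers.get("Content-Type") != "application/json":
            return self._send(415, {"error": "expected a JSON POST to /login"})
        creds = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))))
        if creds.get("email") == VALID_EMAIL and creds.get("password") == VALID_PASSWORD:
            return self._send(200, {"token": STUB_TOKEN})
        return self._send(401, {"error": "bad credentials"})

    def do_GET(self):
        if self.headers.get("Authorization") == f"Bearer {STUB_TOKEN}":
            return self._send(200, {"user": VALID_EMAIL})
        return self._send(401, {"error": "missing or invalid bearer token"})


def login_like_hawkscan(host, login_path, payload, token_path):
    """POST the payload as application/json; return the extracted token, or the
    HTTP status code when the application rejects the credentials."""
    req = Request(host + login_path, data=json.dumps(payload).encode(),
                  headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urlopen(req, timeout=5) as resp:
            return extract_token(resp.read(), token_path)
    except HTTPError as err:
        return err.code


def get_with_bearer(host, path, token):
    """Send the token as tokenAuthorization (HEADER / Bearer) would; return the status."""
    req = Request(host + path, headers={"Authorization": f"Bearer {token}"})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def run_demo():
    """Happy path, a request without the token, and a wrong-password login, in one run."""
    server = HTTPServer(("127.0.0.1", 0), StubApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        payload = build_login_payload("email", "password", VALID_EMAIL, VALID_PASSWORD,
                                      other_params=[("rememberMe", "true")])
        token = login_like_hawkscan(host, "/login", payload, "token")
        wrong = build_login_payload("email", "password", VALID_EMAIL, "wrong")
        return {"payload": payload, "token": token,
                "with_token": get_with_bearer(host, "/me", token),
                "without_token": get_with_bearer(host, "/me", ""),
                "bad_login": login_like_hawkscan(host, "/login", wrong, "token")}
    finally:
        server.shutdown()
        server.server_close()
```

Calling run_demo() returns the payload dict (key order rememberMe, email, password, as on this page), the extracted token, 200 for the request that carries it, 401 for the one that does not, and 401 for the wrong-password login. Pointing login_like_hawkscan and get_with_bearer at your real app.host and loginPath instead of the stub is a quick way to confirm, before a scan, that the field names and token path in your configuration match what the application actually expects and returns.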



Additional Information

JSON POST Demo

(Video) Scanning the javaspringvulny application using JSON POST authentication and JWT token authorization.

Custom JSON Payloads

For JSON POST scenarios that require a more customized JSON payload than represented above (for instance, nested credentials), see Authenticating HawkScan to applications using custom JSON payloads.
