Authenticated Scanning: An Overview
In order to conduct an effective DAST scan of your applications, your scanning tool needs to access those paths within the applications which are protected by authentication.
Fortunately for you, HawkScan can be configured to access these routes using numerous authentication mechanisms, ranging from simple form-encoded POST authentication (as configured in stackhawk.yml) to complex and custom authentication flows (through injection mechanisms and/or HawkScan's custom authentication scripting engine).
This article provides:
an overview of the relevant concepts you'll need to consider
resources and examples to help you configure HawkScan to authenticate to your specific application(s)
Phases of Authenticated Scanning
Phases of an authenticated scan (high level):
Authenticate to the application (AuthN)
Obtain an Authorization (AuthZ) mechanism from the application
Determine whether authentication succeeded (use the AuthZ mechanism to visit a path that requires its presence; check for success or failure)
Start scanning the application
Monitor authorization state throughout the scan; re-authenticate if authorization state changes
Example: JSON POST AuthN / JWT token AuthZ
POST credentials to a login endpoint as a JSON payload
Extract the JWT token from the response to the successful login attempt
Visit a protected page; include the token in an Authorization header
Scan the application (scan the application paths identified by the spider and/or API specifications provided)
Re-authenticate if scan requests start receiving 403 Forbidden responses (e.g., because the token expired)
A bit more detail on the associated phases:
Authentication (AuthN) Phase
The first step in authenticated scanning is to identify the Authentication (AuthN) mechanism used by your application.
That is, how does a user (or machine client) prove to the application that they are who they say they are?
Mechanisms vary from form or JSON-encoded POSTS directly to the application to complex AuthN flows with 3rd party identity providers (e.g., OAuth 2.0 flows with vendors such as Auth0).
Authorization (AuthZ) Phase
Once login / identity verification has been conducted, how does the client demonstrate that authority to perform the requested action?
In many applications, the application or 3rd-party provider will supply an authorization (AuthZ) mechanism such as a token (e.g., Bearer or JWT) and/or cookie(s) to the client which can then be supplied with subsequent requests to the application.
HawkScan's authorization configuration instructs the scanner how to extract the AuthZ mechanisms from an application response and how to send them (e.g., in headers or in a message body) on subsequent requests to the application.
Determining Authenticated State Phase
Once the scanner has obtained AuthZ credentials, the scanner will perform a 'pre-flight' check of the AuthZ state by visiting a configured path (app.authentication.testPath) within the application and checking for the expected response.
For instance, this configuration could perform a GET to a protected /admin page (with accompanying AuthZ token) and check for a 200 OK response; if a 200 OK is received, the check passes and the scanner proceeds.
Staying Authenticated
Once the scan begins, the scanner compares the application's response messages to the regex values you've configured in the loggedInIndicator and loggedOutIndicator fields of the app.authentication block on an ongoing basis.
Tailoring these values to how your application responds in logged in and logged out scenarios allows the scanner to recognize when its authenticated state has lapsed, at which point it will re-authenticate and then continue the scan.
Getting Started with Configuration
Authenticated Scanning Template Builder
The Setup Authenticated Scanning function generates authentication configuration based on the combination of AuthN and AuthZ used by your application.
Simply run Setup Authenticated Scanning from the options menu for the application in question and answer the prompts -- configuration snippets will then be generated which you can then add to the original stackhawk.yml file that was generated in the Add an App workflow.
In the following example, the Template Builder generates example yaml for the external token injection mechanism:
AuthN / AuthZ Matrices
See below for common AuthN and AuthZ scenarios and their associated configurations.
AuthN
AuthN Method | Configuration -- Local login endpoint | Configuration -- Remote login endpoint |
Externally-obtained token (custom shell script, etc) | ||
Multi-Step Authentication (chain of GETs and/or POSTs) | ||
OAuth 2.0 - client credentials flow | ||
OAuth 2.0 (resource owner password) |
Notes:
to authenticate with an external endpoint (auth endpoint is not on the same host that's configured in app.host in stackhawk.yml), use either:
authentication.external (use an external script or program to log into remote endpoint; inject the resulting AuthZ mechanism as an environment variable at scanner runtime)
AuthZ
AuthZ Method | Configuration |
cookie(s) | |
token (Bearer, JWT) | |
API Key | |
tokens and cookies | |
Basic Auth Header (only) | |
Basic Auth Header + other mechanisms | hawkAddOn.replacer (for Basic Auth) + other configs (cookies, tokens, scripts) |
Notes:
Omit tokenExtraction when the token is being injected via external injection or hawkAddOn.replacer
Use app.sessionTokens for cookies that need to be tracked in addition to another mechanism (such as a token that's being acquired through AuthN login or injection)
Additional Information
Documentation:
Visit our user documentation, examples repo, and Help Center for further details around:
3rd-party OAuth 2.0 flows (Auth0, Okta, Firebase, KeyCloak)
Example scripts and their associated YAML configs
Example vulnerable applications to test against
Videos:
Template Builder Demo
Start-to-finish demo using the Template Builder to authenticate to and scan the javaspringvulny application:
Authenticated Scanning Workshop
For a Deep Dive into authenticated scanning with HawkScan, see this recording of our Technical Workshop on Authenticated Security Testing: