SOOS currently supports 5 ways to run an authenticated DAST scan. Always make sure to properly protect the credentials used to authenticate by ensuring they are stored in a secure key store.

The examples below are specific to calling the Docker script directly, review the SOOS CI/CD system documentation for specific CI/CD system parameters.

OAuth token URL

If you are performing a DAST scan against an OAuth application use the following to allow SOOS to perform a request to get the access_token before executing the analysis.

Example:

--oauthTokenUrl="https://example.com/token" 
--oauthParameters="client_id:value, client_secret:value, grant_type:value"

Use a Bearer Token

If your application uses a bearer token to authenticate you can pass a valid bearer token using the bearerToken parameter. This will pass “Authorization: Bearer <token>” on each request. Note: do not include the “Bearer” text, only the token value.

Example:

--bearerToken="<my-bearer-token>"


Pass Custom Headers

If your application uses a non-bearer token authentication value or custom authentication header/value, you can pass a custom header using the requestHeaders parameter.

Example (one header):

--requestHeaders="'authorization:<my-auth-key>'"


Example (multiple headers):

--requestHeaders="'authorization:<my-auth-key>, custom-header:<my-value>'"


Set Cookies

If your application relies on cookies for authorization, you can pass cookies using the requestCookies parameter.

Example (one cookie):

--requestCookies="'my-cookie:my-cookie-value'"


Example (multiple cookies):

--requestCookies="'my-cookie:my-cookie-value, my-second-cookie:my-second-cookie-value'"


Login using a Form

If your application does not have a long running auth token or cookie that you can rely on, then you can configure the script to fill out and submit a login form before each test is performed.

Parameters:

  • authLoginURL - the URL to the login page

  • authUsername - the username that will be used to login (it will be used to populate the form field identified by authUsernameField

  • authUsernameField - the form field that will be populated with the authUsername value

  • authPassword - the password that will be used to login (it will be used to populate the form field identified by authPasswordField

  • authPasswordField - the form field that will be populated with the authPassword value

  • authSubmitField - the form element name/id which is used to submit the form.

Example:

--authLoginURL="https://example.com/login"
--authUsername="my-user"
--authPassword="my-password"
--authUsernameField="userName"
--authPasswordField="password"
--authSubmitField="login"