DAST Scanning

Running Authenticated DAST Scans

SOOS currently supports the following options for running authenticated DAST scans. Always protect the credentials used to authenticate: keep them in a secure key store (for example, your CI/CD platform's secret store) and inject them at scan time rather than committing them to source control or pipeline definitions. The examples below are specific to calling the Docker script directly, but every option is also supported by all of the DAST CI/CD integrations.

OAuth Authentication

To perform DAST scans against OAuth applications, use the following parameters. SOOS sends a request to the token URL with the given parameters to obtain the access token before executing the analysis:

```
--oauthTokenUrl="https://example.com/token" \
--oauthParameters="client_id:value, client_secret:value, grant_type:value"
```

Bearer Token Authentication

To perform DAST scans of applications that use bearer tokens, pass a valid token with the bearerToken parameter. SOOS then sends "Authorization: Bearer <token>" on each request. Do not include the "Bearer" text, only the token value:

```
--bearerToken="<my-bearer-token>"
```

Request Header (Non-Bearer) Authentication

To perform DAST scans of applications that use non-bearer authentication, such as a custom authentication header/value pair, pass the custom header(s) with the requestHeaders parameter.

Single header:

```
--requestHeaders="'Authorization:<my-auth-key>'"
```

Multiple headers:

```
--requestHeaders="'Authorization:<my-auth-key>, custom-header:<my-value>'"
```

Form-Based Authentication

To perform DAST scans of applications that use form-based authentication, SOOS fills out and submits the login form before each test is performed. Three login form variants can be configured through the authFormType parameter. Note that forms that use a CAPTCHA, as well as 2FA/MFA-based workflows, are not supported with this approach.

Simple form-based authentication (authFormType=simple): all login-related fields are displayed at once, on one form.

Wait-for-password form-based authentication (authFormType=wait-for-password): the password field is only displayed once the username has been provided.

Multi-page form-based authentication (authFormType=multi-page): the password field is only displayed after the username has been entered and the submit/next button has been clicked to navigate to a second form.

Form-Based Authentication Parameters

| Parameter | Description |
|---|---|
| authLoginURL | URL of the login page |
| authFormType | Login form flow type: simple, wait-for-password, or multi-page |
| authUsername | The username used to log in (it populates the authUsernameField field) |
| authUsernameField | The form field that will be populated with the authUsername value |
| authPassword | The password used to log in (it populates the authPasswordField field) |
| authPasswordField | The form field that will be populated with the authPassword value |
| authSubmitField | The form element name/id used to submit the form |
| authSecondSubmitField | The second submit button element name/id; used with multi-page login flows |
| authDelayTime | The delay time (in seconds) to wait for the page to load after performing actions in the form; use with wait-for-password and multi-page login flows |

Example:

```
--authLoginURL="https://example.com/login" \
--authFormType="wait-for-password" \
--authUsername="my-user" \
--authUsernameField="username" \
--authPassword="my-password" \
--authPasswordField="password" \
--authSubmitField="login" \
--authDelayTime="7"
```
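The following wrapper script is an added example, not SOOS's own code, that ties together the advice above about keeping credentials in a key store, the bearer-token caveat (pass the raw token, never the "Bearer " prefix) and the form-based login flows. It assumes, beyond what this page states, the `soosio/dast` image and its `--clientId`, `--apiKey` and `--projectName` options, a client-credentials grant for the OAuth case, and the "key:value, key:value" layout of `--oauthParameters` shown in the example above; the target URL, field names and secret variable names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not SOOS's script): assemble an authenticated SOOS DAST run
# from secrets that a key store has placed in the environment.
# Assumptions not taken from the page: the soosio/dast image and its
# --clientId/--apiKey/--projectName options, and the "key:value, key:value"
# layout of --oauthParameters.
set -eu

# Refuse to start with a missing secret: an "authenticated" scan whose token
# is empty silently degrades into an unauthenticated crawl that reports a
# much smaller attack surface than the application really has.
require_secret() {
  name="$1"
  eval "value=\${$name:-}"
  if [ -z "$value" ]; then
    echo "missing secret: $name (inject it from your key store, do not hardcode it)" >&2
    return 1
  fi
}

# --bearerToken takes the raw token; SOOS adds the "Bearer " prefix itself.
# Secret stores often hold a copied Authorization header value, so strip the
# prefix instead of letting the scanner send "Bearer Bearer <token>".
strip_bearer_prefix() {
  token="$1"
  case "$token" in
    Bearer\ *) printf '%s' "${token#Bearer }" ;;
    bearer\ *) printf '%s' "${token#bearer }" ;;
    *) printf '%s' "$token" ;;
  esac
}

# Compose the --oauthParameters value for a client-credentials token request.
# The scanner performs the token request itself; this only formats the input.
oauth_parameters() {
  printf 'client_id:%s, client_secret:%s, grant_type:%s' "$1" "$2" "${3:-client_credentials}"
}

# Check a form-based login flow before starting the scanner: only the three
# documented flow types exist, and multi-page cannot work without the second
# submit button (the scanner would never reach the password field).
validate_form_flow() {
  form_type="$1"
  second_submit="${2:-}"
  case "$form_type" in
    simple|wait-for-password) return 0 ;;
    multi-page)
      if [ -z "$second_submit" ]; then
        echo "multi-page flow requires authSecondSubmitField" >&2
        return 1
      fi
      return 0 ;;
    *) echo "unknown authFormType: $form_type (use simple, wait-for-password or multi-page)" >&2; return 1 ;;
  esac
}

# Only execute the scan when explicitly asked, so the functions above can be
# sourced and checked without Docker. The target, field names and project
# name below are constructed for illustration.
if [ "${1:-}" = "--run" ]; then
  require_secret SOOS_CLIENT_ID
  require_secret SOOS_API_KEY
  require_secret APP_PASSWORD
  validate_form_flow multi-page login
  docker run -it --rm soosio/dast \
    --clientId="$SOOS_CLIENT_ID" \
    --apiKey="$SOOS_API_KEY" \
    --projectName="Example App" \
    --authLoginURL="https://example.com/login" \
    --authFormType="multi-page" \
    --authUsername="dast-user" \
    --authUsernameField="username" \
    --authPassword="$APP_PASSWORD" \
    --authPasswordField="password" \
    --authSubmitField="next" \
    --authSecondSubmitField="login" \
    --authDelayTime="7" \
    "https://example.com"
fi
```

Run it as `SOOS_CLIENT_ID=... SOOS_API_KEY=... APP_PASSWORD=... ./scan.sh --run` with the three variables populated by the CI job's secret store. Note that the script still hands the password to the container on its command line, because that is how the Docker script accepts it; restrict who can read the job's process list and logs accordingly, and use a dedicated low-privilege test account whose credentials can be rotated after each scan.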