DAST Scanning

Running Authenticated DAST Scans


SOOS currently supports five options for running authenticated DAST scans. Always protect the credentials used to authenticate by storing them in a secure key store and injecting them into the scan at run time rather than committing them to the pipeline definition.

The examples below are specific to calling the Docker script directly, but are supported for all DAST CI/CD integrations.

OAuth Authentication

To perform DAST scans against OAuth-protected applications, use the following parameters so that SOOS can request the access_token from the token endpoint before executing the analysis.

--oauthTokenUrl="https://example.com/token" --oauthParameters="client_id:value, client_secret:value, grant_type:value"

Bearer Token Authentication

To perform DAST scans for applications using bearer tokens, pass a valid bearer token using the --bearerToken parameter. This will pass “Authorization: Bearer <token>” on each request.

Do not include the “Bearer” text, only the token value.

--bearerToken="<my-bearer-token>"

Request Header (Non-Bearer) Authentication

To perform DAST scans for applications using non-bearer token authentication, such as a custom authentication header and value, pass the custom header using the --requestHeaders parameter.

Single Header:

--requestHeaders="'authorization:<my-auth-key>'"

Multiple Headers:

--requestHeaders="'authorization:<my-auth-key>, custom-header:<my-value>'"

Cookie Based Authentication

To perform DAST scans for applications using cookie based authentication, use the --requestCookies parameter.

Single Cookie:

--requestCookies="'my-cookie:my-cookie-value'"

Multiple Cookies:

--requestCookies="'my-cookie:my-cookie-value, my-second-cookie:my-second-cookie-value'"
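The four parameter-based options above (OAuth, bearer token, request header, cookie) all take their secret from wherever the pipeline keeps it, and the multi-value parameters share one "name:value, name:value" list format. The script below is an added example and not SOOS's own code: it reads credentials from environment variables (SOOS_BEARER_TOKEN, SOOS_API_KEY, SOOS_EXTRA_HEADER, SOOS_SESSION_COOKIE and SOOS_OAUTH_* are names chosen for this example, populated by a CI secret store) and prints the matching options one per line, rejecting a bearer token that still carries the "Bearer " prefix as the note above requires. The DAST Docker script itself is not invoked here.

```shell
#!/bin/sh
# Added example, not part of the SOOS documentation or tooling.
# Environment variable names used here are this example's convention.

# Join name=value arguments into the "name:value, name:value" list format that
# --requestHeaders, --requestCookies and --oauthParameters expect.
join_pairs() {
  out=""
  for pair in "$@"; do
    case "$pair" in
      *=*) ;;
      *) printf 'error: expected name=value, got "%s"\n' "$pair" >&2; return 1 ;;
    esac
    name=${pair%%=*}
    value=${pair#*=}
    if [ -n "$out" ]; then
      out="$out, "
    fi
    out="$out$name:$value"
  done
  printf '%s' "$out"
}

# --bearerToken takes the raw token value: the scanner adds the "Bearer " scheme
# itself, so a value that already carries it would produce a malformed header.
check_bearer_token() {
  case "$1" in
    "") printf 'error: bearer token is empty\n' >&2; return 1 ;;
    "Bearer "*|"bearer "*)
      printf 'error: pass only the token value, without the Bearer prefix\n' >&2
      return 1 ;;
    *[[:space:]]*) printf 'error: token contains whitespace\n' >&2; return 1 ;;
  esac
  return 0
}

# Print the options for one authentication mode, one option per line. Each line
# is exactly one argument for the DAST script; the single quotes inside the
# header and cookie values are the literal quotes shown in the documentation.
auth_options() {
  mode=$1
  case "$mode" in
    bearer)
      check_bearer_token "${SOOS_BEARER_TOKEN:-}" || return 1
      printf '%s\n' "--bearerToken=$SOOS_BEARER_TOKEN"
      ;;
    header)
      # SOOS_EXTRA_HEADER, when set, holds a second name=value pair.
      list=$(join_pairs "authorization=${SOOS_API_KEY:-}" \
                        ${SOOS_EXTRA_HEADER:+"$SOOS_EXTRA_HEADER"}) || return 1
      printf '%s\n' "--requestHeaders='$list'"
      ;;
    cookie)
      list=$(join_pairs "session=${SOOS_SESSION_COOKIE:-}") || return 1
      printf '%s\n' "--requestCookies='$list'"
      ;;
    oauth)
      list=$(join_pairs "client_id=${SOOS_OAUTH_CLIENT_ID:-}" \
                        "client_secret=${SOOS_OAUTH_CLIENT_SECRET:-}" \
                        "grant_type=client_credentials") || return 1
      printf '%s\n' "--oauthTokenUrl=${SOOS_OAUTH_TOKEN_URL:-}" \
                    "--oauthParameters=$list"
      ;;
    *) printf 'error: unknown auth mode "%s"\n' "$mode" >&2; return 1 ;;
  esac
}
```

Usage: export the secrets from the CI secret store, then `auth_options bearer` (or `header`, `cookie`, `oauth`) prints the options to append to the scan command. Because every option is emitted on its own line, a caller can collect them with a `while IFS= read -r` loop into the positional parameters and pass them unsplit, which keeps the comma-separated multi-value lists intact.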

Form Based Authentication

To perform DAST scans for applications that use form based authentication, use the following approach to fill out and submit a login form before each test is performed.

For this type of authentication there are 3 login form variants that can be configured through the --authFormType parameter.

Please note that forms that use a captcha as well as 2FA/MFA based workflows are not supported with this approach.

Simple Form Based Authentication

--authFormType=simple - all login related fields are displayed at once, on one form.

Wait for Password Form Based Authentication

--authFormType=wait_for_password - the password field is only displayed once the username is provided.

Multi Page Form Based Authentication

--authFormType=multi_page - the password field is only displayed after the username has been entered and the submit/next button has been clicked to navigate to a second form.

Form Based Authentication Parameters

Parameter                Description
--authLoginURL           URL to the login page.
--authFormType           Login form flow type: simple, wait_for_password, or multi_page.
--authUsername           The username that will be used to log in (it will be used to populate the authUsernameField).
--authUsernameField      The form field that will be populated with the authUsername value.
--authPassword           The password that will be used to log in (it will be used to populate the authPasswordField).
--authPasswordField      The form field that will be populated with the authPassword value.
--authSubmitField        The form element name/ID which is used to submit the form.
--authSecondSubmitField  The second submit button element name/ID to use with multi_page login flows.
--authDelayTime          The delay time (in seconds) to wait for the page to load after performing actions in the form. Use with wait_for_password and multi_page login flows.

Example:

--authLoginURL="https://example.com/login" --authFormType="wait_for_password" --authUsername="my-user" --authUsernameField="userName" --authPassword="my-password" --authPasswordField="password" --authSubmitField="login" --authDelayTime="7"