Running Authenticated DAST Scans
SOOS currently supports five options for running authenticated DAST scans. Always protect the credentials used to authenticate: store them in a secure key store (for example your CI/CD system's secret store) and inject them at run time rather than hard-coding them in the pipeline definition or committing them to source control. The examples below are specific to calling the Docker script directly, but the same parameters are supported for all DAST CI/CD integrations.

Because the scanner exercises the application with the supplied credentials on every request, use a dedicated test account with the least privilege the scan needs, and run against a non-production environment.

OAuth Authentication

To perform DAST scans against OAuth applications, use the following parameters. SOOS performs a request to the token URL to obtain the access token before executing the analysis:

    --oauthTokenUrl="https://example.com/token" \
    --oauthParameters="client_id:value, client_secret:value, grant_type:value"

Bearer Token Authentication

To perform DAST scans for applications using bearer tokens, pass a valid bearer token using the bearerToken parameter. This sends "Authorization: Bearer <token>" on each request. Do not include the "Bearer" text, only the token value:

    --bearerToken="<my bearer token>"

The token must remain valid for the duration of the scan; a token that expires part-way through causes the remaining requests to run unauthenticated, so check the token lifetime against the expected scan duration.

Request Header (Non-Bearer) Authentication

To perform DAST scans for applications using non-bearer token authentication, such as a custom authentication header/value, pass the custom header using the requestHeaders parameter.

Single header:

    --requestHeaders="'Authorization: <my auth key>'"

Multiple headers:

    --requestHeaders="'Authorization: <my auth key>, Custom-Header: <my value>'"

Form Based Authentication

To perform DAST scans for applications that use form based authentication, use the following approaches to fill out and submit a login form before each test is performed. For this type of authentication there are three login form variants that can be configured through the authFormType parameter. Please note that forms that use a CAPTCHA, as well as 2FA/MFA based workflows, are not supported with this approach.

Simple form based authentication (all login related fields are displayed at once, on one form):

    --authFormType="simple"

Wait-for-password form based authentication (the password field is only displayed once the username is provided):

    --authFormType="wait-for-password"

Multi-page form based authentication (the password field is only displayed after the username has been entered and the submit/next button has been clicked to navigate to a second form):

    --authFormType="multi-page"

Form based authentication parameters

The parameters used for form based authentication are shown in the example below.

Example:

    --authLoginURL="https://example.com/login" \
    --authFormType="wait-for-password" \
    --authUsername="my user" \
    --authUsernameField="username" \
    --authPassword="my password" \
    --authPasswordField="password" \
    --authSubmitField="login" \
    --authDelayTime="7"
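A scan that starts with bad credentials runs to completion unauthenticated and reports almost nothing, so it is worth checking the settings before launching it. The following pre-flight script is an added example and is not SOOS code: it reproduces the request shapes the page describes for the header-based options (an OAuth token request before the scan, "Authorization: Bearer <token>" on every request, or the custom headers from requestHeaders) and probes one authenticated page with them. The "key:value, key:value" and "'Header: value, Header: value'" string formats are taken from the page's parameter examples, but how they are split here is this script's own parsing, not SOOS's implementation; the environment variable names and the check URL are this example's assumptions.

```python
"""Pre-flight check for authenticated DAST scan settings (added example, not SOOS code)."""
import json
import os
import urllib.error
import urllib.parse
import urllib.request


def parse_oauth_parameters(text: str) -> dict:
    """Split a value in the page's oauthParameters format, e.g.
    "client_id:value, client_secret:value, grant_type:value", into a dict.
    The comma/colon splitting is this example's assumption about the format."""
    params = {}
    for pair in text.split(","):
        pair = pair.strip()
        if not pair:
            continue
        if ":" not in pair:
            raise ValueError(f"oauthParameters entry {pair!r} has no ':' separator")
        key, value = pair.split(":", 1)
        params[key.strip()] = value.strip()
    return params


def parse_request_headers(text: str) -> dict:
    """Split a value in the page's requestHeaders format, e.g.
    "'Authorization: <my auth key>, Custom-Header: <my value>'", into a dict.
    The surrounding single quotes from the shell example are tolerated."""
    headers = {}
    for entry in text.strip().strip("'").split(","):
        entry = entry.strip()
        if not entry:
            continue
        if ":" not in entry:
            raise ValueError(f"requestHeaders entry {entry!r} has no ':' separator")
        name, value = entry.split(":", 1)
        headers[name.strip()] = value.strip()
    return headers


def bearer_header(token: str) -> dict:
    """Build the header the page says the scanner sends for bearerToken.
    Only the token value is expected; a leading "Bearer " would be doubled."""
    token = token.strip()
    if token.lower().startswith("bearer "):
        raise ValueError("bearerToken must be the token value only, without 'Bearer '")
    return {"Authorization": f"Bearer {token}"}


def fetch_oauth_token(token_url: str, params: dict, timeout: float = 10) -> str:
    """POST the OAuth parameters as a form body and return the access_token,
    mirroring the token request made before the analysis starts."""
    body = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(
        token_url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        payload = json.load(resp)
    if "access_token" not in payload:
        raise RuntimeError(f"token endpoint returned no access_token: {payload}")
    return payload["access_token"]


def preflight(url: str, headers: dict, timeout: float = 10) -> int:
    """Request an authenticated page with the headers the scan will use and
    return the HTTP status. Anything other than 200 means the scan would run
    unauthenticated (or be bounced to the login page) and should not start."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    # Credentials come from the environment (populated from your secret store),
    # never from the script. The variable names are this example's own.
    check_url = os.environ["DAST_PREFLIGHT_URL"]
    if "DAST_OAUTH_TOKEN_URL" in os.environ:
        token = fetch_oauth_token(
            os.environ["DAST_OAUTH_TOKEN_URL"],
            parse_oauth_parameters(os.environ["DAST_OAUTH_PARAMETERS"]))
        headers = bearer_header(token)
    elif "DAST_BEARER_TOKEN" in os.environ:
        headers = bearer_header(os.environ["DAST_BEARER_TOKEN"])
    else:
        headers = parse_request_headers(os.environ["DAST_REQUEST_HEADERS"])
    status = preflight(check_url, headers)
    print(f"{check_url} -> HTTP {status}")
    raise SystemExit(0 if status == 200 else 1)
```

Run it as a pipeline step immediately before the scan, with the same secret values you pass to the scan parameters; a non-zero exit stops the job before an unauthenticated scan burns the time budget. Point DAST_PREFLIGHT_URL at a page that only an authenticated user can load, since the public landing page will return 200 whether or not the credentials work.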