The challenges of authenticated scanning

Dynamic application security testing (DAST) tools such as Invicti, also called black-box vulnerability scanners, work by checking for vulnerabilities across all accessible parts of a web application. To do this, the scanner first needs to identify the attack surface of the target application by visiting every link it finds in web pages and making requests to all input points in detected web assets. This includes the URLs used to reach these assets. While crawling web pages that are accessible to all users is relatively easy, password-protected web pages have always posed a challenge for security scanners due to the variety of methods used to authorize page access. Beyond basic login forms, sites may use OAuth, set custom session cookies, require single sign-on (SSO), and so on. Even with form-based authentication, the login form may, for example, use non-standard form elements, require additional fields (maybe to select a department from a drop-down list), use Captcha verification, or span multiple pages. And if the scanner can’t log in, it can’t test the page for vulnerabilities.
Do you really need to scan websites that require authentication?

The question may arise, though, how important it really is to run authenticated web security scans. Back in the days of static web pages, anything that needed the user to log in may have been considered inherently secure simply because it wasn’t publicly accessible. Nowadays, we have complex web applications that require authentication to access most (or all) of their functionality. Authenticated scans can add important value to your overall security, revealing exploitable vulnerabilities and other issues, such as missing patches, weak sharing permissions, and general misconfigurations. In a sense, authenticated scans reveal the real security status of your web application. Even more importantly, the reason for adding authentication in the first place is to protect access to something valuable, like personal data, admin operations, or financial information. Far from being less attractive to cybercriminals, protected resources are actually prime targets for attackers, so it is critical to configure your scanner to crawl and test all web pages that malicious hackers may try to breach.
netsparker.auth namespace. The custom script editor is intuitive and interactive. The authentication page is loaded in the embedded browser and you can right-click page elements to insert their corresponding CSS code directly into the editor panel. After that, you can modify the code as necessary.
Authentication forms that span multiple pages are a common challenge when configuring scanners. For example, you might have one page to enter the user name and then another page to provide the password. The script editor handles this easily, allowing you to define separate pages to match the login sequence. On the first page, you would instruct the script editor to insert a username and then click the submit button. On the second page, you can then direct the editor to insert a password and click the button to finish the login sequence.