
Target authentication management

Authentication data types

Authentication is the procedure that validates user-provided data to confirm access.

Different authentication data types are available to users.

HTTP Basic Authentication

RFC 7617 defines the “Basic” HTTP authentication scheme. Credentials are transmitted as a “user ID” + “password” pair encoded using Base64.

Custom headers

HTTP headers allow the client and server to send additional information with a request or response. They can contain metadata and data necessary for communication between the client and server. An HTTP header consists of a case-insensitive name followed immediately by a colon and its value.

Cookies

A cookie is a small data fragment transmitted from a server to a client browser. The browser may retain the cookie and return it to the server with every subsequent request. Cookies are commonly used to maintain state information.

TLS certificates

A digital certificate verifies the authenticity of a website and allows encrypted connections to be established. By using certificates, data exchanged between users and websites, or between two systems, is protected from being intercepted and read by unauthorized parties.

Local storage

Web storage encompasses the software mechanisms and protocols employed by web applications for storing data in a web browser. It provides persistent data storage similar to cookies, but with significantly greater capacity and without storing information in HTTP request headers. A key characteristic of local storage is that data persists even after a browser session ends.

Interaction

The following operations apply to all authentication data types listed above:

  • addition;
  • update;
  • getting;
  • deletion.

These operations are available for targets via the HTTP API in the “Target” section, as well as in the dashboard.

Note

Modifying authentication data for a target does not affect existing scans.

Authentication data check

This check is performed via the authentication check mechanism. More information on its operation and configuration is available in the “Authentication in Scanned Applications” section.

Authentication data refresh

Periodic session refresh is performed via two authentication refresh mechanisms: an HTTP request whose response is parsed with regular-expression extractors (regexpAuthRefresherConfig), and a browser login script (browserAuthRefresherConfig).

Examples

  • Adding an authentication refresh mechanism configuration using an HTTP request for the http://auth-combined.stands.fuchsia target via a PATCH /api/targets/:id request.

    {
      "authCheckingConfig": {
        "config": {
          "criteria": [
            {
              "interval": "10s",
              "kind": "FAILED",
              "request": {
                "url": "http://auth-combined.stands.fuchsia/health-check"
              },
              "responseConditions": {
                "statusCode": 401
              },
              "rounds": 1
            }
          ]
        },
        "enabled": true
      },
      "regexpAuthRefresherConfig": {
        "config": {
          "request": {
            "body": "{\"username\":\"user2\",\"password\":\"password2\"}",
            "headers": {
              "Content-Type": "application/json"
            },
            "method": "POST",
            "url": "http://auth-combined.stands.fuchsia/signin"
          },
          "responseExtractors": [
            {
              "extractor": "session_token=(.*);",
              "proxyParams": {
                "cookie": {
                  "name": "session_token"
                },
                "hostname": "auth-combined.stands.fuchsia",
                "port": "",
                "scheme": "http"
              }
            }
          ]
        },
        "enabled": true
      }
    }
    
  • Adding an authentication refresh mechanism configuration using a browser script for the http://juice-shop.stands.fuchsia target via a PATCH /api/targets/:id request.

    {
      "authCheckingConfig": {
        "enabled": true,
        "config": {
          "criteria": [
            {
              "kind": "PASSED",
              "request": {
                "url": "http://juice-shop.stands.fuchsia"
              },
              "responseConditions": {
                "statusCode": 200
              }
            }
          ]
        }
      },
      "browserAuthRefresherConfig": {
        "enabled": true,
        "config": {
          "outputExtractors": [
            {
              "type": "TYPE_COOKIE",
              "selectors": ["token"]
            }
          ],
          "loginScript": {
            "inline": "base64_file"
          }
        }
      }
    }
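The following added example (not the product's own code) replays the auth-check criteria from the two configurations above against a sequence of health-check status codes, then applies the first example's regexp extractor to a constructed sign-in response. It assumes that a criterion with kind FAILED declares the session dead after `rounds` consecutive matching responses (and kind PASSED after `rounds` consecutive non-matching ones, with `rounds` defaulting to 1), and that the extractor is a plain regular-expression search over the raw response text.

```python
import re

# Criteria copied from the page's two examples (rounds defaults to 1 where absent: assumption).
FAILED_CRITERION = {"kind": "FAILED", "responseConditions": {"statusCode": 401}, "rounds": 1}
PASSED_CRITERION = {"kind": "PASSED", "responseConditions": {"statusCode": 200}}

# Constructed sign-in response (not from the page) with a multi-attribute Set-Cookie header.
SIGNIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: session_token=abc123; Path=/; HttpOnly\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"ok":true}'
)


def conditions_match(criterion, status_code):
    """True when a check response satisfies the criterion's responseConditions."""
    return status_code == criterion["responseConditions"]["statusCode"]


def session_expired(criterion, status_codes):
    """Replay a sequence of health-check status codes against one criterion.

    Assumed semantics: kind=FAILED declares the session dead after `rounds`
    consecutive responses that match the conditions (here: 401); kind=PASSED
    declares it dead after `rounds` consecutive responses that do NOT match.
    """
    rounds = criterion.get("rounds", 1)
    consecutive = 0
    for code in status_codes:
        matched = conditions_match(criterion, code)
        hit = matched if criterion["kind"] == "FAILED" else not matched
        consecutive = consecutive + 1 if hit else 0
        if consecutive >= rounds:
            return True
    return False


def extract_token(raw_response, extractor):
    """Apply a responseExtractors pattern to the raw sign-in response; group 1 is the value.

    Assumption: the extractor is evaluated with plain re.search over the whole response text.
    """
    match = re.search(extractor, raw_response)
    return match.group(1) if match else None
```

On this header the page's greedy pattern `session_token=(.*);` captures `abc123; Path=/`, because `.*` runs to the last semicolon on the line; the narrower `session_token=([^;]+);` stops at the first semicolon and yields just `abc123`, which is the value the cookie in proxyParams needs.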