Authentication

Before following the instructions below, ensure that your application and authenticated resources are accessible to the Bright engine, either directly from the Internet or via a Repeater.

Introduction

The Bright authentication capabilities allow you to scan all the login-protected resources within your target application or API. If you need to scan an application or API that has authenticated pages, you first need to configure Bright with the correct authentication method(s) and valid credentials so that it can reach each of those pages during a scan.

Creating an authentication object enables Bright to achieve complete scan coverage of the target application or API during security testing. The authentication setup also lets you test access to the authenticated resources covered by the created object before using it in a scan, so that configuration failures can be identified and fixed up front.

You can enable Bright to get access to an authenticated resource by using any of the following authentication options:

  • Recorded browser-based form authentication is a quick and visual way of creating authentication flows. It lets you record an authentication session using the built-in Authentication Recorder. You can also use the Chrome recorder.
  • Manual browser-based form authentication is a simplified variant of the form authentication method. Specify the relevant fields on the login page and the valid credentials to be entered into them. Using this data, Bright completes the form automatically, as you would, to gain access to the protected pages. You can also configure a browser-based authentication object for multi-step login forms.
  • Header authentication is the most straightforward authentication method. It is used for static header authentication tokens that are generated outside of Bright and will not expire during a scan.
  • OpenID Connect (OAuth) is the authentication method used to configure the standard OAuth 2.0 flow, which requires the use of client or user secrets. This method relies on the authentication performed by an OpenID Connect Provider to verify a user's identity.
  • Custom API authentication call is the authentication method used to configure a custom authentication object. You can create a single-stage or multi-stage authentication flow that enables the Bright engine to access the authenticated resources. While configuring the authentication object, you can also create templates that extract dynamic values from the previous steps using the String Interpolation Syntax.
  • NTLM authentication is the authentication method used to establish a connection between a user’s workstation and a corresponding network that uses the NTLM protocol.
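To make the header and custom API options above concrete, here is an added example that is not part of the Bright documentation or product: a small checker that runs a multi-step authentication flow (login request, token extracted from the response by a template, token sent in a header to a protected resource) and reports whether the protected resource was actually reachable, which is the pre-scan access test the introduction describes. The `{{ step.body.field }}` template syntax, the `Step` and `Response` types, the URLs and the credentials are all assumptions constructed for the example; the "server" is an in-memory stand-in so the code runs offline.

```python
"""Added example (not Bright's code or configuration): a minimal multi-step
authentication checker with template-based extraction of values from earlier
steps. The {{ step.body.field }} syntax is an assumed stand-in, not Bright's
String Interpolation Syntax; the target server is a constructed fake."""
import json
import re
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Tuple


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


@dataclass
class Step:
    name: str
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


PLACEHOLDER = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")


def interpolate(template: str, context: Dict[str, Any]) -> str:
    """Replace each {{ a.b.c }} with context['a']['b']['c'] (an earlier step's result)."""
    def resolve(match: "re.Match[str]") -> str:
        value: Any = context
        for key in match.group(1).split("."):
            if not isinstance(value, dict) or key not in value:
                raise KeyError(f"unresolved placeholder: {match.group(0)}")
            value = value[key]
        return str(value)
    return PLACEHOLDER.sub(resolve, template)


Sender = Callable[[str, str, Dict[str, str], str], Response]


def run_flow(steps: List[Step], send: Sender) -> Tuple[bool, str]:
    """Execute the steps in order; the last step must request the protected resource.
    Each step's status, headers and parsed JSON body are stored under the step's
    name so later steps can reference them in templates. Returns (reachable, why)."""
    context: Dict[str, Any] = {}
    for step in steps:
        try:
            url = interpolate(step.url, context)
            headers = {k: interpolate(v, context) for k, v in step.headers.items()}
            body = interpolate(step.body, context)
        except KeyError as exc:
            return False, f"step '{step.name}': {exc}"
        resp = send(step.method, url, headers, body)
        if resp.status in (401, 403) or resp.status >= 500:
            return False, f"step '{step.name}' returned HTTP {resp.status}"
        if 300 <= resp.status < 400:
            # A redirect from a protected resource usually means "bounced to login".
            return False, f"step '{step.name}' redirected to {resp.headers.get('Location', '?')}"
        try:
            parsed = json.loads(resp.body) if resp.body else {}
        except json.JSONDecodeError:
            parsed = {}
        context[step.name] = {"status": resp.status, "headers": resp.headers, "body": parsed}
    return True, "protected resource reachable with the obtained credentials"


# --- constructed stand-in for the target application (not a real server) ---
VALID_USER = {"username": "scanner", "password": "correct horse"}  # constructed
ISSUED_TOKEN = "tok-example-123"                                     # constructed


def fake_send(method: str, url: str, headers: Dict[str, str], body: str) -> Response:
    if method == "POST" and url == "https://app.example/api/login":
        if json.loads(body) == VALID_USER:
            return Response(200, {}, json.dumps({"token": ISSUED_TOKEN}))
        return Response(401, {}, "")
    if method == "GET" and url == "https://app.example/api/me":
        if headers.get("Authorization") == f"Bearer {ISSUED_TOKEN}":
            return Response(200, {}, json.dumps({"user": "scanner"}))
        return Response(401, {}, "")
    return Response(404, {}, "")


def build_steps(password: str) -> List[Step]:
    """Two-stage flow: log in, then fetch a protected resource with the issued token."""
    return [
        Step("login", "POST", "https://app.example/api/login",
             {"Content-Type": "application/json"},
             json.dumps({"username": "scanner", "password": password})),
        # The token is referenced by template from step 'login', never hard-coded.
        Step("me", "GET", "https://app.example/api/me",
             {"Authorization": "Bearer {{ login.body.token }}"}),
    ]


if __name__ == "__main__":
    print(run_flow(build_steps("correct horse"), fake_send))
    print(run_flow(build_steps("wrong"), fake_send))
```

A single-step flow whose only step carries a fixed `Authorization` header is the header-authentication case: the token comes from outside and the checker simply confirms the protected resource answers with it. The final step must be a resource that returns 401 or 403 without credentials; if it is publicly readable, the check passes regardless of whether authentication worked and tells you nothing.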

Note:

If you need to get access to a scan target via a Repeater using the HMAC authorization, see Using Repeater Scripts.