Authenticated Scanning
Test your application as a logged-in user to find authorization flaws.
Why Authenticated Scanning?
Many vulnerabilities are only exploitable by authenticated users:
- IDOR (Insecure Direct Object References)
- Privilege escalation
- Business logic flaws
- Authorization bypass
- Session management issues
Authentication Methods
Bearer Token
For JWT or API token authentication:
{
  "auth": {
    "type": "bearer",
    "token": "${HACKERBOT_PUBLIC_TOKEN}"
  }
}
Cookie-Based
For session cookie authentication:
{
  "auth": {
    "type": "cookie",
    "cookies": {
      "session": "${SESSION_COOKIE}",
      "csrf_token": "${CSRF_TOKEN}"
    }
  }
}
Login Form
Automatic login via form submission:
{
  "auth": {
    "type": "form",
    "login_url": "https://example.com/login",
    "username_field": "email",
    "password_field": "password",
    "username": "${TEST_USER}",
    "password": "${TEST_PASSWORD}"
  }
}
Custom Headers
For API key or custom authentication:
{
  "auth": {
    "type": "headers",
    "headers": {
      "X-API-Key": "${API_KEY}",
      "X-User-ID": "test-user-123"
    }
  }
}
Credential Vault
Store credentials securely in our encrypted vault:
- Go to Settings → Credentials
- Click Add Credential
- Name it (e.g., "Staging Test User")
- Enter credential values
- Reference it in scans using ${CREDENTIAL_NAME}
🔒 Credentials are encrypted at rest and never logged or exposed in reports.
Session Validation
Configure how to detect session expiration:
{
  "auth": {
    "type": "bearer",
    "token": "${TOKEN}",
    "validation": {
      "url": "/api/me",
      "expect_status": 200,
      "re_auth_on_failure": true
    }
  }
}
Best Practices
- ⚠️ Use dedicated test accounts, not production users
- ⚠️ Limit test account permissions to reduce blast radius
- ⚠️ Rotate credentials regularly
- ⚠️ Don't use admin accounts for automated scanning
- ⚠️ Monitor test account activity for anomalies
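As an added example (not the scanner's own code), the following Python shows how the bearer, cookie and header auth blocks above can be resolved into per-request headers and cookies, and how the session validation block's re_auth_on_failure behaves. The credential vault is a plain dict here, and fetch/reauth are hypothetical callbacks injected so the code runs offline; the form type is left out because it needs a real login round-trip.

```python
import re

# Matches the ${NAME} credential references used in the auth blocks above.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_]+)\}")


def resolve(value, vault):
    """Expand ${NAME} references from a credential store (a plain dict here)."""
    def sub(match):
        name = match.group(1)
        if name not in vault:
            raise KeyError(f"unresolved credential reference: {name}")
        return vault[name]
    return PLACEHOLDER.sub(sub, value)


def request_auth(auth, vault):
    """Return (headers, cookies) to attach to every scan request for one auth block."""
    kind = auth["type"]
    if kind == "bearer":
        return {"Authorization": "Bearer " + resolve(auth["token"], vault)}, {}
    if kind == "cookie":
        return {}, {k: resolve(v, vault) for k, v in auth["cookies"].items()}
    if kind == "headers":
        return {k: resolve(v, vault) for k, v in auth["headers"].items()}, {}
    raise ValueError(f"unsupported auth type: {kind}")  # "form" needs a login round-trip


def check_session(auth, vault, fetch, reauth):
    """Apply the 'validation' block: probe the URL, re-authenticate once on failure.

    fetch(url, headers, cookies) -> HTTP status code (hypothetical callback, injected
    so this runs offline); reauth() -> a vault holding fresh credentials.
    Returns (ok, vault_in_use)."""
    rule = auth.get("validation")
    if rule is None:
        return True, vault
    expected = rule.get("expect_status", 200)
    headers, cookies = request_auth(auth, vault)
    if fetch(rule["url"], headers, cookies) == expected:
        return True, vault
    if not rule.get("re_auth_on_failure", False):
        return False, vault
    vault = reauth()  # e.g. log in again and store the new token in the vault
    headers, cookies = request_auth(auth, vault)
    return fetch(rule["url"], headers, cookies) == expected, vault
```

Because only the ${NAME} references live in the scan config and the resolved values exist solely inside request_auth, the config itself can be logged without exposing the credential.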