Implementing real-world authentication scenarios in your scans is now made easy
We are excited to announce our new dynamic authentication token generation feature, which helps you implement real-world authentication scenarios in your scans with just a few easy steps.
This feature is available for REST and GraphQL APIs.
Supported Authentication Methods:
- AWS Cognito
- Basic
- cURL & cURL Sequence
- Digest
- GraphQL
- Headers
- HTTP
- OAuth (Client Credentials, User Password)
- Webdriver
- Custom workflows involving multiple HTTP requests and Webdriver actions
Why?
Static credentials could lead to incomplete and unrealistic scans, overlooking potential vulnerabilities. By automatically generating fresh credentials at the start of every DAST scan, we ensure a more dynamic and thorough assessment of your API security. This feature allows your security team to simulate different user profiles, offering a comprehensive evaluation from various security perspectives, be it administrators or standard users.
With this feature, we aim to provide you with the following benefits:
- Generate authentication credentials automatically: Start every DAST scan with fresh, automatically generated credentials. Whether it's tokens or other forms of authentication, we've got you covered.
- Run scans with multiple user profiles: Simulate different user levels in your scans – from admins to standard users.
We take it a step further by seamlessly integrating token generation and application into your overall security workflow. Additionally, you can
- Track every step of the authentication process with our comprehensive logs.
- Manage and automatically refresh tokens based on their TTL, or configure manually if needed.
Getting started
Here's how you can quickly set it up:
- In the left-hand sidebar, click Security Scans.
- Select your scan.
- In the scan view, click on the Settings tab.
- Go to Authentification under Scan configuration:
And that's it! Set up the authentication method that corresponds to your organization.
With this new feature, we hope you find it simpler than ever to implement real-world authentication scenarios in your scans. Try it out for yourself, and let us know what you think in our Discord community!
💡 Check out more product updates below:
- Support for Insomnia collections, WP-JSON schema, Escape's public API, and additional business logic security tests
- What’s new for enterprise
- Compliance matrix product announcement
*** This is a Security Bloggers Network syndicated blog from Escape - The API Security Blog authored by Alexandra Charikova. Read the original post at: https://escape.tech/blog/dynamic-authentication-token-generation-feature/