Authenticated Scanning for Front-End Apps

This guide will walk you through the steps to set up authenticated domain scanning in Aikido, ensuring thorough and secure assessments.

This feature is not available on Free Plans.

Use Cases

  • Ensure comprehensive security assessments for protected areas of your website.

  • Identify vulnerabilities in authenticated sections of your domain.

Setting up authentication on a domain

Step 1: Go to the Domains Overview and open the action menu for a domain of your choice by clicking the triple dots. Select Authenticate Domain.

[Screenshot: domain action menu with options to scan, configure, authenticate, or delete a domain.]

Step 2: Fill in the URL and email/password for the domain authentication. Click Test to let Aikido check whether it can access the domain with those credentials.

[Screenshot: form-based authentication setup for a domain, with login credentials and confirmation options.]

Step 3: Once the test has succeeded, click Confirm Authentication. Aikido will run a full authenticated scan of the domain and the results will appear in Aikido.

Scan credentials are stored encrypted using PKCS #1 (RSA) encryption.

Authentication Options

Login via Form

Fill in the URL and email/password for the domain authentication. Click Test to let Aikido check whether it can access the domain with those credentials.

[Screenshot: domain authentication setup screen for configuring form-based login credentials.]

Aikido will attempt to submit the form using the following rules, in order:

  1. Find a visible button or input field with type=submit, ignoring popular OAuth options such as Google and Facebook.

  2. Find a button based on its label or text. Aikido looks for text equal or similar to: login, log in, submit, sign in, .. It does so in multiple languages.

  3. Find a button based on a set of known HTML IDs, for example id=form-submit.

  4. Fall back to the first visible button on the page.

Custom Headers

If your endpoint accepts a fixed key, cookie or token which does not change after creation, you can add it as a custom header via this option. The value must remain valid for the duration of the scan, since the scanner does not log in again to obtain a new one.

Use-cases:

  • Cookies: Set the Cookie header.

    Cookie: sessionId=38afes7a8

  • JWT Bearer token: Set the Authorization header

    Authorization: Bearer <token>
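A custom header is only useful if the value stays valid for the whole scan. The following added example (not Aikido's own code) reads the exp and nbf claims of a JWT supplied as an Authorization: Bearer value and reports whether it will outlive an assumed scan window. It does not verify the signature; the purpose is a pre-flight check before handing the token to the scanner. The signing key and the tokens are constructed here so the check runs offline; opaque tokens and session cookies carry no readable expiry, so for those you must check the session timeout on the server side instead.

```python
"""Pre-flight check for a static 'Authorization: Bearer <token>' scan header.
Added example, not Aikido's code.  The key and tokens below are constructed
for demonstration; use your real header value in practice."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT.  Only used here to construct sample tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def bearer_token_ok(header_value: str, scan_seconds: int,
                    now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (ok, reason) for an Authorization header value.

    ok is True when the value is usable for a scan lasting scan_seconds.
    The JWT signature is deliberately NOT verified: we only read the
    expiry-related claims the server put in the payload.
    """
    now = time.time() if now is None else now
    scheme, _, token = header_value.partition(" ")
    if scheme != "Bearer" or not token:
        return False, "value is not of the form 'Bearer <token>'"
    parts = token.split(".")
    if len(parts) != 3:
        # API keys and opaque session tokens carry no readable expiry.
        return True, "opaque token (not a JWT): cannot read expiry, check it manually"
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:
        return False, "JWT payload is not valid base64url JSON"
    nbf = claims.get("nbf")
    exp = claims.get("exp")
    if nbf is not None and nbf > now:
        return False, f"token not valid yet (nbf in {int(nbf - now)}s)"
    if exp is None:
        return True, "no exp claim: token does not expire"
    remaining = exp - now
    if remaining <= 0:
        return False, "token already expired"
    if remaining < scan_seconds:
        return False, f"token expires in {int(remaining)}s, before a {scan_seconds}s scan would finish"
    return True, f"token valid for {int(remaining)}s"


# Constructed sample data (assumed key, fixed clock) so the check is deterministic.
ASSUMED_KEY = b"example-signing-key-not-a-real-secret"
NOW = 1_700_000_000
FRESH_HEADER = "Bearer " + make_jwt({"sub": "scanner", "exp": NOW + 86400}, ASSUMED_KEY)
SHORT_HEADER = "Bearer " + make_jwt({"sub": "scanner", "exp": NOW + 600}, ASSUMED_KEY)
OPAQUE_HEADER = "Bearer 38afes7a8-opaque-api-key"

if __name__ == "__main__":
    for label, value in (("fresh", FRESH_HEADER), ("short", SHORT_HEADER), ("opaque", OPAQUE_HEADER)):
        ok, reason = bearer_token_ok(value, scan_seconds=3600, now=NOW)
        print(f"{label:7s} ok={ok} {reason}")
```

Run it with your own header value and an estimate of your scan duration; a result of False means the scanner would spend part of the scan unauthenticated, and the "protected" areas would be reported as if they were not reachable.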

Troubleshooting Authentication Issues

Login via form

The Aikido scanner uses a fixed set of identifiers to determine the username and password fields. Check that the id or name attribute of your email or username input field has one of the following values (the match is exact, so note the capitalisation):

"email", "username", "Username", "login-email", "EmailOrUsername",
"UserNameOrEmail", "username_login", "txtUsername", "user_email", "email-input"

Password fields are found by looking for input fields of type password:

input[type="password"]

Submit buttons are found by looking for buttons or input fields of type submit:

button[type="submit"]
input[type="submit"]
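To check a login page against these rules before opening a support ticket, the following added example (not Aikido's code) parses a page's HTML and reports which username field, password field and submit button the documented heuristics would pick, and by which rule. It applies the four submit-button rules listed under Login via Form in order, together with the field identifiers listed above. The username identifier list is copied from this page; the submit-button label list and known-id list are assumed abbreviations (the page says the real ones cover multiple languages and a set of IDs), and the two HTML pages are constructed samples.

```python
"""Offline check of a login page against the documented field/button rules.
Added example, not Aikido's own scanner code.  SUBMIT_LABELS, SUBMIT_IDS and
the visibility heuristic are assumptions; the sample pages are constructed."""
from html.parser import HTMLParser

# Exact id/name values listed on the page for the email/username field.
USERNAME_IDENTIFIERS = {
    "email", "username", "Username", "login-email", "EmailOrUsername",
    "UserNameOrEmail", "username_login", "txtUsername", "user_email", "email-input",
}
SUBMIT_LABELS = {"login", "log in", "submit", "sign in"}   # assumed subset of the real list
SUBMIT_IDS = {"form-submit"}                                # assumed; the page cites only this id
OAUTH_HINTS = ("google", "facebook")


class LoginFormParser(HTMLParser):
    """Collects <input> attribute dicts and (<button> attributes, inner text) pairs."""

    def __init__(self):
        super().__init__()
        self.inputs = []
        self.buttons = []
        self._open_button = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input":
            self.inputs.append(a)
        elif tag == "button":
            self._open_button = (a, [])

    def handle_data(self, data):
        if self._open_button is not None:
            self._open_button[1].append(data)

    def handle_endtag(self, tag):
        if tag == "button" and self._open_button is not None:
            a, parts = self._open_button
            self.buttons.append((a, " ".join("".join(parts).split())))
            self._open_button = None


def _is_hidden(a):
    # Crude visibility check: type=hidden or an inline display:none.
    return a.get("type", "").lower() == "hidden" or "display:none" in a.get("style", "").replace(" ", "")


def _is_oauth(a, text):
    blob = " ".join((a.get("id", ""), a.get("class", ""), a.get("name", ""), text)).lower()
    return any(h in blob for h in OAUTH_HINTS)


def detect_login_fields(html):
    """Return which username field, password field and submit control would be found."""
    p = LoginFormParser()
    p.feed(html)
    p.close()
    found = {"username": None, "password": None, "submit": None, "submit_rule": None}

    for a in p.inputs:                                   # rule: id or name in the fixed list
        if a.get("id") in USERNAME_IDENTIFIERS or a.get("name") in USERNAME_IDENTIFIERS:
            found["username"] = a.get("id") or a.get("name")
            break
    for a in p.inputs:                                   # rule: input[type="password"]
        if a.get("type", "").lower() == "password":
            found["password"] = a.get("id") or a.get("name") or "<unnamed>"
            break

    # Submit candidates: <button> elements (label = inner text) and clickable <input>s (label = value).
    candidates = list(p.buttons) + [(a, a.get("value", "")) for a in p.inputs
                                    if a.get("type", "").lower() in ("submit", "button", "image")]
    visible = [(a, t) for a, t in candidates if not _is_hidden(a)]
    rules = (
        ("type=submit (non-OAuth)", lambda a, t: a.get("type", "").lower() == "submit" and not _is_oauth(a, t)),
        ("label text", lambda a, t: t.lower() in SUBMIT_LABELS),
        ("known id", lambda a, t: a.get("id") in SUBMIT_IDS),
        ("first visible button", lambda a, t: True),
    )
    for rule_name, matches in rules:                     # first rule that matches anything wins
        for a, t in visible:
            if matches(a, t):
                found["submit"] = a.get("id") or t or a.get("name") or "<unnamed>"
                found["submit_rule"] = rule_name
                return found
    return found


# Constructed sample pages: one that the rules handle, one with a username field they miss.
SAMPLE_OK_PAGE = """
<form action="/login" method="post">
  <input type="hidden" name="csrf" value="abc">
  <input type="text" name="user_email" placeholder="Email">
  <input type="password" name="pw">
  <button type="button" class="oauth-google">Continue with Google</button>
  <button type="submit" id="form-submit">Log in</button>
</form>"""
SAMPLE_PROBLEM_PAGE = """
<form action="/login" method="post">
  <input type="text" name="e-mail">
  <input type="password" name="secret">
  <button>Sign in</button>
</form>"""

if __name__ == "__main__":
    for name, page in (("ok", SAMPLE_OK_PAGE), ("problem", SAMPLE_PROBLEM_PAGE)):
        r = detect_login_fields(page)
        print(name, r)
        if r["username"] is None:
            print("  -> rename the username input's id/name to one of", sorted(USERNAME_IDENTIFIERS))
```

On the second sample the script reports no username field, because name="e-mail" is not in the fixed list, while the button is still found through its "Sign in" label; renaming the input to name="email" is the fix the troubleshooting section asks for.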

If you still encounter problems, please don't hesitate to reach out to support.
