Authenticated API Scanning for REST/GraphQL
This guide will walk you through the steps to set up authenticated domain scanning in Aikido, ensuring thorough and secure assessments.
This feature is only available on Pro and Scale Plans
Use Cases
Ensure comprehensive security assessments for protected areas of your website.
Identify vulnerabilities in authenticated sections of your APIs.
Setting up authentication on a domain
Step 1: Go to the Domains Overview and open the action menu for a REST/ GraphQL API domain of your choice by clicking the triple dots. Select Authenticate Domain.
Step 2: Select your preferred option to authenticate.
Authentication Options
These can serve as alternatives when you want to use MFA for authentication.
Login via Form
Fill in the URL and email/password for the domain authentication. Click Test to let Aikido check whether it can access the domain with those credentials.
Aikido will attempt to submit the form using the following rules:
Find a visible button or input field with
type=submit
while ignoring popular OAuth options like Google and FacebookFind button based on the label or text. Looks for text equal or similar to: login, log in, submit, sign in, .. It does so in multiple languages.
Find button based on set of HTML ID's, for example
id=form-submit
Find first visible button on page
Custom Headers
If your API accepts a fixed API key of some sorts which should not change after creation, you can add it as a custom header via this option.
OAuth Client Credentials
This option can be used when you want to bypass MFA. Aikido makes a request to the provided login URL which follows the OAuth spec for a Client Credentials flow. This means that we'll make a POST request to the configured login url, with grant_type
set to client_credentials
and a basic authorization header containing the client_id and client_secret as the username and password respectively.