Authenticated Domain Scanning

This guide will walk you through the steps to set up authenticated domain scanning in Aikido, ensuring thorough and secure assessments.

This feature is only available on Pro and Scale Plans.
Option is only available for self-built domains (scans via ZAP)

Use Cases

Ensure comprehensive security assessments for protected areas of your website.
Identify vulnerabilities in authenticated sections of your domain.

Setting up authentication on a domain

Step 1: Go to the Domains Overview and open the action menu for a domain of your choice by clicking the triple dots. Select Authenticate Domain.

Step 2: Fill in the URL and email/password for the domain authentication. Click Test to let Aikido check whether it can access the domain with those credentials.

Step 3. Once the test has been succeeded, you can Confirm Authentication. Aikido will do a thorough scan and all results will appear in Aikido.

Supported Cases

Email or username and password login forms
Multi step login forms with email or username and password (forms where the password field is not visible until an email address is provided)
2FA is currently not supported.

Is your case not supported? Let us know via chat and we will look into it!

Identifiers

Our scanner looks for a few things on the pages to recognize the email/username input field and login buttons. You can find a list of identifiers here.

Username/Email input field:
We look for input fields with one of these ids:

"email", "username", "Username", "login-email", "EmailOrUsername", "UserNameOrEmail", "username_login", "txtUsername", "user_email", "email-input'

If no input field is found, we look for any input field with one of these names:

"email", "username", "userid", "userName", "uid", "uname"

Allowing IP addresses for DAST & Surface monitoring

Slack notifications