APIAikido login

Authenticated Scanning for Front-End Apps

This guide will walk you through the steps to set up authenticated domain scanning in Aikido, ensuring thorough and secure assessments.

This feature is not available on Free Plans.

Use Cases

  • Ensure comprehensive security assessments for protected areas of your website.

  • Identify vulnerabilities in authenticated sections of your domain.

Setting up authentication on a domain

Step 1: Go to the Domains Overview and open the action menu for a domain of your choice by clicking the triple dots. Select Authenticate Domain.

Domain action menu with options to scan, configure, authenticate, or delete a domain.

Step 2: Fill in the URL and email/password for the domain authentication. Click Test to let Aikido check whether it can access the domain with those credentials.

Form-based authentication setup for domain with login credentials and confirmation options.

Step 3. Once the test has been succeeded, you can Confirm Authentication. Aikido will do a thorough scan and all results will appear in Aikido.

Scan credentials are securely stored using PKCS1 encryption

Supported Cases

  • Email or username and password login forms

  • Multi step login forms with email or username and password (forms where the password field is not visible until an email address is provided)

  • Authentication via Custom headers

  • 2FA is currently not supported. We advice to disable 2FA for the testing accounts, or for the set of IP addresses Aikido uses to connect to your website.

  • Microsoft / Google SSO is currently not supported. As a workaround, you can manually authenticate and pass a valid session using the Cookie header via custom headers.

  • Is your case not supported? Let us know via the chat and we will look into it!

Troubleshooting Authentication Issues

Login via form

Aikido scanner will use a fixed set identifiers to determine the username and password fields. Check that your input fields id or name parameters have one of the following values for the email or username field.

"email", "username", "Username", "login-email", "EmailOrUsername", 
"UserNameOrEmail", "username_login", "txtUsername", "user_email", "email-input'

Password field are found by looking for input fields with password type.

input[type="password"]

Submit buttons are found by looking for buttons or input fields with type submit.

button[type="submit"]
input[type="submit"]

If you still encounter problems, please don't hesitate to reach out to support.

Last updated

Was this helpful?