Easy Authenticated Scanning with Netsparker’s Custom Script Editor

Authenticated scanning has always posed a challenge for automated web application security solutions. Netsparker provides an intuitive visual editor for authentication scripts to help you bring accurate and detailed vulnerability scanning to every website and application in your environment. This article shows why you should definitely know and use this feature.



The Challenges of Authenticated Scanning


Dynamic application security testing (DAST) tools such as Netsparker, also called black-box vulnerability scanners, work by checking for vulnerabilities across all accessible parts of a web application. To do this, the scanner first needs to identify the attack surface of the target application by visiting every link it finds in web pages and making requests to all input points in detected web assets. This includes the URLs used to reach these assets. 


While crawling web pages that are accessible to all users is relatively easy, password-protected web pages have always posed a challenge for security scanners due to the variety of methods used to authorize page access. Beyond basic login forms, sites may use OAuth, set custom session cookies, require single sign-on (SSO), and so on. Even with form-based authentication, the login form may, for example, use non-standard form elements, require additional fields (maybe to select a department from a drop-down list), use Captcha verification, or span multiple pages. And if the scanner can’t log in, it can’t test the page for vulnerabilities.
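As an added illustration of the form-handling point above (example code, not from Netsparker or this article), this Python routine does the work an authentication script must do before a scanner can log in: parse the login page, carry over hidden tokens and drop-down defaults the browser would submit on its own, and refuse to submit if a required field has no value. The sample HTML, its field names and the credentials are constructed.

```python
from html.parser import HTMLParser
# Constructed sample login page (not from the article): a hidden CSRF token
# and a department drop-down sit beside the usual username/password inputs.
SAMPLE_LOGIN_PAGE = """
<form action="/auth/login" method="post">
  <input type="hidden" name="csrf_token" value="tok-42">
  <input type="text" name="user">
  <input type="password" name="pass">
  <select name="department">
    <option value="eng">Engineering</option>
    <option value="ops" selected>Operations</option>
  </select>
</form>
"""

class LoginFormParser(HTMLParser):
    """Collects the action, method and every field of the page's first form."""
    def __init__(self):
        super().__init__()
        self.action, self.method = None, "get"
        self.fields = {}       # name -> value a browser would submit by default
        self.needs_input = []  # fields with no default: the script must fill them
        self._select = None    # name of the <select> currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "option" and self._select:
            # First option is the default unless another is marked selected
            if "selected" in a or self._select not in self.fields:
                self.fields[self._select] = a.get("value", "")
            return
        self._select = a.get("name") if tag == "select" else None
        if tag == "form" and self.action is None:
            self.action = a.get("action", "")
            self.method = a.get("method", "get").lower()
        elif tag == "input" and a.get("name"):
            if a.get("type", "text").lower() in ("hidden", "submit"):
                self.fields[a["name"]] = a.get("value", "")  # pre-filled, keep
            else:
                self.fields[a["name"]] = ""
                self.needs_input.append(a["name"])

def build_login_request(page_html, credentials):
    """Return (method, action, body) for the login submission, or raise if the form needs a value the script did not supply."""
    p = LoginFormParser()
    p.feed(page_html)
    missing = [n for n in p.needs_input if n not in credentials]
    if missing:
        raise ValueError(f"login form needs values for: {missing}")
    return p.method, p.action, {**p.fields, **credentials}
```

A form that adds a field the script does not know about (a new drop-down, a second-page token) surfaces as a ValueError here rather than as a silent login failure and an empty scan.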


Do You Really Need to Scan Websites That Require Authentication?


The question may arise, though, how important it really is to run authenticated web security scans. Back in the days of static web pages, anything that needed the user to log in may have been considered inhere ..
