Authorization Options

Before starting dynamic scanning, it is important to understand the application's front-end architecture and the authorization technologies it uses.

Below are the stages of dynamic testing using DerScanner, along with tips for resolving issues at each stage:

  1. Ensure network access: Before beginning the analysis, DerScanner's dynamic analyzer must have network access to the target application. If a network access error appears in the interface during the scan, check the connectivity between the DerScanner container and the target application on the port specified at the start of the scan (80 for HTTP and 443 for HTTPS by default).

  2. Check for interference from security systems: Once network access is configured, ensure that all security systems (WAFs) between the DerScanner server and the target application do not interfere with the scanning process. This may involve whitelisting all request types, or temporarily disabling the security systems.

  3. Configure authorization: To allow the analyzer to access the application, it must be authorized. DerScanner supports five main types of authorization:

  • Login/password authorization - a basic method where the analyzer attempts to enter a login and password into detected fields on the server.
  • Token-based authorization - adds the supplied token to every outgoing request as a bearer header (bearer: TOKEN).
  • Header-based authorization - an advanced method allowing any custom header(s) in all outgoing requests.
  • Form-based authorization - enables the analyzer to automatically retrieve a token by entering authentication credentials into a login form.
  • NTLM authorization - use this option if the application uses NTLM-based authentication.

  4. Enhance the analysis with an API definition: We recommend attaching the application's API definition in OpenAPI.json format to the scan. This will enable the analyzer to use requests specific to the application, significantly improving the depth of the analysis and the quality of the results obtained.
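Stage 1 is easiest to verify before the scan is started rather than after it fails. The following pre-flight check is an added example, not DerScanner code: it attempts a TCP connection from the scanner host to each port the scan will use (80 and 443 by default, as above) and reports which ones are reachable. The local listener and the released port are constructed stand-ins for the target application so the script runs offline; point preflight() at the real host name and ports from the Scan Settings when using it.

```python
import socket
import threading
from contextlib import closing

# Default ports named on the page: 80 for HTTP, 443 for HTTPS.
DEFAULT_PORTS = {"http": 80, "https": 443}


def port_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port succeeds within timeout.

    A False here reproduces the 'network access error' stage: the scanner
    container cannot reach the target on that port (firewall, wrong port,
    wrong network), so there is no point starting the analysis yet.
    """
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except OSError:
        return False


def preflight(host: str, ports=None, timeout: float = 3.0) -> dict:
    """Check every port the scan will use; returns {port: reachable}."""
    ports = ports or list(DEFAULT_PORTS.values())
    return {p: port_reachable(host, p, timeout) for p in ports}


def start_local_listener():
    """Constructed stand-in for a reachable target: a TCP listener on an
    ephemeral loopback port. Returns (server_socket, port); close the socket
    when done."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # server socket closed
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def closed_local_port() -> int:
    """Constructed negative case: bind an ephemeral port, release it, and
    return its number so a connection attempt to it is refused."""
    with closing(socket.socket()) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_local_listener()
    print(preflight("127.0.0.1", [port, closed_local_port()]))
    srv.close()
```

If the reachable port is the one the scan is configured for but the scan still reports access errors, the remaining suspects are the stage-2 security systems (WAFs) between the scanner and the application, which accept the TCP connection and then block or reset the scanner's requests.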

Authentication Token

To authorize via token:

  1. Go to the authorization page of the app you provided in the URL to attack field.
  2. Go to the developer's panel (F12 in Chromium browsers) and fill in the credentials that should be used for dynamic analysis (e.g., user/password).
  3. In the developer's console, go to the Network tab.
  4. In the Name window, select the option with the login request (token or login depending on the browser).
  5. In the right window, go to Preview and copy the token value (access token in Chromium).
  6. In the DerScanner interface, go to Scan Settings > Authorization and select Authentication token.
  7. Fill in the Token field with the copied value.
  8. Activate the Use ajax spider option.
  9. Start scanning.

Note that the token's validity period must cover the whole analysis duration. Otherwise, you risk getting incomplete or incorrect results.
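Because an expired token silently turns the rest of the scan into an unauthenticated one, it is worth checking the token's remaining lifetime against the planned scan duration before pasting it into the Token field. The following is an added example, not DerScanner's own code, and it assumes the access token is a JWT whose payload carries a standard exp claim (an opaque token has no such claim and must be checked with the identity provider instead). The demo token is constructed inline and unsigned; the check only reads the payload and deliberately does not verify the signature, since it is our own token being inspected, not one being trusted.

```python
import base64
import json
import time


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_expiry(token: str):
    """Return the 'exp' claim (Unix seconds) of a JWT, or None if absent.

    The signature is NOT verified: this inspects a token we already hold to
    plan a scan, it does not decide whether to trust a presented token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    claims = json.loads(b64url_decode(parts[1]))
    return claims.get("exp")


def token_covers_scan(token: str, scan_seconds: int, now=None) -> bool:
    """True if the token remains valid for at least scan_seconds from now."""
    now = time.time() if now is None else now
    exp = jwt_expiry(token)
    if exp is None:
        # Assumption: a token without exp does not expire on its own.
        return True
    return exp - now >= scan_seconds


def make_demo_token(exp: int) -> str:
    """Constructed, unsigned demo token (alg 'none', empty signature part).
    Only the payload matters for the expiry check above."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": "dast-user", "exp": exp}).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    now = int(time.time())
    token = make_demo_token(now + 3600)  # constructed: valid for one hour
    for planned in (30 * 60, 2 * 60 * 60):
        print(f"scan of {planned}s covered:", token_covers_scan(token, planned, now=now))
```

When the check fails, either request a longer-lived token for the scan account or use form-based authorization so the analyzer can re-authenticate itself.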

Headers

To authorize via headers:

  1. Go to the app you provided in the URL to attack field, and authorize.
  2. Perform any request that requires authorization (e.g., one whose response carries a set-cookie header).
  3. Go to the developer’s panel (F12 in Chromium browsers) and fill in the credentials that should be used for dynamic analysis (e.g., user/password).
  4. In the developer’s console, go to the Network tab.
  5. Open the request you performed at step 2.
  6. Copy the headers from Request Headers.
  7. In the DerScanner interface, go to Scan Settings > Authorization and select Headers.
  8. Fill in the Headers field with the copied values.
  9. Start scanning.

Note that the validity period of the copied credentials (tokens, session cookies) must cover the whole analysis duration. Otherwise, you risk getting incomplete or incorrect results.

Authorization Form

To authorize via form:

  1. Go to the authorization page of the app you provided in the URL to attack field.
  2. Go to the developer’s panel (F12 in Chromium browsers) and fill in the credentials that should be used for dynamic analysis (e.g., user/password).
  3. In the developer’s console, go to the Network tab.
  4. In the Name window, select the option with the login request (token or login depending on the browser).
  5. In the right window, go to Payload and copy the login and password values (username/password in Chromium), as well as any additional fields.
  6. In the web application, look for a Log Out button (or something similar).
  7. Click on it with the right mouse and choose Inspect element.
  8. In the developer’s panel, select the highlighted HTML code with the right mouse and choose Copy > Copy element. If you plan to authorize via a log-in message, copy the HTML code for the Log In button instead.
  9. In the DerScanner interface, go to Scan Settings > Authorization and select Authorization form.
  10. Fill in the POST Request Data field with the values from step 5 as a key={value} sequence. Connect multiple keys with &, e.g.,
    user={uservalue}&password={passwordvalue}&test={false}.
  11. Fill in the Login/Password form name fields with the values from step 10. Taking this example:
    user={uservalue}&password={passwordvalue}&test={false}, the login form name should be user, and the password form name should be password.
  12. Fill in the Login/Logout page URL fields with their respective addresses.
  13. Fill in one of the Regex pattern in Logged in/out response fields with the HTML element copied in step 8.
  14. Start scanning.
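Steps 10 to 13 are the part of form-based authorization that most often goes wrong, so the following added example (not DerScanner code; the function names and sample HTML are constructed for illustration) shows what those fields mean in practice: the key={value} sequence is parsed, the login and password form names select which keys receive the real credentials, and the copied HTML element is turned into a regular expression that is tested against sample logged-in and logged-out responses. The example also shows the caveat a practitioner runs into with step 13: an HTML element pasted verbatim as a regex usually contains metacharacters such as ? in href="/logout?next=/", so it fails to match its own page unless it is escaped.

```python
import re
from urllib.parse import urlencode


def parse_post_data(spec: str) -> dict:
    """Parse the key={value}&key={value} sequence from the POST Request Data field."""
    fields = {}
    for pair in spec.split("&"):
        key, _, value = pair.partition("=")
        if not key or not (value.startswith("{") and value.endswith("}")):
            raise ValueError(f"malformed pair: {pair!r}")
        fields[key] = value[1:-1]
    return fields


def build_login_body(spec: str, login_field: str, password_field: str,
                     username: str, password: str) -> str:
    """Build the form body the analyzer would POST to the Login page URL:
    the Login/Password form names pick which keys get the real credentials;
    every other key keeps the value given in the spec."""
    fields = parse_post_data(spec)
    for name in (login_field, password_field):
        if name not in fields:
            raise KeyError(f"{name!r} is not a key in the POST Request Data")
    fields[login_field] = username
    fields[password_field] = password
    return urlencode(fields)


def pattern_from_element(element: str) -> str:
    """Turn a copied HTML element into a safe regex: every token is escaped
    and tokens are joined by \\s+ so whitespace differences do not matter."""
    return r"\s+".join(re.escape(tok) for tok in element.split())


def session_state(html: str, logged_in_pattern=None, logged_out_pattern=None) -> str:
    """Mirror the scanner's check: which of the two patterns matches the response."""
    if logged_in_pattern and re.search(logged_in_pattern, html):
        return "logged_in"
    if logged_out_pattern and re.search(logged_out_pattern, html):
        return "logged_out"
    return "unknown"


# Constructed sample data mirroring the page's example and steps 6-8.
SPEC = "user={uservalue}&password={passwordvalue}&test={false}"
LOGOUT_BUTTON = '<a class="btn" href="/logout?next=/">Log Out</a>'
LOGIN_BUTTON = "<button>Log In</button>"
LOGGED_IN_HTML = ('<nav><span>Hello dast</span>\n  '
                  '<a class="btn"  href="/logout?next=/">Log Out</a></nav>')
LOGGED_OUT_HTML = ('<form action="/login" method="post">'
                   '<input name="user"><input name="password" type="password">'
                   '<button>Log In</button></form>')

if __name__ == "__main__":
    print(build_login_body(SPEC, "user", "password", "dast", "s3cret"))
    safe_in, safe_out = pattern_from_element(LOGOUT_BUTTON), pattern_from_element(LOGIN_BUTTON)
    print("escaped pattern:", session_state(LOGGED_IN_HTML, safe_in, safe_out))
    print("raw element:   ", session_state(LOGGED_IN_HTML, LOGOUT_BUTTON, LOGIN_BUTTON))
```

The design choice here is to treat the logged-in pattern as authoritative and check it first: a page that still shows the Log Out element is a live session, and only when that is absent does the Log In element mean the session was lost and the analyzer must re-authenticate.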

NTLM Authorization

To authorize via NTLM:

  1. In the DerScanner interface, go to Scan Settings > Authorization and select NTLM.
  2. Fill in the Host, Port, and Realm fields if the authorization service is hosted separately from the target application. In most cases, these fields are optional.
  3. In the Username field, enter the account login for authorization.
  4. If the username input field name differs from username, specify its value in the Username Field Name field.
  5. In the Password field, enter the account password for authorization.
  6. If the password input field name differs from password, specify its value in the Password Field Name field.
  7. Start scanning.