We now support complex authentication in DAST scans

We all know how frustrating the authentication process can be when running DAST scans. It's one of the most common pain points our customers face, and it often becomes a roadblock that slows down testing cycles. Whether it's dealing with complex custom authentication processes or navigating the restrictions imposed by modern web apps, authentication remains one of the trickiest challenges when it comes to using a DAST tool.

Imagine this: your current DAST provider captures the credentials, then spins up multiple browser tabs and asks you to re-authenticate on every scan. It never gets past the login page, so it never actually scans the application behind it. All it's doing is hitting your authentication page. Painful, right?

That’s why we've made several key updates to streamline even the most complex and frustrating authentication use cases. Our goal is to provide you with better flexibility and efficiency for your security testing needs.

1. Support for complex authentication scenarios

Complex authentication setup scenario in Escape DAST

We now support more complex authentication processes through the new Browser Actions Authentication Preset. It is intended for scenarios where the standard authentication presets don't work well: with Browser Actions, you script the login flow step by step instead of relying on Escape's AI agent to discover it. This is ideal for form-based authentication where you know exactly which fields to fill and which buttons to click.

The Browser Actions preset uses Playwright for browser automation actions, such as filling in forms and clicking buttons. By default, it extracts cookies, localStorage, and sessionStorage from the browser, injecting them into the scan engine for frontend scans. For API scans, only cookies are injected.

Key benefits:

  • Customize authentication flows using direct browser actions.
  • Automatically extract and inject cookies and storage (for frontend scans).
  • Configure extractions and injections for specific storage needs (e.g., local/session storage).

Here is an example of the flow you can set up:

presets:
-   type: browser_actions
    users:
    -   username: frontend-user@example.com
        actions:
        -   url: https://example.com/login
            action: goto
        -   action: wait_page_loaded
        -   action: fill
            auto_submit: false
            locator: input[name="username"]
            value: user@escape.tech
        -   action: fill
            auto_submit: false
            locator: input[name="password"]
            value: password123
        -   action: check
            locator: input[type="checkbox"]
        -   action: select
            locator: select#country
            value: France
        -   action: click
            locator: button[type="submit"]

For detailed documentation and other examples of how you can set it up, visit our docs.

Single Page Mode for Enterprise Applications

We've introduced a new Single Page Mode to handle enterprise applications that allow only one user session to be logged in at a time. In this mode the scan runs through a single authenticated session rather than opening several in parallel, so no additional configuration or manual intervention is needed in environments with strict session controls. Once authenticated, the scanner keeps that session for the whole scan.

Automatic Reauthentication When the Tab Is Closed

For applications that automatically log users out when the tab is closed, our system now ensures that reauthentication is handled automatically. There's no need to reconfigure your DAST scan setup or manually log in again—everything is managed in the background, allowing for a smooth and uninterrupted scanning process.

Handling Applications with Single Tab Login Restrictions

In cases where applications do not allow multiple tabs to be logged in simultaneously, our updated DAST scanning process automatically manages reauthentication. This removes the hassle of managing tab states and ensures that your scan continues without the need to manually re-authenticate across multiple tabs.

The improvements we've made to our DAST scanning authentication process address the specific pain points our customers face, especially with complex or custom authentication systems. With these updates, you can handle advanced authentication workflows, such as the one described above, without losing session continuity or compromising on scan effectiveness.


With these new updates, you should be able to run your DAST scans without a glitch. Let us know what you think in our Slack community or reach out if you want to see Escape DAST in action.