Configure authentication methods for web application scans

Veracode can use several authentication methods to scan your web applications. You can configure the following authentication methods in the Veracode Platform to provide access to Veracode to scan your web applications.

Configure form-based login

Use form-based authentication when your web application includes a login form that requires more than just a username and password.

We recommend modifying the default configuration as follows.

To complete this task:

  1. Sign in to the Veracode Platform.
  2. Select Scans and Analysis > DAST Essentials.
  3. Locate the web application you want to configure. In the Actions column, select Configure.
  4. Select the Authentication tab.
  5. In the Form-based authentication section, under Sign-in URL, enter the URL of the login form.
  6. To use AI-assisted login, turn on the Enable AI Login toggle.
  7. Under Username and Password, enter the login credentials for the URL.
  8. To include additional information during login, configure scanner variables and enable them for AI-assisted login.

AI-assisted login

AI-assisted login is a feature that enables web application scans to authenticate automatically by navigating complex login flows using generative AI. AI-assisted login reduces the need to create and maintain custom login scripts for applications with multi-step or dynamic authentication processes. Multifactor authentication (MFA) is not supported by AI-assisted login.

Use AI-assisted login if your application uses authentication flows that are not supported by basic username and password configuration and include:

  • Multi-step login processes, such as entering a username on one page and a password on a subsequent page.
  • Login forms that require additional inputs beyond username and password, such as business unit, department, or security questions.
  • Dynamic authentication flows that vary based on user type or other conditions.

When AI-assisted login is enabled, the AI agent:

  • Analyzes the login page and related authentication screens.
  • Identifies interactive elements such as input fields, buttons, and navigation controls.
  • Completes the authentication flow using the credentials and scanner variables you configure.

Note: Your data is not used to train AI models.

After a successful login, the authentication sequence is saved and reused for subsequent scans. The AI agent is not invoked unless authentication fails or the login flow changes.

If your application requires additional inputs beyond a username and password, configure scanner variables for each required value and enable them for AI-assisted login. The AI agent uses these values to populate the additional authentication fields.

Configure login scripts

Use login script authentication if your application uses a customized or multi-step login form. You can record and upload a login sequence that Veracode uses to automatically sign in to your application. This method is best for multi-step login sequences that include one or more authentication factors, such as username, password, or PIN. You can also combine login script authentication with basic authentication methods.

We recommend using tools such as Chrome DevTools Recorder, Playwright, or Cypress to capture the desired browser interactions. You can then manually convert these recordings or test files into the required .side file format for use as login or crawl scripts. For detailed instructions on the .side file structure and supported commands.

Note: If you do not use Selenium IDE to record your script, it might not work as expected.

To complete this task:

  1. Record your login sequence script with Selenium IDE. Save the JSON script in the .side file format, which is the standard format used by Selenium IDE.
  2. To upload the file, sign in to the Veracode Platform.
  3. Select Scans and Analysis > DAST Essentials.
  4. Locate the web application you want to configure. In the Actions column, select Configure.
  5. Select the Authentication tab.
  6. In the Enterprise mode authentication settings section, for Log in script, upload the file. Veracode supports both HTML and SIDE file formats, but recommends using SIDE for test suites and multi-step sequences. You can also provide a logout script if it is necessary.

Example login scripts

We provide the following example Selenium scripts that demonstrate how to record a login sequence.

To use the example login scripts as templates for your scripts:

  1. Copy all JSON from the example.
  2. Paste the JSON into a text file.
  3. Save the text file with the .side extension.
  4. Open the SIDE file in the Selenium IDE or a text editor.
  5. Update the commands and values.

Example script: sign in with credentials on the same page

The following script demonstrates signing in to a web application where the username and password fields are on the same page.

The script commands run in the following order:

  • Opens the URL for the web application.
  • Waits for the sign-in page to load.
  • Enters the username.
  • Enters the password.
  • Selects the sign-in button to sign in.
  • Waits for an element to load, which indicates successful sign in.

{
  "id": "b66324ad-1350-4277-85f1-c48b3800a868",
  "version": "2.0",
  "name": "Login",
  "url": "<appURL>",
  "tests": [{
    "id": "577b18f4-5b2f-49e8-9fc3-e320cd8f00fa",
    "name": "Login",
    "commands": [{
      "id": "03d62bf6-8784-48cc-b319-30e1c809ab11",
      "comment": "",
      "command": "open",
      "target": "</pathToLogin>",
      "targets": [],
      "value": ""
    }, {
      "id": "81b9dc4d-7c78-49f9-bc4c-9e2186625169",
      "comment": "",
      "command": "waitForElementVisible",
      "target": "id=<usernameField>",
      "targets": [],
      "value": "30000"
    }, {
      "id": "53c5ed70-6548-4e39-b456-d0e5502945d4",
      "comment": "",
      "command": "type",
      "target": "id=<usernameField>",
      "targets": [],
      "value": "<username>"
    }, {
      "id": "1b55d2a4-e472-48e6-822d-a5b54a2986d9",
      "comment": "",
      "command": "type",
      "target": "id=<passwordField>",
      "targets": [],
      "value": "<password>"
    }, {
      "id": "da24efdf-cdd3-4858-b9f8-52e0666b6d73",
      "comment": "",
      "command": "click",
      "target": "id=<loginButton>",
      "targets": [],
      "value": ""
    }, {
      "id": "566c3651-194c-4621-bc87-7f5cb64356fe",
      "comment": "",
      "command": "waitForElementVisible",
      "target": "id=<elementOnSuccessfulLoginPage>",
      "targets": [],
      "value": "30000"
    }]
  }],
  "suites": [{
    "id": "e17f2325-4ac8-46d3-8f25-7b087a41d356",
    "name": "Default Suite",
    "persistSession": false,
    "parallel": false,
    "timeout": 300,
    "tests": ["577b18f4-5b2f-49e8-9fc3-e320cd8f00fa"]
  }],
  "urls": ["<appURL>"],
  "plugins": []
}
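A script with the structure shown above can be generated and checked without hand-editing JSON. The following Python is an added example, not part of the Veracode documentation or product: it builds a .side document with the same shape (one test, one suite, Selenium IDE open/waitForElementVisible/type/click commands) and lints a parsed script for the mistakes that most often make a login script fail or leak a credential: an unreplaced <placeholder>, a suite that references a test id that does not exist, a non-numeric wait timeout, a missing final wait that confirms the sign-in, and a literal value typed into a password, PIN or TOTP field instead of a ${VARIABLE} scanner-variable reference. The base URL, element ids and variable name in the demo are constructed.

```python
"""Build and lint Selenium IDE .side login scripts (added example, not Veracode code)."""
import json
import re
import uuid

SIDE_VERSION = "2.0"
# A scanner-variable reference as used on the page, e.g. ${TOTP_SECRET}.
VARIABLE_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")
# Element names that usually hold secrets; a literal typed into one of these
# belongs in a scanner variable instead.
SECRET_HINT = re.compile(r"pass|pwd|secret|pin|totp|otp|token", re.IGNORECASE)


def side_command(command, target="", value="", comment=""):
    """One entry of a test's 'commands' array, in the shape Selenium IDE writes."""
    return {"id": str(uuid.uuid4()), "comment": comment, "command": command,
            "target": target, "targets": [], "value": value}


def make_side_script(name, base_url, commands, timeout=300):
    """Wrap a command list in the .side document structure (one test, one suite)."""
    test_id = str(uuid.uuid4())
    return {
        "id": str(uuid.uuid4()),
        "version": SIDE_VERSION,
        "name": name,
        "url": base_url,
        "tests": [{"id": test_id, "name": name, "commands": commands}],
        "suites": [{"id": str(uuid.uuid4()), "name": "Default Suite",
                    "persistSession": False, "parallel": False,
                    "timeout": timeout, "tests": [test_id]}],
        "urls": [base_url],
        "plugins": [],
    }


def same_page_login(base_url, login_path, user_field, pass_field, button,
                    success_element, username, password_ref, wait_ms="30000"):
    """Same-page username/password sequence; password_ref should be a ${VAR} reference."""
    cmds = [
        side_command("open", login_path),
        side_command("waitForElementVisible", f"id={user_field}", wait_ms),
        side_command("type", f"id={user_field}", username),
        side_command("type", f"id={pass_field}", password_ref),
        side_command("click", f"id={button}"),
        side_command("waitForElementVisible", f"id={success_element}", wait_ms),
    ]
    return make_side_script("Login", base_url, cmds)


def lint_side_script(doc):
    """Return a list of problems found in a parsed .side document (empty list = clean)."""
    findings = []
    if doc.get("version") != SIDE_VERSION:
        findings.append(f"version is {doc.get('version')!r}, expected {SIDE_VERSION!r}")
    test_ids = {t.get("id") for t in doc.get("tests", [])}
    if not test_ids:
        findings.append("no tests defined")
    for suite in doc.get("suites", []):
        for ref in suite.get("tests", []):
            if ref not in test_ids:
                findings.append(f"suite {suite.get('name')!r} references unknown test id {ref}")
    for test in doc.get("tests", []):
        cmds = test.get("commands", [])
        for i, c in enumerate(cmds):
            cmd, target, value = c.get("command", ""), c.get("target", ""), c.get("value", "")
            if "<" in target or "<" in value:
                findings.append(f"command {i} still contains an unreplaced placeholder: {target or value}")
            if cmd == "type" and SECRET_HINT.search(target) and not VARIABLE_REF.match(value):
                findings.append(f"command {i} types a literal into {target!r}; "
                                f"use a ${{VARIABLE}} scanner-variable reference")
            if cmd.startswith("waitFor") and not str(value).isdigit():
                findings.append(f"command {i} ({cmd}) needs a numeric timeout in ms, got {value!r}")
        if cmds and not cmds[-1].get("command", "").startswith("waitFor"):
            findings.append(f"test {test.get('name')!r} does not end with a wait that confirms sign-in")
    return findings


def load_side(path):
    """Parse a downloaded .side file so it can be passed to lint_side_script."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Constructed demo values; the password comes from a scanner variable, not the script.
    script = same_page_login("https://app.example.test", "/login", "user", "password",
                             "signin", "dashboard", "scanuser", "${APP_PASSWORD}")
    print(json.dumps(script, indent=2))
    print("findings:", lint_side_script(script))
```

Run lint_side_script on the document returned by load_side after downloading a script from the platform; a clean result is an empty list, and each finding names the command index so it can be located in Selenium IDE.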

Example script: sign in with credentials on different pages

The following script demonstrates signing in to a web application where the username and password fields are on separate pages.

The script commands run in the following order:

  • Opens the URL for the web application.
  • Waits for the sign-in page to load.
  • Enters the username.
  • Selects the sign-in button to open the password page.
  • Enters the password.
  • Selects the sign-in button to sign in.
  • Waits for an element to load, which indicates successful sign in.

{
  "id": "b66324ad-1350-4277-85f1-c48b3800a868",
  "version": "2.0",
  "name": "Login",
  "url": "<appUrl>",
  "tests": [{
    "id": "577b18f4-5b2f-49e8-9fc3-e320cd8f00fa",
    "name": "Login",
    "commands": [{
      "id": "03d62bf6-8784-48cc-b319-30e1c809ab11",
      "comment": "",
      "command": "open",
      "target": "</pathToLogin>",
      "targets": [],
      "value": ""
    }, {
      "id": "81b9dc4d-7c78-49f9-bc4c-9e2186625169",
      "comment": "",
      "command": "waitForElementVisible",
      "target": "id=<usernameField>",
      "targets": [],
      "value": "30000"
    }, {
      "id": "53c5ed70-6548-4e39-b456-d0e5502945d4",
      "comment": "",
      "command": "type",
      "target": "id=<usernameField>",
      "targets": [],
      "value": "<username>"
    }, {
      "id": "d2ba43a8-e109-415a-a2be-0b19e9ffef75",
      "comment": "",
      "command": "click",
      "target": "id=<loginButton>",
      "targets": [],
      "value": ""
    }, {
      "id": "4f9104fd-0f7f-4aeb-885f-b27b1eca4363",
      "comment": "",
      "command": "waitForElementVisible",
      "target": "id=<passwordField>",
      "targets": [],
      "value": "30000"
    }, {
      "id": "1b55d2a4-e472-48e6-822d-a5b54a2986d9",
      "comment": "",
      "command": "type",
      "target": "id=<passwordField>",
      "targets": [],
      "value": "<password>"
    }, {
      "id": "da24efdf-cdd3-4858-b9f8-52e0666b6d73",
      "comment": "",
      "command": "click",
      "target": "id=<loginButton>",
      "targets": [],
      "value": ""
    }, {
      "id": "566c3651-194c-4621-bc87-7f5cb64356fe",
      "comment": "",
      "command": "waitForElementVisible",
      "target": "id=<elementOnSuccessfulLoginPage>",
      "targets": [],
      "value": "30000"
    }]
  }],
  "suites": [{
    "id": "e17f2325-4ac8-46d3-8f25-7b087a41d356",
    "name": "Default Suite",
    "persistSession": false,
    "parallel": false,
    "timeout": 300,
    "tests": ["577b18f4-5b2f-49e8-9fc3-e320cd8f00fa"]
  }],
  "urls": ["<appUrl>"],
  "plugins": []
}

Example script: sign in using multifactor authentication

The following script demonstrates signing in to a web application with multifactor authentication (MFA) enabled using a TOTP scanner variable.

The script commands run in the following order:

  • Opens the URL for the web application.
  • Waits for the sign-in page to load.
  • Enters the username.
  • Enters the password.
  • Selects the button to sign in.
  • Waits for the TOTP field for two-step authentication to load.
  • Enters the TOTP seed from the specified scanner variable.
  • Selects the submit button to sign in with the TOTP seed.
  • Waits for an element to load, which indicates successful sign in.

{
  "id": "68c1e8b0-d794-4b37-a7c6-793eb8a434dc",
  "version": "2.0",
  "name": "Login_TOTP",
  "url": "<appURL>",
  "tests": [{
    "id": "d084a794-2ca2-48ce-bb5c-a4638eeb1f94",
    "name": "Login",
    "commands": [{
      "id": "8b2550d6-ee29-4230-9ccd-f44798a2407a",
      "comment": "",
      "command": "open",
      "target": "<loginPath>",
      "targets": [],
      "value": ""
    }, {
      "id": "439e6617-c4d8-49d7-8073-54f638aafc21",
      "comment": "",
      "command": "waitForElementPresent",
      "target": "id=<usernameField>",
      "targets": [],
      "value": "30000"
    }, {
      "id": "3c0db2ff-db10-4fcd-8d43-a2c7438e8e1e",
      "comment": "",
      "command": "type",
      "target": "id=<usernameField>",
      "targets": [],
      "value": "<username>"
    }, {
      "id": "ee4e1cc9-f9ff-4119-ad3e-b3d3cda39824",
      "comment": "",
      "command": "type",
      "target": "id=<passwordField>",
      "targets": [],
      "value": "<password>"
    }, {
      "id": "55f3d219-a84f-471d-a13e-41638ad396dc",
      "comment": "",
      "command": "click",
      "target": "id=<loginButton>",
      "targets": [],
      "value": ""
    }, {
      "id": "9840bd4c-52b8-4df8-9b8c-dc7c3bf71b6e",
      "comment": "",
      "command": "waitForElementPresent",
      "target": "id=<totpcodeField>",
      "targets": [],
      "value": "30000"
    }, {
      "id": "14b8ff3c-05e8-4dbb-a824-2d6dcf39988d",
      "comment": "",
      "command": "type",
      "target": "id=<totpcodeField>",
      "targets": [],
      "value": "${TOTP_SECRET}"
    }, {
      "id": "7c0231b6-84f6-4229-9d0b-928f8df5a378",
      "comment": "",
      "command": "click",
      "target": "id=submit",
      "targets": [],
      "value": ""
    }, {
      "id": "5218f117-7594-45f9-b0fe-31ac08144ddf",
      "comment": "",
      "command": "waitForElementPresent",
      "target": "id=<elementOnSuccessfulLoginPage>",
      "targets": [],
      "value": "30000"
    }]
  }],
  "suites": [{
    "id": "34ea279e-bdb6-4c97-b562-1c06635c7898",
    "name": "Default Suite",
    "persistSession": false,
    "parallel": false,
    "timeout": 300,
    "tests": ["d084a794-2ca2-48ce-bb5c-a4638eeb1f94"]
  }],
  "urls": ["<appURL>"],
  "plugins": []
}

Download a login script

If you use login script authentication and have uploaded a login script, you can download it to verify its information.

To complete this task:

  1. Sign in to the Veracode Platform.
  2. Select Scans and Analysis > DAST Essentials.
  3. Locate the web application from which you want to download the login script. In the Actions column, select Configure.
  4. Select the Authentication tab.
  5. In the Enterprise mode authentication settings section, from Log in script, download the file.

You can watch this video tutorial to learn how to create login scripts using Selenium IDE.

Use form-based login with a login script to create an authenticated DAST essentials analysis with the REST API.

Configure scanner variables

Create scanner variables in the Veracode Platform to define information that you can reference in your Selenium scripts for web application scans. Each variable consists of a reference key and a value. You typically create scanner variables for the sign-in credentials of a URL, so that the secret stays out of the script itself and can be reused across multiple login scripts.

You can also reference the variables in scripts for scriptable request modification (SRM) authentication for API scans.

Before you begin:

If you want to create a variable that defines a time-based one-time password (TOTP) secret for signing in to a URL that requires multifactor authentication (MFA), ensure you have the TOTP secret.

Note: Multifactor authentication (MFA) is not supported by AI-assisted login.

To complete this task:

  1. Sign in to the Veracode Platform.
  2. Select Scans and Analysis > DAST Essentials.
  3. Locate the target you want to configure. In the Actions column, select Configure.
  4. Select the Authentication tab.
  5. In the Enterprise mode authentication settings section, under Scanner variables, add a reference key and value. For Reference Key, enter the variable key (for example, My_password_key). For Value, enter the variable value. When the login script runs the command that references the variable, it passes this value.
  6. To indicate that the variable defines a TOTP secret for multifactor authentication, select TOTP seed.
  7. To use the variable with AI to complete the login form, select the Utilize in AI-Assisted Login checkbox. Before selecting this checkbox, you must enable AI-Login in form-based authentication. AI-assisted login uses generative AI to configure variables and complete complex login forms.
  8. Optionally, select Add Another to create additional variables.

Obtain a TOTP secret

Before you begin:

  • You have installed and configured a multifactor authentication tool for the URLs you want to scan.

To complete this task:

  1. Sign in to your web application. A window opens and displays your authentication code or a QR code.
  2. Locate the TOTP secret. For help with locating the TOTP secret, see the documentation for your authentication tool.
  3. Copy the TOTP secret and add it to your scanner variable or save it to a secure, temporary location.
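Before a copied seed goes into a scanner variable marked as a TOTP seed, it is worth confirming that it is valid base32 and that it produces the same codes as your authenticator; a seed with a transcription error only shows up as a failed scan login later. The Python below is an added example, not Veracode's implementation of TOTP: it implements RFC 4226 HOTP and RFC 6238 TOTP from the standard library, normalizes a seed the way authenticator apps display it (grouped, lower-case, unpadded), and checks a code shown by the app against the seed within a one-step window. It assumes the common authenticator defaults (SHA-1, 30-second step, 6 digits); the demo seed is the published RFC 6238 test key, not a real secret.

```python
"""RFC 6238 TOTP helpers for checking a seed before it goes into a scanner variable.

Added example, not Veracode's implementation. Assumes the common authenticator
defaults (SHA-1, 30-second step, 6 digits); adjust if your identity provider differs.
"""
import base64
import binascii
import hashlib
import hmac
import struct
import time

# RFC 6238 reference key "12345678901234567890" in base32: a published test
# vector, not a real secret.
DEMO_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def normalize_seed(seed):
    """Turn a seed as displayed by an authenticator app (grouped, lower-case,
    unpadded) into raw key bytes; raise ValueError if it is not base32."""
    cleaned = "".join(seed.split()).upper().rstrip("=")
    padded = cleaned + "=" * (-len(cleaned) % 8)
    try:
        return base64.b32decode(padded)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("TOTP seed is not valid base32") from exc


def hotp(key, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed, at=None, step=30, digits=6, algorithm="sha1"):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(normalize_seed(seed), int(at) // step, digits, algorithm)


def seconds_remaining(at=None, step=30):
    """How long the current code stays valid; relevant when a login flow is slow."""
    at = time.time() if at is None else at
    return step - int(at) % step


def seed_matches(seed, observed_code, at=None, step=30, window=1):
    """True if a code shown by your authenticator is what this seed produces
    within +/- `window` steps, so a mistyped seed is caught before it is saved."""
    at = time.time() if at is None else at
    key = normalize_seed(seed)
    counter = int(at) // step
    return any(
        hmac.compare_digest(hotp(key, counter + d, len(observed_code)), observed_code)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    print("code now:", totp(DEMO_SEED), "valid for", seconds_remaining(), "s")
    print("matches RFC 6238 vector at t=59:", seed_matches(DEMO_SEED, "287082", at=59))
```

To check a real seed, call seed_matches with the seed you copied and the code your authenticator currently displays; a False result means the seed was copied wrongly or the app uses non-default parameters (digits, step or hash), which you would then also need to match in the scan configuration.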

Configure client certificates

Add a client certificate and associated password if your application requires a certificate for login. The certificate file must be in PFX or P12 format, equivalent to the PKCS#12 standard, which stores the private key, leaf certificate, and intermediate certificates in one encrypted, password-protected file.

A PFX or P12 file is a password-protected container that holds both the certificate (with its public key) and the matching private key required for certificate-based client authentication. You can generate a PFX or P12 file with the openssl pkcs12 -export command using your certificate (.crt or .cer) and private key (.key or .pem), or with web-based tools.

A PKCS#12 container produced with current OpenSSL defaults uses AES-256 encryption for the stored keys and certificates (the PBES2 scheme), SHA-256 for the message authentication code (MAC), and a high iteration count to strengthen the password-based key derivation.

To complete this task:

  1. Sign in to the Veracode Platform.
  2. Select Scans and Analysis > DAST Essentials.
  3. Locate the web application you want to configure. In the Actions column, select Configure.
  4. Select the Authentication tab.
  5. In the Enterprise mode authentication settings section, under Client Certificate, drag the certificate file from your File Explorer into the Certification field in the browser window. Alternatively, browse to and select the certificate file manually. Ensure the file is in PKCS#12 format, typically with a .pfx or .p12 extension.
  6. For Password, enter the certificate password to decrypt the private key in the .p12 file.

Generate a PFX or P12 file with OpenSSL

The following method is common for command-line users. It uses the OpenSSL utility.

To complete this task:

  1. Locate your certificate and key files. Make sure you have:
    • Certificate file (<filename>.crt or <filename>.cer)
    • Private key file (<filename>.key or <filename>.pem)
  2. Navigate to your OpenSSL installation directory if needed, then open a command prompt (or an OpenSSL command prompt).
  3. To generate the file, run:

    openssl pkcs12 -export -out <file-name>.pfx -inkey <path-to-private-key> -in <path-to-certificate>

  4. Enter and confirm a password for your PFX or P12 file when prompted.
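The following Python is an added example, not Veracode's or OpenSSL's code, that wraps the procedure above and adds the check a practitioner wants before uploading the bundle: it generates a throwaway key and self-signed certificate, exports them with the same openssl pkcs12 -export command (optionally attaching an intermediate chain with -certfile), then parses the output of openssl pkcs12 -info to report whether the file is protected with PBES2/AES-256/SHA-256 or with the legacy RC2/3DES/SHA-1 schemes, and the lowest KDF iteration count it finds. It assumes the openssl binary is on PATH; the SAMPLE_* strings are constructed imitations of OpenSSL's info output for the two cases, the 2048-iteration floor in is_modern is an assumption (OpenSSL's default), and the demo password is a placeholder.

```python
"""Build a PKCS#12 (.pfx) bundle with OpenSSL and audit the algorithms protecting it.

Added example, not Veracode's or OpenSSL's code. Assumes the `openssl` binary is on
PATH. The key/certificate it generates are throwaway demo material and the
SAMPLE_* strings are constructed imitations of `openssl pkcs12 -info` output.
"""
import os
import re
import shutil
import subprocess
import tempfile

# Legacy PKCS#12 PBE schemes (RC2/3DES keyed from SHA-1) versus PBES2/AES-256/SHA-256.
LEGACY_RE = re.compile(r"pbeWithSHA1And[\w-]+|RC2(?:-\w+)?|TripleDES|3DES|\bsha1\b", re.IGNORECASE)
MODERN_RE = re.compile(r"PBES2|AES-256-CBC|hmacWithSHA256|\bsha256\b", re.IGNORECASE)
ITERATION_RE = re.compile(r"Iteration (\d+)")

# Constructed samples of what `openssl pkcs12 -info -noout` prints (shape only).
SAMPLE_MODERN = """MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
"""
SAMPLE_LEGACY = """MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
"""


def audit_info_text(info_text):
    """Summarize which schemes `openssl pkcs12 -info` reports and the lowest iteration count."""
    iterations = [int(n) for n in ITERATION_RE.findall(info_text)]
    return {
        "legacy": sorted(set(LEGACY_RE.findall(info_text))),
        "modern": sorted(set(MODERN_RE.findall(info_text))),
        "min_iterations": min(iterations) if iterations else None,
    }


def is_modern(audit, min_iterations=2048):
    """True when no legacy scheme appears, PBES2 is used and the KDF iteration
    count meets the floor (2048 is OpenSSL's default; an assumption, not a Veracode rule)."""
    return (not audit["legacy"] and "PBES2" in audit["modern"]
            and (audit["min_iterations"] or 0) >= min_iterations)


def _openssl(*args):
    """Run one openssl command non-interactively and capture its output."""
    return subprocess.run(["openssl", *args], check=True, capture_output=True,
                          text=True, stdin=subprocess.DEVNULL)


def build_bundle(key_path, cert_path, pfx_path, password, chain_path=None):
    """The page's `openssl pkcs12 -export` command, with the export password passed
    on the command line (demo only) and an optional intermediate chain (-certfile).
    Returns the text of `openssl pkcs12 -info` for the new bundle."""
    args = ["pkcs12", "-export", "-out", pfx_path, "-inkey", key_path, "-in", cert_path,
            "-passout", "pass:" + password]
    if chain_path:
        args += ["-certfile", chain_path]
    _openssl(*args)
    info = _openssl("pkcs12", "-info", "-noout", "-nodes", "-in", pfx_path,
                    "-passin", "pass:" + password)
    return info.stdout + info.stderr  # OpenSSL writes the -info summary to stderr


def audit_demo(password="demo-password-placeholder"):
    """Generate a throwaway key + self-signed cert, bundle them and audit the result.
    Returns None when openssl is not installed."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        key, cert, pfx = (os.path.join(tmp, n) for n in ("demo.key", "demo.crt", "demo.pfx"))
        _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                 "-subj", "/CN=dast-demo", "-keyout", key, "-out", cert)
        audit = audit_info_text(build_bundle(key, cert, pfx, password))
        audit["bundle_bytes"] = os.path.getsize(pfx)
        return audit


if __name__ == "__main__":
    result = audit_demo()
    if result is None:
        print("openssl not found on PATH")
    else:
        print(result)
        print("modern PKCS#12 protection:", is_modern(result))
```

For a bundle you already have, run openssl pkcs12 -info -noout -in <file>.pfx yourself and pass the combined output to audit_info_text; a non-empty "legacy" list means the file was produced by older tooling with RC2/3DES and SHA-1, and re-exporting it with a current OpenSSL gives the PBES2/AES-256/SHA-256 protection described above.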