Configure authentication methods for web application scans
Veracode can use several authentication methods to scan your web applications. You can configure the following authentication methods in the Veracode Platform to provide access to Veracode to scan your web applications.
Configure form-based login
Use form-based authentication when your web application includes a login form that requires more than just a username and password.
Veracode recommends modifying the default configurations as follows:
To complete this task:
- Sign in to the Veracode Platform.
- Select Scans and Analysis > DAST Essentials.
- Locate the web application you want to configure. In the Actions column, select Configure.
- Select the Authentication tab.
- In the Form-based authentication section, under Sign-in URL, enter the URL of the login form.
- To use AI-assisted login, switch on the AI Login toggle. AI-assisted login uses generative AI to complete complex login forms. Use AI-assisted login when auto-login fails or when the login flow requires more than just a username and password.
- Under Username and Password, enter the login credentials for the URL.
Configure login scripts
Use login script authentication if your application uses a customized or multi-step login form. You can record and upload a login sequence that Veracode uses to automatically log in to your application. This method is best for multi-step login sequences that include one or more authentication factors, such as username, password, or PIN. You can also combine login script authentication with basic authentication methods.
If you do not use Selenium IDE to record your script, it might not work as expected.
To complete this task:
- Record your login sequence script with Selenium IDE using supported Selenium commands. Save the JSON script in the .side file format, which is the standard format used by Selenium IDE.
- To upload the file, sign in to the Veracode Platform.
- Select Scans and Analysis > DAST Essentials.
- Locate the web application you want to configure. In the Actions column, select Configure.
- Select the Authentication tab.
- In the Enterprise mode authentication settings section, for Log in script, upload the file. Veracode supports both HTML and SIDE file formats, but recommends using SIDE for test suites and multi-step sequences. You can also provide a logout script if it is necessary.
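The following is an added example, not code from Veracode or Selenium: a preflight check for a recorded .side login script before you upload it. The embedded recording is constructed to show a multi-step login (username, password, then PIN, as described above); the URL, selectors and credentials in it are assumptions, and the "no wait or assert after login" check is this example's own rule of thumb, since a script that never confirms the logged-in state gives the scanner no way to know the session is authenticated.

```python
import json

# Constructed .side document in the shape Selenium IDE (format version 2.0) saves.
SAMPLE_SIDE = json.dumps({
    "id": "example-project", "version": "2.0", "name": "login",
    "url": "https://app.example.test",
    "tests": [{"id": "t1", "name": "login", "commands": [
        {"id": "c1", "comment": "", "command": "open", "target": "/login", "targets": [], "value": ""},
        {"id": "c2", "comment": "", "command": "type", "target": "id=username", "targets": [], "value": "scanner"},
        {"id": "c3", "comment": "", "command": "type", "target": "id=password", "targets": [], "value": "secret"},
        {"id": "c4", "comment": "", "command": "click", "target": "css=button[type=submit]", "targets": [], "value": ""},
        {"id": "c5", "comment": "", "command": "type", "target": "id=pin", "targets": [], "value": "1234"},
        {"id": "c6", "comment": "", "command": "click", "target": "css=button[type=submit]", "targets": [], "value": ""},
        {"id": "c7", "comment": "", "command": "waitForElementVisible", "target": "id=logout", "targets": [], "value": "10000"},
    ]}],
    "suites": [{"id": "s1", "name": "Default Suite", "persistSession": False,
                "parallel": False, "timeout": 300, "tests": ["t1"]}],
    "urls": ["https://app.example.test"], "plugins": [],
})


def check_side(text):
    """Return a list of problems found; an empty list means the script looks uploadable."""
    problems = []
    try:
        doc = json.loads(text)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if doc.get("version") != "2.0":
        problems.append("unexpected .side format version")
    tests = doc.get("tests") or []
    if not tests:
        problems.append("no tests recorded")
    for test in tests:
        cmds = test.get("commands") or []
        # A recording should begin by opening the sign-in page.
        if not cmds or cmds[0].get("command") != "open":
            problems.append(f"test {test.get('name')!r} should start with an 'open' command")
        for c in cmds:
            if not c.get("command") or "target" not in c:
                problems.append(f"malformed command {c.get('id')!r}")
        # Without a waitFor*/assert* step the script never confirms login succeeded.
        if not any(c.get("command", "").startswith(("waitFor", "assert")) for c in cmds):
            problems.append(f"test {test.get('name')!r} has no wait/assert confirming login succeeded")
    return problems


def login_steps(text):
    """Ordered (command, target) pairs of the first recorded test, for a quick human review."""
    doc = json.loads(text)
    return [(c["command"], c["target"]) for c in doc["tests"][0]["commands"]]
```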
Download a login script
If you use login script authentication and have uploaded a login script, you can download it to verify its information.
To complete this task:
- Sign in to the Veracode Platform.
- Select Scans and Analysis > DAST Essentials.
- Locate the web application from which you want to download the login script. In the Actions column, select Configure.
- Select the Authentication tab.
- In the Enterprise mode authentication settings section, from Log in script, download the file.
You can watch this video tutorial to learn how to create login scripts using Selenium IDE.
Use form-based login with a login script to create an authenticated DAST Essentials analysis with the REST API.
Configure scanner variables
You configure scanner variables in the Veracode Platform to define information that you can reference in your login scripts for web application scans.
Configure client certificates
Add a client certificate and associated password if your application requires a certificate for login. The certificate file must be in PFX or P12 format, equivalent to the PKCS#12 standard, which stores the private key, leaf certificate, and intermediate certificates in one encrypted, password-protected file.
The PFX or P12 format is a password-protected container that holds both the public and private keys required for encryption and secure authentication. You can generate a PFX or P12 file with the openssl pkcs12 -export command using your certificate (.crt or .cer) and private key (.key or .pem), or with web-based tools.
To complete this task:
- Sign in to the Veracode Platform.
- Select Scans and Analysis > DAST Essentials.
- Locate the web application you want to configure. In the Actions column, select Configure.
- Select the Authentication tab.
- In the Enterprise mode authentication settings section, under Client Certificate, drag the certificate file from your File Explorer into the Certification field in the browser window. Alternatively, browse to and select the certificate file manually. Ensure the file is in PKCS#12 format, typically with a .pfx or .p12 extension.
- For Password, enter the certificate password to decrypt the private key in the .p12 file.
Generate a PFX or P12 file with OpenSSL
The following method is common for command-line users. It uses the OpenSSL utility.
To complete this task:
- Locate your certificate and key files. Make sure you have:
  - Certificate file (<filename>.crt or <filename>.cer)
  - Private key file (<filename>.key or <filename>.pem)
- Navigate to your OpenSSL installation directory if needed, then open a command prompt (or an OpenSSL command prompt).
- Use the following command:
  openssl pkcs12 -export -out <file-name>.pfx -inkey <path-to-private-key> -in <path-to-certificate>
- Enter and confirm a password for your PFX or P12 file when prompted.
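The following is an added example, not Veracode's own code: it runs the openssl pkcs12 -export step above non-interactively and then checks the export password and certificate count before you enter that password in the Platform. It assumes the openssl binary (1.1 or 3.x) is on PATH; the self-signed certificate it creates stands in for the one issued for your application, and the password is constructed.

```python
import subprocess
import tempfile
from pathlib import Path


def _openssl(*args):
    """Run one openssl command; return (ok, stdout). Never raises on a non-zero exit."""
    proc = subprocess.run(["openssl", *args], capture_output=True, text=True)
    return proc.returncode == 0, proc.stdout


def make_test_material(workdir):
    """Create client.key and a throwaway self-signed client.crt so the example runs offline."""
    key, crt = Path(workdir, "client.key"), Path(workdir, "client.crt")
    ok, _ = _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                     "-subj", "/CN=dast-client-example", "-keyout", str(key), "-out", str(crt))
    if not ok:
        raise RuntimeError("openssl req failed")
    return key, crt


def build_pfx(key, crt, out, password, *extra):
    """The page's 'openssl pkcs12 -export' step; -passout supplies the password without a prompt.
    Pass extra=("-certfile", "chain.pem") to include intermediate certificates in the bundle."""
    ok, _ = _openssl("pkcs12", "-export", "-out", str(out), "-inkey", str(key),
                     "-in", str(crt), "-passout", f"pass:{password}", *extra)
    return ok


def verify_pfx(pfx, password):
    """True only if the PKCS#12 MAC verifies under `password`, i.e. the value you will
    enter as the certificate password actually unlocks the private key."""
    ok, _ = _openssl("pkcs12", "-in", str(pfx), "-noout", "-passin", f"pass:{password}")
    return ok


def count_certs(pfx, password):
    """Number of certificates in the bundle (leaf plus any intermediates)."""
    ok, pem = _openssl("pkcs12", "-in", str(pfx), "-nokeys", "-passin", f"pass:{password}")
    return pem.count("-----BEGIN CERTIFICATE-----") if ok else 0


WORK = Path(tempfile.mkdtemp())
PFX_PASS = "correct horse battery staple"   # constructed; choose your own
KEY, CRT = make_test_material(WORK)
PFX = WORK / "client.pfx"
if not build_pfx(KEY, CRT, PFX, PFX_PASS):
    raise RuntimeError("openssl pkcs12 -export failed")
```

If verify_pfx returns False for the password you intend to enter, the scanner will not be able to decrypt the key either, so fix the bundle before uploading it.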