Skip to main content

Configure authentication methods for web application scans

Veracode can use several authentication methods to scan your web applications. You can configure the following authentication methods in the Veracode Platform to provide access to Veracode to scan your web applications.

Configure form-based login

Use form-based authentication when your web application includes a login form that requires more than just a username and password.

Veracode recommends modifying the default configurations as follows:

To complete this task:

  1. Sign in to the Veracode Platform.
  2. Select Scans and Analysis > DAST Essentials.
  3. Locate the web application you want to configure. In the Actions column, select Configure.
  4. Select the Authentication tab.
  5. In the Form-based authentication section, under Sign-in URL, enter the URL of the login form.
  6. To use AI-assisted login, switch on the AI Login toggle. AI-assisted login uses generative AI to complete complex login forms. Use AI-assisted login when auto-login fails or when the login flow requires more than just a username and password.
  7. Under Username and Password, enter the login credentials for the URL.

Configure login scripts

Use login script authentication if your application uses a customized or multi-step login form. You can record and upload a login sequence that Veracode uses to automatically log in to your application. This method is best for multi-step login sequences that include one or more authentication factors, such as username, password, or PIN. You can also combine login script authentication with basic authentication methods.

note

If you do not use Selenium IDE to record your script, it might not work as expected.

To complete this task:

  1. Record your login sequence script with Selenium IDE using supported Selenium commands. Save the JSON script in the .side file format, which is the standard format used by Selenium IDE.
  2. To upload the file, sign in to the Veracode Platform.
  3. Select Scans and Analysis > DAST Essentials.
  4. Locate the web application you want to configure. In the Actions column, select Configure.
  5. Select the Authentication tab.
  6. In the Enterprise mode authentication settings section, for Log in script, upload the file. Veracode supports both HTML and SIDE file formats, but recommends using SIDE for test suites and multi-step sequences. You can also provide a logout script if it is necessary.

Download a login script

If you use login script authentication and have uploaded a login script, you can download it to verify its information.

To complete this task:

  1. Sign in to the Veracode Platform.
  2. Select Scans and Analysis > DAST Essentials.
  3. Locate the web application from which you want to download the login script. In the Actions column, select Configure.
  4. Select the Authentication tab.
  5. In the Enterprise mode authentication settings section, from Log in script, download the file.

You can watch this video tutorial to learn how to create login scripts using Selenium IDE.

Use form-based login with a login script to create an authenticated DAST essentials analysis with the REST API.

Configure scanner variables

You configure scanner variables in the Veracode Platform to define information that you can reference in your login scripts for web application scans.

Configure client certificates

Add a client certificate and associated password if your application requires a certificate for login. The certificate file must be in PFX or P12 format, equivalent to the PKCS#12 standard, which stores the private key, leaf certificate, and intermediate certificates in one encrypted, password-protected file.

The PFX or P12 format is a private certificate that contains both public and private keys required for encryption and secure authentication. You can generate a PFX or P12 file with the openssl pkcs12 -export command using your certificate (.crt or .cer) and private key (.key or .pem), or with web-based tools.

To complete this task:

  1. Sign in to the Veracode Platform.
  2. Select Scans and Analysis > DAST Essentials.
  3. Locate the web application you want to configure. In the Actions column, select Configure.
  4. Select the Authentication tab.
  5. In the Enterprise mode authentication settings section, under Client Certificate, drag the certificate file from your File Explorer into the Certification field in the browser window. Alternatively, browse to and select the certificate file manually. Ensure the file is in PKCS#12 format, typically with a .pfx or .p12 extension.
  6. For Password, enter the certificate password to decrypt the private key in the .p12 file.

Generate a PFX or P12 file with OpenSSL

The following method is common for command-line users. It uses the OpenSSL utility.

To complete this task:

  1. Locate your certificate and key files. Make sure you have:

    • Certificate file (<filename>.crt or <filename>.cer)
    • Private key file (<filename>.key or <filename>.pem)

  2. Navigate to your OpenSSL installation directory if needed, then open a command prompt (or an OpenSSL command prompt).

  3. Use the following command:

    openssl pkcs12 -export -out <file-name>.pfx -inkey <path-to-private-key> -in <path-to-certificate>

  4. Enter and confirm a password for your PFX or P12 file when prompted.

Last updated on