Skip to main content

Authentication methods for web application scans

Veracode can use several authentication methods to access your web application for Dynamic Analysis scanning. You can configure the following authentication methods in the Veracode Platform.

Auto-Login

This method is selected by default as it is the common method for most applications, including simple login forms that have a username, password, and login button. Auto-login also works for browser-generated logins, such as basic authentication and NTLMv2. For NTLMv2, you can include the NetBIOS domain separated from the username with a backslash, for example, DOMAIN\username. You can combine auto-login authentication with basic authentication.

Login Script

This is an advanced option that you only need to configure for complex sites on which auto-login fails.

If your application uses a customized or complex form for its login, you can add login script authentication to auto-login authentication. You can also replace auto-login authentication with an explicit login script. You must record your login sequence script with Selenium IDE using supported Selenium commands. Save your JSON in the SIDE file format and upload it in the Login Script section. HTML file format is also supported, however, you must upload test suites in the SIDE file format. Optionally, you can also provide a logout script.

note

If you do not use Selenium, the scripts might not work.

Record and upload a login sequence that Veracode uses to automatically log in to your application. Use this method for multistep login sequences that contain one or more authentication methods, such as username, password, and PIN. You can also combine login script authentication with basic authentication.

If you use login script authentication and have uploaded a login script, you can download it at any time to verify its information. Go to the Dynamic Analysis Summary page and select the URL that has the login script. In the URL Configuration section, click the link in the Login Script field to download the file.

An advanced use case you can use is the combination of login-script and basic authentication methods.

Client Certificate

If you want to scan an application that requires a certificate, you upload the certificate and associated password to enable Veracode to access that application. The certificate file must be in the PFX or P12 format.

Basic Authentication (Browser-generated)

The basic authentication method provides information for a site that uses basic or browser-generated authentication where the browser prompts you for credentials in its own popup window. Enter the username and password you want Veracode to use. Optionally, you can enter the domain name. You can use this method alone or in combination with the auto-login or login script methods.

If your site uses both site uses both web page-based login (auto-login) and a browser-generated login (basic authentication/NTLMv2), but with different credentials for each method, you can use a combination of auto-login and basic authentication methods. This advanced use case is not typical. Veracode uses the username and password you enter for auto-login for web page-based login, and the username, password, and domain you provide for basic authentication is for browser-generated logins and NTLMv2.

Custom HTTP Header

HTTP headers enable the client to pass additional information with each HTTP request to the server. An HTTP header consists of its case-insensitive name followed by a colon (:) and by its value. The server ignores any whitespace before the value.

If your scan requires a specific HTTP header key-value pair to authenticate or correctly view the pages of your website, you can specify custom headers. Each custom header must contain a header name and a header value. You can specify any header name except header names that are forbidden to be specified programmatically, such as the cookie or host header.

The following header names are forbidden:

  • Accept-Charset
  • Accept-Encoding
  • Access-Control-Request-Headers
  • Access-Control-Request-Method
  • Connection
  • Content-Length
  • Cookie
  • Cookie2
  • Date
  • DNT
  • Expect
  • Feature-Policy
  • Host
  • Keep-Alive
  • Origin
  • Proxy-
  • Sec-
  • Referer
  • TE
  • Trailer
  • Transfer-Encoding
  • Upgrade
  • Via

If you specify a URL for matching purposes, Veracode only sends the header to URLs and their subdirectories that match this specified URL. If you do not specify a URL, Veracode sends the header to the target URL listed in the Dynamic Analysis and any of its subdirectories.

You can use wildcards in the URL. For example:

  • https://www.veracode.com matches https://www.veracode.com/home, but not http://www.veracode.com or https://veracode.com
  • https://*.veracode.com matches both https://api.veracode.com and https://veracode.com