Create an authenticated Dynamic Analysis with the REST API
You can use the Dynamic Analysis API to create an analysis that uses auto-login, basic authentication, form-based login with a login script, and custom HTTP headers. The scan generates a unique identifier (UUID) for your specified authentication method.
To complete this task:
- Enter values for the scan_config_request, auth_configuration, and schedule properties in the JSON file.
- Send the following request:
http --auth-type=veracode_hmac POST "https://api.veracode.com/was/configservice/v1/analyses" < input.json
These are examples of the different types of authentication you can use with a Dynamic Analysis:
Auto-login
{
  "name": "Name-of-Your-Dynamic-Analysis",
  "scans": [
    {
      "scan_config_request": {
        "target_url": {
          "url": "http://www.example.com",
          "http_and_https": true,
          "directory_restriction_type": "DIRECTORY_AND_SUBDIRECTORY"
        },
        "auth_configuration": {
          "authentications": {
            "AUTO": {
              "username": "{your_username}",
              "password": "{your_password}",
              "authtype": "AUTO"
            }
          }
        }
      }
    }
  ],
  "schedule": {
    "now": true,
    "duration": {
      "length": 1,
      "unit": "DAY"
    }
  }
}
Client Certificate
{
  "name": "Name-of-Your-Dynamic-Analysis",
  "scans": [
    {
      "scan_config_request": {
        "target_url": {
          "url": "http://www.example.com",
          "http_and_https": true,
          "directory_restriction_type": "DIRECTORY_AND_SUBDIRECTORY"
        },
        "auth_configuration": {
          "authentications": {
            "CERT": {
              "cert_name": "{certificate_name.p12}",
              "password": "{your_password}",
              "base64_pkcs12": "{base64 encoded p12 cert}",
              "authtype": "CERT"
            }
          }
        }
      }
    }
  ],
  "schedule": {
    "now": true,
    "duration": {
      "length": 1,
      "unit": "DAY"
    }
  }
}
Basic Authentication
{
  "name": "Name-of-Your-Dynamic-Analysis",
  "scans": [
    {
      "scan_config_request": {
        "target_url": {
          "url": "http://www.example.com",
          "http_and_https": true,
          "directory_restriction_type": "DIRECTORY_AND_SUBDIRECTORY"
        },
        "auth_configuration": {
          "authentications": {
            "BASIC": {
              "username": "{your_username}",
              "password": "{your_password}",
              "authtype": "BASIC"
            }
          }
        }
      }
    }
  ],
  "schedule": {
    "now": true,
    "duration": {
      "length": 1,
      "unit": "DAY"
    }
  }
}
Form-Based Login with Login Script
Before adding the crawl script to the API body, you must escape the JSON. If you need assistance, use the JSON escape utility available from https://jsonformatter.org.
{
  "name": "Name-of-Your-Dynamic-Analysis",
  "scans": [
    {
      "scan_config_request": {
        "target_url": {
          "url": "http://www.example.com",
          "http_and_https": true,
          "directory_restriction_type": "DIRECTORY_AND_SUBDIRECTORY"
        },
        "auth_configuration": {
          "authentications": {
            "FORM": {
              "script_file": "{example_login_script.side}",
              "login_script_data": {
                "script_body": "{script_as_escaped_JSON}",
                "script_type": "SELENIUM"
              },
              "authtype": "FORM"
            }
          }
        }
      }
    }
  ],
  "schedule": {
    "now": true,
    "duration": {
      "length": 1,
      "unit": "DAY"
    }
  }
}
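The escaping step for form-based login, as an added example that is not Veracode's own code: Python's json module validates a Selenium IDE .side file and serializes it into the script_body string of the request body. The function name, file names and the sample script are assumptions constructed for illustration.

```python
import json

# Constructed sample: a minimal Selenium IDE (.side) document, not a real login script.
SAMPLE_SIDE = json.dumps({
    "name": "login",
    "tests": [{"name": "login", "commands": [
        {"command": "open", "target": "/login", "value": ""},
        {"command": "type", "target": "css=input[name=\"user\"]", "value": "demo\\user"},
    ]}],
}, indent=2)


def build_form_login_analysis(name, target_url, script_file, side_text):
    """Return the request body (JSON text) for a FORM-authenticated analysis.

    Hypothetical helper; the property names follow the example above.
    """
    # Reject a truncated or hand-edited script before it reaches the API.
    json.loads(side_text)
    form = {
        "script_file": script_file,
        # Plain string here; json.dumps below escapes quotes, backslashes, newlines.
        "login_script_data": {"script_body": side_text, "script_type": "SELENIUM"},
        "authtype": "FORM",
    }
    body = {
        "name": name,
        "scans": [{"scan_config_request": {
            "target_url": {
                "url": target_url,
                "http_and_https": True,
                "directory_restriction_type": "DIRECTORY_AND_SUBDIRECTORY",
            },
            "auth_configuration": {"authentications": {"FORM": form}},
        }}],
        "schedule": {"now": True, "duration": {"length": 1, "unit": "DAY"}},
    }
    return json.dumps(body, indent=2)


if __name__ == "__main__":
    # Write the file that the request above reads from stdin.
    with open("input.json", "w", encoding="utf-8") as fh:
        fh.write(build_form_login_analysis(
            "Name-of-Your-Dynamic-Analysis", "http://www.example.com",
            "example_login_script.side", SAMPLE_SIDE))
```

Because the script is embedded as a string, parsing the body and then parsing script_body again must return the original .side document; a mismatch means the script was escaped twice or not at all.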
Custom Headers
The following example is for a Dynamic Analysis of an API.
{
  "name": "Name-of-Your-Dynamic-Analysis",
  "scans": [
    {
      "scan_config_request": {
        "target_url": {
          "url": "http://www.example.com",
          "http_and_https": true
        },
        "auth_configuration": {
          "authentications": {
            "HEADER": {
              "authtype": "HEADER",
              "headers": [
                {
                  "key": "{header_name}",
                  "value": "{your_custom_header}",
                  "url": "{optional_target_url}"
                },
                {
                  "key": "{header_name}",
                  "value": "{your_custom_header}",
                  "url": "{optional_target_url}"
                }
              ]
            }
          }
        },
        "api_scan_setting": {
          "spec_id": "{API_specification_ID}"
        }
      },
      "internal_scan_configuration": {
        "enabled": false,
        "endpoint_id": "",
        "gateway_id": ""
      }
    }
  ],
  "visibility": {
    "setup_type": "SEC_LEADS_ONLY",
    "team_identifiers": []
  },
  "schedule": {
    "now": true,
    "duration": {
      "length": 1,
      "unit": "DAY"
    }
  }
}
Authentication Method ID
When you run a Dynamic Analysis scan, it generates a unique identifier (UUID) for your specified authentication method.
To retrieve the UUID for a scan, send a GET request to /v1/scans/{scan_id}/configuration, where scan_id is the ID of your scan.
In the response, the UUID is the value of the authentication_id property.
You do not need to include the authentication_id property when you send a request.