Create an authenticated Dynamic Analysis with the REST API
You can use the Dynamic Analysis API to create an analysis that uses auto-login, basic authentication, form-based login with a login script, and custom HTTP headers. The scan generates a unique identifier (UUID) for your specified authentication method.
To complete this task:
- Enter values for the scan_config_request, auth_configuration, and schedule properties in the JSON file.
- Send the following request:
  http --auth-type=veracode_hmac POST "https://api.veracode.com/was/configservice/v1/analyses" < input.json
These are examples of the different types of authentication you can use with a Dynamic Analysis:
Auto-login
{
  "name": "Name-of-Your-Dynamic-Analysis",
  "scans": [
    {
      "scan_config_request": {
        "target_url": {
          "url": "http://www.example.com",
          "http_and_https": true,
          "directory_restriction_type": "DIRECTORY_AND_SUBDIRECTORY"
        },
        "auth_configuration": {
          "authentications": {
            "AUTO": {
              "username": "{your_username}",
              "password": "{your_password}",
              "authtype": "AUTO"
            }
          }
        }
      }
    }
  ],
  "schedule": {
    "now": true,
    "duration": {
      "length": 1,
      "unit": "DAY"
    }
  }
}
Client Certificate
{
  "name": "Name-of-Your-Dynamic-Analysis",
  "scans": [
    {
      "scan_config_request": {
        "target_url": {
          "url": "http://www.example.com",
          "http_and_https": true,
          "directory_restriction_type": "DIRECTORY_AND_SUBDIRECTORY"
        },
        "auth_configuration": {
          "authentications": {
            "CERT": {
              "cert_name": "{certificate_name.p12}",
              "password": "{your_password}",
              "base64_pkcs12": "{base64 encoded p12 cert}",
              "authtype": "CERT"
            }
          }
        }
      }
    }
  ],
  "schedule": {
    "now": true,
    "duration": {
      "length": 1,
      "unit": "DAY"
    }
  }
}
Basic Authentication
{
  "name": "Name-of-Your-Dynamic-Analysis",
  "scans": [
    {
      "scan_config_request": {
        "target_url": {
          "url": "http://www.example.com",
          "http_and_https": true,
          "directory_restriction_type": "DIRECTORY_AND_SUBDIRECTORY"
        },
        "auth_configuration": {
          "authentications": {
            "BASIC": {
              "username": "{your_username}",
              "password": "{your_password}",
              "authtype": "BASIC"
            }
          }
        }
      }
    }
  ],
  "schedule": {
    "now": true,
    "duration": {
      "length": 1,
      "unit": "DAY"
    }
  }
}
Form-Based Login with Login Script
Before you add the crawl script to the API body, you must escape the JSON. If you need assistance, you can use a JSON escape utility, such as JSON formatter.
{
  "name": "Name-of-Your-Dynamic-Analysis",
  "scans": [
    {
      "scan_config_request": {
        "target_url": {
          "url": "http://www.example.com",
          "http_and_https": true,
          "directory_restriction_type": "DIRECTORY_AND_SUBDIRECTORY"
        },
        "auth_configuration": {
          "authentications": {
            "FORM": {
              "script_file": "{example_login_script.side}",
              "login_script_data": {
                "script_body": "{script_as_escaped_JSON}",
                "script_type": "SELENIUM"
              },
              "authtype": "FORM"
            }
          }
        }
      }
    }
  ],
  "schedule": {
    "now": true,
    "duration": {
      "length": 1,
      "unit": "DAY"
    }
  }
}
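As an added example (not part of the original page and not Veracode's code), the escaping step can be left to a JSON serializer instead of a manual escape utility. The helper names build_form_analysis and render_input_json are hypothetical, the sample script is constructed, and the example assumes script_body carries the whole .side file as a string.

```python
import json

# Constructed sample standing in for a Selenium IDE .side export (itself JSON).
SAMPLE_SIDE = """{"id": "constructed-sample", "name": "login", "tests": [{"name": "login",
  "commands": [{"command": "type", "target": "css=input[name=\\"user\\"]", "value": "demo"}]}]}"""


def build_form_analysis(name, target_url, script_file, side_text):
    """Return the request body for a form-based login analysis (hypothetical helper)."""
    json.loads(side_text)  # raises ValueError if the script is not well-formed JSON
    form_auth = {
        "script_file": script_file,
        "login_script_data": {
            "script_body": side_text,  # plain string here; json.dumps escapes it
            "script_type": "SELENIUM",
        },
        "authtype": "FORM",
    }
    scan = {
        "scan_config_request": {
            "target_url": {
                "url": target_url,
                "http_and_https": True,
                "directory_restriction_type": "DIRECTORY_AND_SUBDIRECTORY",
            },
            "auth_configuration": {"authentications": {"FORM": form_auth}},
        }
    }
    schedule = {"now": True, "duration": {"length": 1, "unit": "DAY"}}
    return {"name": name, "scans": [scan], "schedule": schedule}


def render_input_json(body):
    """Serialize the body; quotes and backslashes inside script_body are escaped here."""
    return json.dumps(body, indent=2)


if __name__ == "__main__":
    body = build_form_analysis("Name-of-Your-Dynamic-Analysis", "http://www.example.com",
                               "example_login_script.side", SAMPLE_SIDE)
    with open("input.json", "w", encoding="utf-8") as fh:
        fh.write(render_input_json(body))
```

Running the script writes input.json, which can then be sent with the request shown at the top of this page.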
Custom Headers
The following example is for a Dynamic Analysis of an API.
{
  "name": "Name-of-Your-Dynamic-Analysis",
  "scans": [
    {
      "scan_config_request": {
        "target_url": {
          "url": "http://www.example.com",
          "http_and_https": true
        },
        "auth_configuration": {
          "authentications": {
            "HEADER": {
              "authtype": "HEADER",
              "headers": [
                {
                  "key": "{header_name}",
                  "value": "{your_custom_header}",
                  "url": "{optional_target_url}"
                },
                {
                  "key": "{header_name}",
                  "value": "{your_custom_header}",
                  "url": "{optional_target_url}"
                }
              ]
            }
          }
        },
        "api_scan_setting": {
          "spec_id": "{API_specification_ID}"
        }
      },
      "internal_scan_configuration": {
        "enabled": false,
        "endpoint_id": "",
        "gateway_id": ""
      }
    }
  ],
  "visibility": {
    "setup_type": "SEC_LEADS_ONLY",
    "team_identifiers": []
  },
  "schedule": {
    "now": true,
    "duration": {
      "length": 1,
      "unit": "DAY"
    }
  }
}
Authentication Method ID
When you run a Dynamic Analysis scan, it generates a unique identifier (UUID) for your specified authentication method.
To retrieve the UUID for a scan, send a GET to /v1/scans/{scan_id}/configuration, where scan_id is the ID of your scan.
In the response, the UUID is the value of the authentication_id property.
You do not need to include the authentication_id property when you send a request.