Ostorlab supports authenticated scans of mobile applications, web applications and backend servers. Credentials are set at scan creation using the "Add Test Credentials" menu.
Web App Authentication with puppeteer script / Chrome recorder
To authenticate the Web application, Ostorlab supports uploading Puppeteer scripts that will be executed during the scan.
To generate the Puppeteer script, you can use the Chrome DevTools Recorder.
Once the record is ready, you need to export it as a
In the Scan credentials step, add a script block and upload the exported script.
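The following is an added example of the kind of Puppeteer login flow that an uploaded script performs; it is not Ostorlab's own code and not a verbatim Chrome Recorder export. The login URL, the form selectors (`#username`, `#password`, `button[type="submit"]`) and the session cookie name are assumptions for a hypothetical login page. The flow is written as a function of a Puppeteer `page` so that it can be exercised against a constructed stand-in without a browser, and the stand-in deliberately never records the typed password.

```javascript
// Log in through a form and report whether the expected session cookie was set.
// `page` is a Puppeteer Page (or the compatible fake below).
async function login(page, { loginUrl, username, password, sessionCookie }) {
  await page.goto(loginUrl, { waitUntil: 'networkidle0' });
  await page.type('#username', username);
  await page.type('#password', password);
  // Start waiting for the navigation before clicking, otherwise a fast
  // redirect after submit can be missed.
  await Promise.all([
    page.waitForNavigation({ waitUntil: 'networkidle0' }),
    page.click('button[type="submit"]'),
  ]);
  const cookies = await page.cookies();
  const authenticated = cookies.some((c) => c.name === sessionCookie);
  return authenticated;
}

// Constructed stand-in for a Puppeteer Page so the flow can be run and
// checked offline. It records the call sequence (selectors only, never the
// typed values, so credentials do not end up in logs) and only returns a
// session cookie after the submit button was clicked.
function fakePage(sessionCookie) {
  const calls = [];
  let submitted = false;
  return {
    calls,
    async goto(url) { calls.push(['goto', url]); },
    async type(selector) { calls.push(['type', selector]); },
    async click(selector) {
      calls.push(['click', selector]);
      submitted = selector.includes('submit');
    },
    async waitForNavigation() { calls.push(['waitForNavigation']); },
    async cookies() {
      calls.push(['cookies']);
      return submitted ? [{ name: sessionCookie, value: 'constructed-value' }] : [];
    },
  };
}

// Offline self-check: run the flow against the fake page and return what
// it did, so the sequence and the outcome can be inspected.
async function selfCheck() {
  const creds = {
    loginUrl: 'https://app.example.invalid/login', // assumed URL
    username: 'scan-user',                          // constructed test account
    password: 'constructed-password',
    sessionCookie: 'sessionid',                     // assumed cookie name
  };
  const page = fakePage(creds.sessionCookie);
  const authenticated = await login(page, creds);
  return { authenticated, calls: page.calls };
}

// Real run for local verification before uploading (needs `npm install puppeteer`).
async function runWithBrowser(creds) {
  const puppeteer = require('puppeteer');
  const browser = await puppeteer.launch();
  try {
    const page = await browser.newPage();
    page.setDefaultTimeout(15000);
    return await login(page, creds);
  } finally {
    await browser.close();
  }
}
```

Running `selfCheck()` shows the call order `goto, type, type, waitForNavigation, click, cookies` and `authenticated: true`; `runWithBrowser(creds)` performs the same flow in a real headless Chrome, which is the useful check to make before uploading the script: if the function returns `false`, the selectors or the cookie name are wrong and the scan would run unauthenticated.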
Complex authentication schemes for mobile applications
Complex authentication schemes like OTP or the random numerical pad are either automated using Appium scripts or manually performed for one-offs by an Ostorlab support member.
If your application requires a custom authentication scheme, please get in touch with email@example.com for advice.
These workflows can be automated using custom Appium scripts. For now, the Ostorlab team integrates the script itself so the code can be reviewed before it runs in future scans.
Mobile applications Authentication with Certificate
Ostorlab supports authenticating a mobile application using a user certificate.
In the Scan credentials step, add a certificate block and upload your certificate. The certificate must be in PEM format.
The certificate will be installed on the devices before running the dynamic analysis.
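As an added example (not Ostorlab's code), the check below can be run on a certificate file before uploading it to the certificate block. It verifies only what the requirement above states, that the file is PEM: it looks for `-----BEGIN ...-----`/`-----END ...-----` blocks, base64-decodes each body and confirms it starts with a DER SEQUENCE tag (0x30), counts `CERTIFICATE` blocks, and flags private-key blocks so a key is not uploaded by accident. It does not validate the certificate itself. The embedded sample PEM is constructed from a five-byte DER placeholder, not a real certificate.

```javascript
// One PEM block: label, base64 body (may span lines), matching END label.
const PEM_BLOCK = /-----BEGIN ([A-Z ]+)-----\r?\n([A-Za-z0-9+/=\r\n]+?)-----END \1-----/g;

// Inspect a PEM file's text and report what it contains.
function inspectPem(text) {
  const result = { certificates: 0, privateKeys: 0, otherBlocks: [], problems: [] };
  let seen = false;
  for (const m of text.matchAll(PEM_BLOCK)) {
    seen = true;
    const label = m[1];
    const der = Buffer.from(m[2].replace(/\s+/g, ''), 'base64');
    // Certificates and keys are DER objects that begin with a SEQUENCE (0x30).
    if (der.length === 0 || der[0] !== 0x30) {
      result.problems.push(`${label}: body does not decode to a DER SEQUENCE`);
    }
    if (label === 'CERTIFICATE') result.certificates += 1;
    else if (label.endsWith('PRIVATE KEY')) result.privateKeys += 1;
    else result.otherBlocks.push(label);
  }
  if (!seen) {
    // Most common cause: a binary DER (.der/.cer) or PKCS#12 (.p12/.pfx) file
    // was supplied instead of PEM.
    const firstByte = Buffer.from(text, 'latin1')[0];
    result.problems.push(
      firstByte === 0x30
        ? 'no PEM blocks; input looks like binary DER, convert it to PEM first'
        : 'no PEM blocks found',
    );
  } else if (result.certificates === 0) {
    result.problems.push('no CERTIFICATE block found');
  }
  if (result.privateKeys > 0) {
    result.problems.push('file also contains a private key; upload only what the scan needs');
  }
  return result;
}

// Constructed sample: the body is base64 of the DER bytes 30 03 02 01 01,
// a SEQUENCE wrapping INTEGER 1, which is enough to exercise the check.
const SAMPLE_PEM = [
  '-----BEGIN CERTIFICATE-----',
  'MAMCAQE=',
  '-----END CERTIFICATE-----',
  '',
].join('\n');

// Convenience wrapper for a file on disk, e.g. checkFile('client.pem').
function checkFile(path) {
  return inspectPem(require('fs').readFileSync(path, 'latin1'));
}
```

`inspectPem(SAMPLE_PEM)` reports one certificate and no problems. A DER file produces the "looks like binary DER" problem; `openssl x509 -inform der -in cert.der -out cert.pem` converts it to PEM.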