
Authenticated scans

Ostorlab supports authenticated scans of mobile applications, web applications and their backend servers. Credentials are set at scan creation through the "Add Test Credentials" menu.

Test Credentials

Test credentials cover more than a username and password: payment card data for test payments, an address and phone number for test checkouts, and script credentials. A script credential is a JavaScript file produced by recording a specific user flow; during the scan the engine replays that flow, for example to log in.

Web App Authentication with Puppeteer script / Chrome Recorder

To authenticate against the web application, Ostorlab accepts a Puppeteer script that is executed during the scan. The Chrome DevTools Recorder panel can generate this script: record the login flow once in the browser.

Once the recording is ready, export it as a Puppeteer script.

In the Scan credentials step, add a script block and upload the exported script.

Complex authentication schemes for mobile applications

Complex authentication schemes, such as OTP codes or a randomised numerical keypad, are either automated with Appium scripts or, for one-off scans, performed manually by an Ostorlab support member.

If your application requires a custom authentication scheme, please get in touch with support@ostorlab.dev for advice.

These workflows can be automated with custom Appium scripts. For now, script integration is done by the Ostorlab team, which reviews the code before including it in future scan runs.

Mobile Application Authentication with Certificate

Ostorlab supports authenticating a mobile application with a user certificate. In the Scan credentials step, add a certificate block and upload your certificate. The certificate must be in PEM format. Since it is installed on Ostorlab's scan devices, use a certificate issued for testing rather than a production identity.

The certificate is installed on the test devices before the dynamic analysis starts.