Headers Authentication with Escape

Description

The 'Headers' authentication preset is a straightforward, manual authentication method:

  • Manual Token Injection: Authentication is achieved by manually injecting tokens or credentials into the request headers. No authentication request is necessary.
  • Static Credentials: User credentials are static and defined in advance, making setup simple.
  • Optional Cookies: Cookies can be injected as well, either encoded directly in a Cookie header or listed one by one under the cookies key.
  • Token Expiry Consideration: A key aspect to consider is that since tokens are manually set, they may expire, necessitating regular manual updates to maintain access.

This preset is ideal for scenarios where authentication can be handled via predefined headers, but users should be mindful of the need to regularly update tokens or credentials to avoid access issues.

Examples

presets:
-   type: headers
    users:
    -   username: user1
        main_user: false
        headers:
            Authorization: Bearer user1Token
    -   username: user2
        main_user: false
        cookies:
            session_id: '1234567890'
        headers:
            Authorization: Bearer user2Token
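The following is an added example, not code from Escape or from this page, showing how a scanner client would turn the preset above into the per-user header set it sends, and the pre-scan check the "Token Expiry Consideration" bullet calls for. The preset is embedded as a constructed Python dict mirroring the YAML example rather than parsed from a file; the function names, the JWT-style expiry check, and the choice to fall back to the first user when no main_user is set (the page says a random user is picked) are assumptions of this example.

```python
import base64
import json
import time
from typing import Dict, List, Optional

# Constructed preset: the same two users as the YAML example on this page.
PRESET = {
    "type": "headers",
    "users": [
        {"username": "user1", "main_user": False,
         "headers": {"Authorization": "Bearer user1Token"}},
        {"username": "user2", "main_user": False,
         "cookies": {"session_id": "1234567890"},
         "headers": {"Authorization": "Bearer user2Token"}},
    ],
}


def build_request_headers(user: dict) -> Dict[str, str]:
    """Merge a user's static headers and optional cookies into one header set.

    Cookies listed under the cookies key are serialised into the Cookie header;
    if the user also set a Cookie header by hand, the entries are appended to it.
    """
    headers = dict(user.get("headers") or {})
    cookies = user.get("cookies") or {}
    if cookies:
        cookie_str = "; ".join(f"{k}={v}" for k, v in cookies.items())
        existing = headers.get("Cookie")
        headers["Cookie"] = f"{existing}; {cookie_str}" if existing else cookie_str
    return headers


def select_main_user(preset: dict) -> dict:
    """Return the user flagged main_user; reject presets that flag more than one.

    Assumption of this example: with no main_user we fall back to the first user
    deterministically (the page says the scanner picks one at random).
    """
    mains = [u for u in preset["users"] if u.get("main_user")]
    if len(mains) > 1:
        raise ValueError("only one main_user is allowed per scan")
    return mains[0] if mains else preset["users"][0]


def bearer_token_expiry(headers: Dict[str, str]) -> Optional[int]:
    """Return the exp claim of a JWT-shaped bearer token, or None if unknown.

    The payload is decoded without signature verification: the goal is only to
    warn before a scan that a manually pasted token has already expired.
    Opaque (non-JWT) tokens return None because their lifetime is not visible.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    parts = auth[len("Bearer "):].split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, json.JSONDecodeError):
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    return int(exp) if isinstance(exp, (int, float)) else None


def validate_preset(preset: dict, now: Optional[int] = None) -> List[str]:
    """Collect warnings a practitioner wants before launching a scan."""
    now = int(time.time()) if now is None else now
    warnings: List[str] = []
    if preset.get("type") != "headers":
        warnings.append("preset type is not 'headers'")
    mains = [u["username"] for u in preset["users"] if u.get("main_user")]
    if len(mains) > 1:
        warnings.append(f"more than one main_user: {mains}")
    for u in preset["users"]:
        if not u.get("headers"):
            warnings.append(f"{u['username']}: headers is required")
            continue
        exp = bearer_token_expiry(u["headers"])
        if exp is not None and exp <= now:
            warnings.append(f"{u['username']}: bearer token expired at {exp}")
    return warnings


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped token for demonstrating the expiry check."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    for user in PRESET["users"]:
        print(user["username"], build_request_headers(user))
    print("main user:", select_main_user(PRESET)["username"])
    print("warnings:", validate_preset(PRESET))
```

Running the file prints each user's merged header set (user2 gains a `Cookie: session_id=1234567890` header) and an empty warning list, because the example's opaque tokens carry no visible expiry. Replacing a token with a JWT whose `exp` is in the past produces a per-user warning, which is the cheap check worth running before every scan when tokens are maintained by hand.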

Extensive Configuration

| Property | Type | Default | Description |
|---|---|---|---|
| type * | Const[headers] | headers | |
| users * | List[HeadersUserPreset] | | A list of users with basic credentials to create |

Objects

HeadersUserPreset

| Property | Type | Default | Description |
|---|---|---|---|
| basic | string | null | The HTTP Basic authentication value to attach to the HTTP requests sent for this user. |
| cookies | Dict[string, string] | null | Optional cookies injected during the authentication process and in authenticated requests. |
| digest | string | null | The HTTP Digest authentication value to attach to the HTTP requests sent for this user. |
| headers * | Dict[string, string] | | The headers of the user. |
| main_user | boolean | false | When running a frontend DAST scan, this indicates that the scanner must use this user when crawling. There must be only one main user per scan. If none is provided, a random user will be selected. |
| query_parameters | Dict[string, string] | null | Optional query parameters injected during the authentication process and in authenticated requests. |
| username * | string | | The name of the user. |