Authentication Reference
AuthenticationConfigurationPresets
Authentication configuration model.
| Property | Type | Default | Description |
| --- | --- | --- | --- |
| $schema | string | null | The schema of the configuration file |
| lifetime | integer | null | The token max duration in seconds. Controls how often the token refresh is triggered. When set, Escape re-executes the authentication procedure at this frequency to obtain a fresh token before the token expiration date is reached. If not provided, the token is considered valid for the duration of the scan. |
| multi_user_is_fallback | boolean | false | If true, the multi-user authentication will be interpreted as a list of fallback users, tried when authenticating the first user fails. |
| presets | List[BasicPreset,BrowserActionsPreset,BrowserAgentPreset,CognitoUserpassPreset,CurlPreset,CurlSequencePreset,DigestPreset,GraphQLPreset,HTTPPreset,HeadersPreset,OAuthAuthorizationCodeBrowserPreset,OAuthClientCredentialsPreset,OAuthROPCPreset] | null | A list of presets used to easily generate procedures and users automatically, following common authentication standards |
| procedures | List[Procedure] | null | The list of authentication procedures to rely on when authenticating users |
| proxy | string | null | An optional global proxy used for all HTTP requests |
| users | List[User] | null | List of users that multiauth will generate authentications for. |
| validation | boolean | null | A flag to enable or disable validation of the generated tokens. Set this to false to skip the validation. Set to true by default. |
Objects
AuthenticationVariable
| Property | Type | Default | Description |
| --- | --- | --- | --- |
| name* | string | | The name of the variable |
| value* | string | | The value of the variable |
BasicPreset
The 'Basic' authentication preset is designed for straightforward authentication scenarios:
- Credentials Encoding: User's credentials (username and password) are encoded in base64.
- Header Attachment: The encoded credentials are attached to the request headers.
- Authorization Header: The client sends these credentials in the Authorization header of the HTTP request.
This method provides a simple and direct way to authenticate users, without requiring additional server requests for user creation or authentication. It is best suited for scenarios where simplicity and ease of implementation are prioritized.
Note: While this method is straightforward, it's less secure compared to more advanced authentication methods.
| Property | Type | Default | Description |
| --- | --- | --- | --- |
| type* | Const[basic] | basic | |
| users* | List[BasicUserPreset] | | A list of users with basic credentials to create |
BasicUserPreset
| Property | Type | Default | Description |
| --- | --- | --- | --- |
| allow_failure | boolean | false | If false, authentication failure for this user will fail the scan. Ignored for the main user: failures for the main user are always fatal. |
| basic | string | null | The basic credential (user:password) to attach to the HTTP requests sent for this user. |
| cookies | Dict[string, string] | null | Optional cookies injected during the authentication process and in authenticated requests. |
| digest | string | null | The digest credential (user:password) to attach to the HTTP requests sent for this user. |
| headers | Dict[string, string] | null | Optional headers injected during the authentication process and in authenticated requests. |
| main_user | boolean | false | When running a WebApp Testing scan, this indicates that the scanner must use this user when crawling. There must be only one main user per scan. If none is provided, a random user will be selected. |
| password* | string | | The Basic password of the user. |
| query_parameters | Dict[string, string] | null | Optional query parameters injected during the authentication process and in authenticated requests. |
| role | string | null | The role of the user (e.g., admin, user). |
| username* | string | | The Basic username of the user. |
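The following is an added example, not code from the page or from Escape: it shows what the Basic preset's credential encoding amounts to on the wire, and a reduced, hypothetical version of the preset-to-users expansion that honours the main_user and allow_failure rules from the BasicUserPreset table. The sample preset and the record layout returned by expand_basic_preset are constructed for the example.

```python
import base64
import binascii

# Constructed sample: a BasicPreset entry as it would sit in the presets list,
# using only field names from the BasicPreset / BasicUserPreset tables.
BASIC_PRESET = {
    "type": "basic",
    "users": [
        {"username": "alice", "password": "s3cret", "role": "admin", "main_user": True},
        {"username": "bob", "password": "hunter2", "role": "user", "allow_failure": True},
    ],
}


def basic_authorization(username: str, password: str) -> str:
    """Build the Authorization value HTTP Basic expects: base64 of user:password."""
    if ":" in username:
        # The first colon is the separator, so a colon in the username would be
        # read by the server as the start of the password.
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_authorization(header_value: str) -> tuple:
    """Reverse the encoding. Base64 only obscures the credential, which is why the
    page calls this method less secure: anything that sees the header sees the password."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not a Basic credential")
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credential") from exc
    username, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("Basic credential lacks the ':' separator")
    return username, password


def expand_basic_preset(preset: dict) -> list:
    """Hypothetical, reduced version of the preset-to-users expansion: one record
    per user carrying the header to inject and the scan-control flags."""
    if preset.get("type") != "basic":
        raise ValueError("not a basic preset")
    users = preset["users"]
    if sum(1 for u in users if u.get("main_user", False)) > 1:
        # The main_user description allows only one main user per scan.
        raise ValueError("more than one main_user in preset")
    records = []
    for user in users:
        is_main = user.get("main_user", False)
        records.append({
            "username": user["username"],
            "role": user.get("role"),
            "main_user": is_main,
            # allow_failure is ignored for the main user: its failures stay fatal.
            "allow_failure": user.get("allow_failure", False) and not is_main,
            "headers": [{"name": "Authorization",
                         "value": basic_authorization(user["username"], user["password"])}],
        })
    return records
```

decode_basic_authorization is the view a proxy, log pipeline or any on-path observer gets; that is the reason Basic is only acceptable over TLS.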
BrowserActionsOperation
A low-level operation used to interact with a browser: it performs actions on the browser such as clicking, filling, and checking.
BrowserActionsOperationParameters
| Property | Type | Default | Description |
| --- | --- | --- | --- |
| auto_extraction_urls | List[string] | null | The API URLs to auto-extract request headers from. Extracted headers will be injected automatically into every single authenticated request sent by the scanner. This is particularly useful when authenticating API scans using browser-based authentication. |
| logged_in_detector_text | string | null | The text to detect in the last page to validate that the user is logged in, case-insensitive |
| logged_in_detector_timeout | integer | 10 | The timeout to wait for the logged-in text to be detected (in seconds) |
| login_url* | string | | The URL to perform the login on |
| logout_detection* | BrowserLogoutDetectionConfig | | Configuration for automatic post-login logout detection during browser authentication. |
| proxy_override | string | null | An optional proxy used for this specific request; otherwise the global proxy will be used |
| stealth_mode | boolean | false | If true, the browser will use stealth mode to avoid bot detection (and a potential CAPTCHA). |
BrowserActionsPreset
The Browser Actions authentication preset is ideal for scenarios where the Browser Agent authentication method falls short, as it leverages browser actions to perform login tasks. This preset is especially effective for form-based authentication where inputs are provided directly. Unlike the Browser Agent preset, this preset does not use an AI agent to perform the actions, but browser automation based on Playwright actions and locators. By default, the preset automatically extracts cookies, localStorage and sessionStorage from the browser. If your scan is a Frontend scan, everything will be injected into the scanner's engine to clone the browser behavior. If your scan is an API scan, only the cookies will be injected. If your authentication process stores credentials in local/session storage and you need to authenticate an API, be sure to configure the extractions and injections parameters accordingly.
| Property | Type | Default | Description |
| --- | --- | --- | --- |
| auto_extraction_urls | List[string] | null | The API URLs to auto-extract request headers from. Extracted headers will be injected automatically into every single authenticated request sent by the scanner. This is particularly useful when authenticating API scans using browser-based authentication. If left empty, the auto-extraction URLs are derived automatically from captured API traffic. |
| extractions | List[BrowserExtraction] | null | The extractions used to extract values from the browser: page, browser_local_storage, browser_session_storage, or browser_cookies. |
| injections | Union[BrowserInjection,HTTPInjection] | null | The injection configuration used to inject the tokens into either the HTTP requests, or another browser for Frontend scans. |
| logged_in_detector_text | string | null | The text to detect in the last page to validate that the user is logged in, case-insensitive |
| logged_in_detector_timeout | integer | 10 | The timeout to wait for the logged-in text to be detected (in seconds) |
| login_url* | string | | The URL that presents the login form |
| logout_detection* | BrowserLogoutDetectionConfig | | Configuration for automatic post-login logout detection during browser authentication. |
| stealth_mode | boolean | false | If true, the browser will use stealth mode to avoid bot detection (and a potential CAPTCHA). |
| type* | Const[browser_actions] | browser_actions | |
| users* | List[BrowserActionsUserPreset] | | The list of users to generate tokens for. |
BrowserActionsUserPreset
| Property | Type | Default | Description |
| --- | --- | --- | --- |
| actions* | List[CheckAction,ClickAction,ClickMailMagicLinkAction,FillAction,FillMailTOTPAction,FillTOTPAction,FocusPageAction,GotoAction,SelectAction,SleepAction,SolveCaptchaAction,WaitElementAction,WaitTextAction] | | The actions to perform on the browser |
| allow_failure | boolean | false | If false, authentication failure for this user will fail the scan. Ignored for the main user: failures for the main user are always fatal. |
| basic | string | null | The basic credential (user:password) to attach to the HTTP requests sent for this user. |
| cookies | Dict[string, string] | null | Optional cookies injected during the authentication process and in authenticated requests. |
| digest | string | null | The digest credential (user:password) to attach to the HTTP requests sent for this user. |
| headers | Dict[string, string] | null | Optional headers injected during the authentication process and in authenticated requests. |
| main_user | boolean | false | When running a WebApp Testing scan, this indicates that the scanner must use this user when crawling. There must be only one main user per scan. If none is provided, a random user will be selected. |
| query_parameters | Dict[string, string] | null | Optional query parameters injected during the authentication process and in authenticated requests. |
| role | string | null | The role of the user (e.g., admin, user). |
| username* | string | | The username of the user. |
BrowserAgentAgentic
Settings for the fully agentic browser login mode.
| Property | Type | Default | Description |
| --- | --- | --- | --- |
| enabled | boolean | false | If true, login is driven by an agentic browser. |
| instructions | string | | Optional natural-language guidance for the shared agentic login flow. Use it to describe special steps, alternate buttons, SSO branches, popups, or pages to avoid for every user of this operation. Do not include credentials in this field. |
BrowserAgentOperation
An operation that authenticates in a browser either with deterministic form filling or, when parameters.agentic.enabled is true, with an agentic browser. Use parameters.agentic.instructions for shared guidance that applies to all users, and parameters.logout_detection.instructions to explain how to confirm the session stayed authenticated.
BrowserAgentOperationParameters
| Property | Type | Default | Description |
| --- | --- | --- | --- |
| agentic* | BrowserAgentAgentic | | Configuration for the agentic browser login mode. When disabled, login uses deterministic form detection and automated input filling. |
| auto_extraction_urls | List[string] | null | The API URLs to auto-extract request headers from. Extracted headers will be injected automatically into every single authenticated request sent by the scanner. This is particularly useful when authenticating API scans using browser-based authentication. |
| logged_in_detector_text | string | null | The text to detect in the last page to validate that the user is logged in, case-insensitive |
| logged_in_detector_timeout | integer | 10 | The timeout to wait for the logged-in text to be detected (in seconds) |
| login_url* | string | | The URL to perform the login on |
| logout_detection* | BrowserLogoutDetectionConfig | | Configuration for automatic post-login logout detection during browser authentication. |
| proxy_override | string | null | An optional proxy used for this specific request; otherwise the global proxy will be used |
| stealth_mode | boolean | false | If true, the browser will use stealth mode to avoid bot detection (and a potential CAPTCHA). |
BrowserAgentPreset
The Browser Agent authentication preset is ideal for scenarios where traditional authentication methods fall short, as it leverages browser automation to perform login tasks. This preset is especially effective for frontend-based authentication where inputs are provided directly. By default, it uses deterministic input detection and automated field filling. If agentic.enabled is set to true, it switches to a fully agentic browser that drives the login flow with browser tools using the provided credentials, additional fields, and optional natural-language instructions. Use agentic.instructions for shared login guidance, users[].instructions for user-specific branches or post-login checks, and logout_detection.instructions to describe how Escape should recognize a successful logged-in state after authentication. By default, the preset automatically extracts cookies, localStorage and sessionStorage from the browser. If your scan is a Frontend scan, everything will be injected into the scanner's engine, to clone the browser behavior. If your scan is an API scan, only the cookies will be injected. If your authentication process stores credentials in local/session storage and you need to authenticate an API, be sure to configure the extractions and injections parameters accordingly.
| Property | Type | Default | Description |
| --- | --- | --- | --- |
| agentic* | BrowserAgentAgentic | | Configuration for the agentic browser login mode. When disabled, authentication keeps using deterministic form detection and automated input filling. |
| auto_extraction_urls | List[string] | null | The API URLs to auto-extract request headers from. Extracted headers will be injected automatically into every single authenticated request sent by the scanner. This is particularly useful when authenticating API scans using browser-based authentication. If left empty, the auto-extraction URLs are derived automatically from captured API traffic. |
| extractions | List[BrowserExtraction] | null | The extractions used to extract values from the browser: page, browser_local_storage, browser_session_storage, or browser_cookies. |
| injections | Union[BrowserInjection,HTTPInjection] | null | The injection configuration used to inject the tokens into either the HTTP requests, or another browser for Frontend scans. |
| logged_in_detector_text | string | null | The text to detect in the last page to validate that the user is logged in, case-insensitive |
| logged_in_detector_timeout | integer | 10 | The timeout to wait for the logged-in text to be detected (in seconds) |
| login_url* | string | | The URL that presents the login form |
| logout_detection* | BrowserLogoutDetectionConfig | | Configuration for automatic post-login logout detection during browser authentication. |
| stealth_mode | boolean | false | If true, the browser will use stealth mode to avoid bot detection (and a potential CAPTCHA). |
| type* | Const[browser_agent] | browser_agent | |
| users* | List[BrowserAgentUserPreset] | | The list of users to generate tokens for. |
BrowserAgentPresetAdditionalFillAction
| Property | Type | Default | Description |
| --- | --- | --- | --- |
| auto_submit | boolean | false | If true, the field will be submitted automatically after being filled |
| locator* | string | | The locator that will be used to find the field |
| one_by_one | boolean | false | Whether the field should be filled one character at a time, like a TOTP code |
| value* | string | | The value that will be used to set the field |
BrowserAgentUserPreset
Per-user settings for browser-agent authentication.
| Property | Type | Default | Description |
| --- | --- | --- | --- |
| additional_fields* | List[BrowserAgentPresetAdditionalFillAction] | | Additional fields to fill in the login form, in the form selector:value |
| allow_failure | boolean | false | If false, authentication failure for this user will fail the scan. Ignored for the main user: failures for the main user are always fatal. |
| basic | string | null | The basic credential (user:password) to attach to the HTTP requests sent for this user. |
| cookies | Dict[string, string] | null | Optional cookies injected during the authentication process and in authenticated requests. |
| digest | string | null | The digest credential (user:password) to attach to the HTTP requests sent for this user. |
| headers | Dict[string, string] | null | Optional headers injected during the authentication process and in authenticated requests. |
| instructions | string | null | Optional per-user natural-language guidance for the browser agent. Use it for role-specific prompts, post-login checks, user-specific popups, or branches that only affect this user. This field is especially useful when agentic.enabled is true. |
| main_user | boolean | false | When running a WebApp Testing scan, this indicates that the scanner must use this user when crawling. There must be only one main user per scan. If none is provided, a random user will be selected. |
| password* | string | | The password that will be used to auto login |
| post_login_actions | List[CheckAction,ClickAction,ClickMailMagicLinkAction,FillAction,FillMailTOTPAction,FillTOTPAction,FocusPageAction,GotoAction,SelectAction,SleepAction,SolveCaptchaAction,WaitElementAction,WaitTextAction] | | The actions to perform on the browser after the login |
| pre_login_actions | List[CheckAction,ClickAction,ClickMailMagicLinkAction,FillAction,FillMailTOTPAction,FillTOTPAction,FocusPageAction,GotoAction,SelectAction,SleepAction,SolveCaptchaAction,WaitElementAction,WaitTextAction] | null | A list of actions to perform on the browser before the login. Useful for edge cases like accepting cookies, etc. |
| query_parameters | Dict[string, string] | null | Optional query parameters injected during the authentication process and in authenticated requests. |
| role | string | null | The role of the user (e.g., admin, user). |
| username* | string | | The username or email that will be used to auto login |
BrowserExtraction
| Property | Type | Default | Description |
| --- | --- | --- | --- |
| jq | string | null | The jq expression to extract the value from the session storage item |
| key* | string | | The key to use for the extracted value, depending on the location. In the case of the Page location, this represents a Playwright selector |
| location* | BrowserLocation | | The location in the browser where the value should be extracted from. |
| name* | string | | The name of the variable to store the extracted value into; it will be used for injection |
| origin* | string | | The URL of the page, or the origin of the local/session storage or cookies, where the value should be extracted from. |
| regex | string | null | The regex to use to extract the token from the key value. By default the entire value is taken. |
BrowserInjection
| Property | Type | Default | Description |
| --- | --- | --- | --- |
| key* | string | | The key to use for the injected token. Its usage depends on the location. |
| location* | BrowserLocation | | The location in the browser where the token should be injected |
| origin* | string | | The origin of the local storage or session storage where the token should be injected |
| variable* | string | | The name of a variable to retrieve to create the token's value. If not provided, the token will be inferred as the first successful extraction of the procedure |
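As an added example (not code from the page or from Escape), the extraction/injection pipeline the two tables above describe, run against a constructed, in-memory browser state: each BrowserExtraction is resolved to a named variable, and each BrowserInjection writes a variable back into another browser state for a Frontend scan. The default_clone function models the default behaviour stated in the preset descriptions (everything for a Frontend scan, cookies only for an API scan). The jq field and the page location are not simulated; the state layout and sample values are assumptions made for the example.

```python
import re

# Constructed browser state after a login: one dict per BrowserLocation value named on the
# page (page, browser_local_storage, browser_session_storage, browser_cookies), keyed by origin.
SAMPLE_BROWSER_STATE = {
    "browser_cookies": {"https://app.example.test": {"session": "abc123"}},
    "browser_local_storage": {
        "https://app.example.test": {"auth": '{"access_token":"tok.fake.value","expires_in":3600}'},
    },
    "browser_session_storage": {},
    "page": {},
}

# BrowserExtraction entries using the field names from the table above (jq not simulated).
SAMPLE_EXTRACTIONS = [
    {"name": "access_token", "location": "browser_local_storage", "origin": "https://app.example.test",
     "key": "auth", "regex": r'"access_token":"([^"]+)"'},
    {"name": "session_cookie", "location": "browser_cookies", "origin": "https://app.example.test",
     "key": "session", "regex": None},
]

# BrowserInjection entries: put the variables into another browser, as for a Frontend scan.
SAMPLE_INJECTIONS = [
    {"variable": "access_token", "location": "browser_local_storage",
     "origin": "https://app.example.test", "key": "access_token"},
    {"variable": "session_cookie", "location": "browser_cookies",
     "origin": "https://app.example.test", "key": "session"},
]


def extract_variables(state: dict, extractions: list) -> dict:
    """Resolve each BrowserExtraction against the captured state, returning name -> value."""
    variables = {}
    for ext in extractions:
        if ext["location"] == "page":
            # For the page location the key is a Playwright selector, which needs a live browser.
            raise NotImplementedError("page extraction is not simulated")
        store = state.get(ext["location"], {}).get(ext["origin"], {})
        if ext["key"] not in store:
            raise KeyError(f"{ext['key']} not found in {ext['location']} for {ext['origin']}")
        value = store[ext["key"]]
        if ext.get("regex"):
            match = re.search(ext["regex"], value)
            if match is None:
                raise ValueError(f"regex for {ext['name']} did not match")
            # First capture group when there is one, otherwise the whole match.
            value = match.group(1) if match.groups() else match.group(0)
        variables[ext["name"]] = value   # no regex: the entire value is taken, as the table says
    return variables


def inject_variables(target_state: dict, injections: list, variables: dict) -> dict:
    """Apply BrowserInjection entries to a browser state and return it."""
    for inj in injections:
        name = inj.get("variable")
        if name is None:
            # The table says a missing variable falls back to the first successful extraction.
            if not variables:
                raise KeyError("no extraction succeeded, nothing to inject")
            name = next(iter(variables))
        if name not in variables:
            raise KeyError(f"variable {name} was never extracted")
        origin_store = target_state.setdefault(inj["location"], {}).setdefault(inj["origin"], {})
        origin_store[inj["key"]] = variables[name]
    return target_state


def default_clone(captured: dict, api_scan: bool) -> dict:
    """The default described for the browser presets: a Frontend scan receives cookies, local
    and session storage; an API scan receives only the cookies."""
    keep = ("browser_cookies",) if api_scan else (
        "browser_cookies", "browser_local_storage", "browser_session_storage")
    return {loc: {origin: dict(kv) for origin, kv in captured.get(loc, {}).items()} for loc in keep}
```

The API-scan branch of default_clone is exactly the case the preset descriptions warn about: a token kept only in localStorage never reaches the scanner unless an explicit extraction and injection carry it over.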
BrowserLogoutDetectionConfig
Configuration for verifying that a browser login really resulted in an authenticated session.
| Property | Type | Default | Description |
| --- | --- | --- | --- |
| enabled | boolean | true | If true, browser-based authentication will review the post-login page to detect logout or login failure. |
| instructions | string | | Optional natural-language guidance for the post-login logout detection step. Use it to describe what a healthy logged-in state looks like, which redirects or dialogs are expected, and what signals should be treated as logout or login failure. |
CheckAction
| Property | Type | Default | Description |
| --- | --- | --- | --- |
| action* | Const[check] | check | |
| allow_failure | boolean | false | Allow this action to fail without breaking authentication; defaults to false. |
| locator* | string | | The Playwright locator to select the checkbox to check |
| select_first_if_multiple | boolean | false | Whether to select the first element if multiple elements are found. If false, an error will be raised. |
| timeout | integer | 30 | Timeout in seconds for executing the check action |
ClickAction
| Property | Type | Default | Description |
| --- | --- | --- | --- |
| action* | Const[click] | click | |
| allow_failure | boolean | false | Allow this action to fail without breaking authentication; defaults to false. |
| locator* | string | | The Playwright locator to select the element to click on |
| select_first_if_multiple | boolean | false | Whether to select the first element if multiple elements are found. If false, an error will be raised. |
| timeout | integer | 30 | Timeout in seconds for executing the click action |
ClickMailMagicLinkAction
| Property | Type | Default | Description |
| --- | --- | --- | --- |
| action* | Const[click_mail_magic_link] | click_mail_magic_link | |
| allow_failure | boolean | false | Allow this action to fail without breaking authentication; defaults to false. |
| email_address* | string | | The email address where the magic link will be sent. Must be a valid email address matching this pattern: {any_text}.{organization_id_short}@scan.escape.tech |
| new_page | boolean | false | Whether to open a new page for the navigation or remain on the current page |
| timeout | integer | 60 | The timeout (seconds) to wait for the page to load |
CognitoUserpassPreset
The 'Cognito User Password' preset is designed for authentication using AWS Cognito with username and password credentials:
- AWS Cognito Integration: Leverages AWS Cognito, a comprehensive user identity and data synchronization service, for authentication.
- Regional Configuration: Allows specifying the AWS region where the Cognito service is hosted, ensuring proper routing and compliance with data residency requirements.
- Client Credentials: Utilizes a client ID and client secret for secure OAuth requests within the Cognito framework.
- User Authentication: Facilitates the creation and authentication of users with a username and password.
This preset is ideal for systems that use AWS Cognito for managing user authentication, providing a seamless integration with the AWS ecosystem.
| Property | Type | Default | Description |
| --- | --- | --- | --- |
| client_id* | string | | The client ID to use for the OAuth requests |
| client_secret* | string | | The client secret to use for the OAuth requests |
| region* | AWSRegion | | The region of the Cognito service. |
| type* | Const[cognito_userpass] | cognito_userpass | |
| users* | List[CognitoUserpassUserPreset] | | A list of users to create |
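An added example, not code from the page or from Escape, showing how the three preset fields above (client_id, client_secret, region) enter a Cognito username/password authentication. An app client that has a secret requires a SECRET_HASH on the InitiateAuth call, computed as base64(HMAC-SHA256(key = client_secret, message = username + client_id)); the region selects the cognito-idp endpoint. The call itself is not made here (it would go through boto3's cognito-idp client with these keyword arguments); the sample preset values are constructed, and the scopes field of the user preset is not part of this call and is left out.

```python
import base64
import hashlib
import hmac

# Constructed sample values; a real client ID and secret come from the Cognito app client.
SAMPLE_PRESET = {
    "type": "cognito_userpass",
    "region": "eu-west-1",
    "client_id": "example-client-id",
    "client_secret": "example-client-secret",
}


def cognito_secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """SECRET_HASH as Cognito defines it: base64(HMAC-SHA256(client_secret, username + client_id)).

    App clients that have a secret reject USER_PASSWORD_AUTH calls that omit it or that
    compute it for a username other than the one passed as USERNAME.
    """
    mac = hmac.new(client_secret.encode("utf-8"), (username + client_id).encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def cognito_endpoint(region: str) -> str:
    """Regional cognito-idp endpoint; this is what the preset's region field selects."""
    return f"https://cognito-idp.{region}.amazonaws.com"


def build_initiate_auth(user: dict, preset: dict) -> dict:
    """Parameters of the InitiateAuth call for one CognitoUserpassUserPreset entry
    (the same keyword arguments boto3's cognito-idp client takes)."""
    return {
        "AuthFlow": "USER_PASSWORD_AUTH",
        "ClientId": preset["client_id"],
        "AuthParameters": {
            "USERNAME": user["username"],
            "PASSWORD": user["password"],
            "SECRET_HASH": cognito_secret_hash(user["username"], preset["client_id"], preset["client_secret"]),
        },
    }


def tokens_from_auth_result(response: dict) -> dict:
    """Pull the tokens out of an InitiateAuth response. A response that carries a
    ChallengeName (for example NEW_PASSWORD_REQUIRED) has issued no tokens yet."""
    result = response.get("AuthenticationResult")
    if not result:
        raise ValueError(f"no tokens issued, challenge: {response.get('ChallengeName')}")
    return {k: result[k] for k in ("IdToken", "AccessToken", "RefreshToken") if k in result}
```

The ChallengeName branch matters for scan configuration: a user whose account is still in a forced-password-change state authenticates without error at the network level yet never receives a token, which is what the allow_failure and validation flags of this reference are there to surface.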
CognitoUserpassUserPreset
| Property | Type | Default | Description |
| --- | --- | --- | --- |
| allow_failure | boolean | false | If false, authentication failure for this user will fail the scan. Ignored for the main user: failures for the main user are always fatal. |
| basic | string | null | The basic credential (user:password) to attach to the HTTP requests sent for this user. |
| cookies | Dict[string, string] | null | Optional cookies injected during the authentication process and in authenticated requests. |
| digest | string | null | The digest credential (user:password) to attach to the HTTP requests sent for this user. |
| headers | Dict[string, string] | null | Optional headers injected during the authentication process and in authenticated requests. |
| main_user | boolean | false | When running a WebApp Testing scan, this indicates that the scanner must use this user when crawling. There must be only one main user per scan. If none is provided, a random user will be selected. |
| password* | string | | The password of the user. |
| query_parameters | Dict[string, string] | null | Optional query parameters injected during the authentication process and in authenticated requests. |
| role | string | null | The role of the user (e.g., admin, user). |
| scopes | List[string] | null | A list of scopes to request for the user. If not specified, no scope will be requested. |
| username* | string | | The username of the user. |
Credentials
| Property | Type | Default | Description |
| --- | --- | --- | --- |
| actions | List[CheckAction,ClickAction,ClickMailMagicLinkAction,FillAction,FillMailTOTPAction,FillTOTPAction,FocusPageAction,GotoAction,SelectAction,SleepAction,SolveCaptchaAction,WaitElementAction,WaitTextAction] | null | A list of actions to perform for the user when using browser-based authentication |
| basic | string | null | The basic credential to attach to the HTTP requests sent for this user. |
| body | object | null | A body to merge with the bodies of every HTTP request sent for this user |
| cookies* | List[HTTPCookie] | | A list of cookies to attach to every HTTP request sent for this user |
| digest | string | null | The digest credential to attach to the HTTP requests sent for this user. If your authentication looks like curl --digest -u user:password example.com, you can use this field to set the digest. In this example, the right value to set is user:password. |
| headers* | List[HTTPHeader] | | A list of headers to attach to every HTTP request sent for this user |
| local_storage | Dict[string, Dict[string, string]] | null | A dictionary of origins and key values for a local storage to attach to the user when using browser-based authentication |
| password | string | null | The password to attach to the HTTP requests sent for this user. See developer.mozilla.org |
| post_login_actions | List[CheckAction,ClickAction,ClickMailMagicLinkAction,FillAction,FillMailTOTPAction,FillTOTPAction,FocusPageAction,GotoAction,SelectAction,SleepAction,SolveCaptchaAction,WaitElementAction,WaitTextAction] | null | A list of actions to perform on the browser after the login. Useful for edge cases like confirming login, creating a new session, etc. |
| pre_login_actions | List[CheckAction,ClickAction,ClickMailMagicLinkAction,FillAction,FillMailTOTPAction,FillTOTPAction,FocusPageAction,GotoAction,SelectAction,SleepAction,SolveCaptchaAction,WaitElementAction,WaitTextAction] | null | A list of actions to perform on the browser before the login. Useful for edge cases like accepting cookies, etc. |
| query_parameters* | List[HTTPQueryParameter] | | A list of query parameters to attach to every HTTP request sent for this user |
| session_storage | Dict[string, Dict[string, string]] | null | A dictionary of origins and key values for a session storage to attach to the user when using browser-based authentication |
| username | string | null | The username to attach to the HTTP requests sent for this user. See developer.mozilla.org |
CurlPreset
The cURL authentication preset is designed for dynamic token generation and reuse:
- cURL Command Parsing: Parses a cURL command and executes it in a secure sandboxed cURL simulator.
- Dynamic Token Extraction: Extracts the authentication token from the cURL command's HTTP response.
- Token Re-injection: Reinjects the extracted token into subsequent authenticated requests.
This preset is particularly useful for scenarios where authentication tokens are dynamically generated and need to be efficiently extracted and reused in ongoing requests.
The simulator supports a subset of arguments commonly used in cURL:
- url: The URL for the HTTP request.
- -X, --request: Specify a custom request method to use when communicating with the HTTP server.
- -H, --header: Add a header to the request (can be used multiple times for multiple headers).
- -b, --cookie: Add a cookie to the request (can be used multiple times for multiple cookies).
- -d, --data, --data-ascii, --data-binary, --data-raw: Sends the specified data in a POST request.
- -u, --user: Specify the user and password for server authentication.
- -A, --user-agent: Sets the user agent string for the HTTP request.
- -x, --proxy: Use the specified proxy.
- -k, --insecure: Allow connections to SSL sites without certificates.
- -L, --location: Follow redirects (the maximum number of redirects is defined by --max-redirs).
- --max-redirs: Set the maximum number of redirections to follow for -L.
Note: The simulator does not support all cURL arguments. Adding unsupported arguments may result in an error.
| Property | Type | Default | Description |
| --- | --- | --- | --- |
| extractions* | List[HTTPExtraction] | | The token extraction configuration used to extract the tokens from the HTTP response. |
| injections* | List[HTTPInjection] | | The injection configuration used to inject the tokens into the HTTP requests. |
| type* | Const[curl] | curl | |
| users* | List[CurlUserPreset] | | The list of users to generate tokens for. |
CurlSequencePreset
The cURL Sequence authentication preset facilitates complex authentication flows by executing a templated sequence of cURL requests in a secure sandboxed cURL simulator:
- Templated cURL Requests: Enables the definition of a sequence of cURL requests, where each request can be templated with variables.
- Dynamic Token Extractions: Variables are dynamically extracted from the responses of these requests, allowing for sequential data dependency across requests.
- Token Re-injection: Extracted tokens or variables can be reinjected into subsequent authenticated requests.
- User-Specific Variables: Supports defining user-specific variables that can be injected into the cURL sequences.
This preset is particularly useful for complex authentication scenarios where multiple steps or interactions are required, and where each step might depend on the outcome of the previous one.
Warning: This preset requires you to name your variables so that they can be extracted and injected properly in the templates or the final injections.
The simulator supports a subset of arguments commonly used in cURL:
- url: The URL for the HTTP request.
- -X, --request: Specify a custom request method to use when communicating with the HTTP server.
- -H, --header: Add a header to the request (can be used multiple times for multiple headers).
- -b, --cookie: Add a cookie to the request (can be used multiple times for multiple cookies).
- -d, --data, --data-ascii, --data-binary, --data-raw: Sends the specified data in a POST request.
- -u, --user: Specify the user and password for server authentication.
- -A, --user-agent: Sets the user agent string for the HTTP request.
- -x, --proxy: Use the specified proxy.
- -k, --insecure: Allow connections to SSL sites without certificates.
- -L, --location: Follow redirects (the maximum number of redirects is defined by --max-redirs).
- --max-redirs: Set the maximum number of redirections to follow for -L.
Note: The simulator does not support all cURL arguments. Adding unsupported arguments may result in an error.
| Property | Type | Default | Description |
| --- | --- | --- | --- |
| injections | List[HTTPInjection] | null | Final variables injected into the authenticated requests. |
| requests* | List[CurlSequenceRequestPreset] | | A sequence of curl templates used to make requests and extract variables. |
| type* | Const[curl_sequence] | curl_sequence | |
| users* | List[CurlSequenceUserPreset] | | The list of users to generate tokens for. |
CurlSequenceRequestPreset
| Property | Type | Default | Description |
| --- | --- | --- | --- |
| curl* | string | | A curl template used to make a request. |
| extractions | List[HTTPExtraction] | null | Variables extracted from the response that can be templated in further requests. |
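An added example covering both the cURL preset and the cURL Sequence preset above; it is not Escape's simulator or any code from the page. parse_curl accepts exactly the argument subset the two lists enumerate and rejects anything else, as the notes say the simulator does; run_curl_sequence then chains templated requests, extracting named variables from each response and substituting them into the next template. Assumptions: the {{ name }} placeholder syntax (the page only says variables must be named), extractions reduced to a name plus a regex with one capture group (HTTPExtraction is not defined on this page), and the two-step sequence and fake_send responder, which are constructed so the example runs offline.

```python
import re
import shlex

# Option subset listed on the page; anything else is rejected, as the note says the simulator does.
_VALUE_OPTS = {
    "-X": "method", "--request": "method", "-H": "header", "--header": "header",
    "-b": "cookie", "--cookie": "cookie", "-d": "data", "--data": "data",
    "--data-ascii": "data", "--data-binary": "data", "--data-raw": "data",
    "-u": "user", "--user": "user", "-A": "user_agent", "--user-agent": "user_agent",
    "-x": "proxy", "--proxy": "proxy", "--max-redirs": "max_redirs",
}
_FLAG_OPTS = {"-k": "insecure", "--insecure": "insecure", "-L": "follow_redirects", "--location": "follow_redirects"}


def parse_curl(command: str) -> dict:
    """Turn a curl command line into a request description, accepting only the supported subset."""
    tokens = shlex.split(command)
    if not tokens or tokens[0] != "curl":
        raise ValueError("command must start with 'curl'")
    req = {"url": None, "method": None, "headers": {}, "cookies": {}, "data": None, "user": None,
           "user_agent": None, "proxy": None, "insecure": False, "follow_redirects": False, "max_redirs": None}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in _FLAG_OPTS:
            req[_FLAG_OPTS[tok]] = True
        elif tok in _VALUE_OPTS:
            if i + 1 >= len(tokens):
                raise ValueError(f"{tok} needs a value")
            i += 1
            key, val = _VALUE_OPTS[tok], tokens[i]
            if key == "header":
                name, sep, value = val.partition(":")
                if not sep:
                    raise ValueError(f"malformed header {val!r}")
                req["headers"][name.strip()] = value.strip()
            elif key == "cookie":
                for pair in val.split(";"):   # -b takes "name=value; name2=value2"
                    name, _, value = pair.strip().partition("=")
                    req["cookies"][name] = value
            elif key == "max_redirs":
                req[key] = int(val)
            elif key == "data":
                req["data"] = val if req["data"] is None else req["data"] + "&" + val   # curl joins repeated -d with '&'
            else:
                req[key] = val
        elif tok.startswith("-"):
            raise ValueError(f"unsupported cURL argument: {tok}")
        else:
            req["url"] = tok
        i += 1
    if req["url"] is None:
        raise ValueError("no URL given")
    if req["method"] is None:
        req["method"] = "POST" if req["data"] is not None else "GET"
    return req


# Assumed placeholder syntax: the page says variables must be named but shows no template syntax.
_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render_template(template: str, variables: dict) -> str:
    def substitute(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"template variable {name} is not set")
        return variables[name]
    return _PLACEHOLDER.sub(substitute, template)


def run_curl_sequence(requests: list, user_variables: dict, send) -> dict:
    """Run CurlSequenceRequestPreset entries in order; `send` performs one parsed request and
    returns the response body. Variables extracted from each response feed the next template."""
    variables = dict(user_variables)
    for entry in requests:
        # Substitution happens on the command string, so a value containing a quote would change
        # the tokenisation; a real implementation must quote values before substituting them.
        req = parse_curl(render_template(entry["curl"], variables))
        body = send(req)
        for ext in entry.get("extractions") or []:
            match = re.search(ext["regex"], body)
            if match is None:
                raise ValueError(f"extraction {ext['name']} did not match the response")
            variables[ext["name"]] = match.group(1)
    return variables


# Constructed two-step sequence: the login response yields a session token the second request needs.
SAMPLE_SEQUENCE = [
    {"curl": "curl -X POST https://api.example.test/login -H 'Content-Type: application/json'"
             " -d '{\"user\":\"{{ login }}\",\"pass\":\"{{ password }}\"}'",
     "extractions": [{"name": "session", "regex": r'"session":"([^"]+)"'}]},
    {"curl": "curl https://api.example.test/me -H 'Authorization: Bearer {{ session }}'",
     "extractions": [{"name": "user_id", "regex": r'"id":(\d+)'}]},
]


def fake_send(req: dict) -> str:
    """Constructed stand-in for the sandboxed simulator's network exchange."""
    if req["url"].endswith("/login") and req["method"] == "POST" and '"user":"alice"' in (req["data"] or ""):
        return '{"session":"tok-123"}'
    if req["url"].endswith("/me") and req["headers"].get("Authorization") == "Bearer tok-123":
        return '{"id":42,"name":"alice"}'
    return '{"error":"unauthorized"}'
```

The failure mode worth noticing is in run_curl_sequence: an extraction that does not match stops the sequence rather than silently carrying an empty variable into the next request, which is the behaviour you want when a login endpoint starts returning an error body instead of a token.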
CurlSequenceUserPreset
| Property | Type | Default | Description |
| --- | --- | --- | --- |
| allow_failure | boolean | false | If false, authentication failure for this user will fail the scan. Ignored for the main user: failures for the main user are always fatal. |
| basic | string | null | The basic credential (user:password) to attach to the HTTP requests sent for this user. |
| cookies | Dict[string, string] | null | Optional cookies injected during the authentication process and in authenticated requests. |
| digest | string | null | The digest credential (user:password) to attach to the HTTP requests sent for this user. |
| headers | Dict[string, string] | null | Optional headers injected during the authentication process and in authenticated requests. |
| main_user | boolean | false | When running a WebApp Testing scan, this indicates that the scanner must use this user when crawling. There must be only one main user per scan. If none is provided, a random user will be selected. |
| query_parameters | Dict[string, string] | null | Optional query parameters injected during the authentication process and in authenticated requests. |
| role | string | null | The role of the user (e.g., admin, user). |
| username* | string | | The arbitrary name that identifies the user. |
| variables | Dict[string, string] | null | A dict of variables to inject into the cURL sequences. |
CurlUserPreset
| Property | Type | Default | Description |
allow_failure | boolean | false | If false, authentication failure for this user will fail the scan. Ignored for the main user: failures for main user are always fatal. |
basic | string | null | The HTTP Basic credentials to attach to the HTTP requests sent for this user. |
cookies | Dict[string, string] | null | Optional cookies injected during the authentication process and in authenticated requests. |
curl* | string | | The curl command that is used to fetch the tokens for this user. |
digest | string | null | The HTTP Digest credentials to attach to the HTTP requests sent for this user. |
headers | Dict[string, string] | null | Optional headers injected during the authentication process and in authenticated requests. |
main_user | boolean | false | When running a WebApp Testing scan, this indicates that the scanner must use this user when crawling. There must be only one main user per scan. If none is provided, a random user will be selected. |
query_parameters | Dict[string, string] | null | Optional query parameters injected during the authentication process and in authenticated requests. |
role | string | null | The role of the user (e.g., admin, user). |
username* | string | | The arbitrary name that identifies the user. |
DigestPreset
The Digest authentication preset implements HTTP Digest authentication.
The supported authentication method is the equivalent of curl --digest -u user:password example.com, where the username is user and the password is password.
| Property | Type | Default | Description |
type* | Const[digest] | digest | |
users* | List[DigestUserPreset] | | A list of users with digest credentials to create |
DigestUserPreset
| Property | Type | Default | Description |
allow_failure | boolean | false | If false, authentication failure for this user will fail the scan. Ignored for the main user: failures for main user are always fatal. |
basic | string | null | The HTTP Basic credentials to attach to the HTTP requests sent for this user. |
cookies | Dict[string, string] | null | Optional cookies injected during the authentication process and in authenticated requests. |
digest | string | null | The HTTP Digest credentials to attach to the HTTP requests sent for this user. |
headers | Dict[string, string] | null | Optional headers injected during the authentication process and in authenticated requests. |
main_user | boolean | false | When running a WebApp Testing scan, this indicates that the scanner must use this user when crawling. There must be only one main user per scan. If none is provided, a random user will be selected. |
password* | string | | The Digest password of the user. |
query_parameters | Dict[string, string] | null | Optional query parameters injected during the authentication process and in authenticated requests. |
role | string | null | The role of the user (e.g., admin, user). |
username* | string | | The Digest username of the user. |
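What the Digest preset asks the scanner to do for each user is worth seeing concretely, because it explains why the cleartext password has to sit in the configuration: the response value is derived from MD5(username:realm:password), so nothing weaker than the password will do. The following is an added example written for this page, not Escape's or curl's code; it parses a WWW-Authenticate challenge and computes the Authorization header the way curl --digest does, and checks itself against the worked example published in RFC 2617 section 3.5. The challenge text and credentials below are that RFC example, and only algorithm=MD5 is handled.

```python
from __future__ import annotations

import hashlib
import re
import secrets


def parse_digest_challenge(www_authenticate: str) -> dict[str, str]:
    """Split a 'Digest realm=..., nonce=...' challenge into its parameters."""
    scheme, _, params = www_authenticate.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError(f"not a Digest challenge: {scheme!r}")
    pairs = re.findall(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,]+)', params)
    return {key: value.strip().strip('"') for key, value in pairs}


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(*, username: str, password: str, method: str, uri: str,
                    challenge: dict[str, str], cnonce: str, nc: int = 1) -> str:
    """Compute the `response` field exactly as a client (or curl --digest) does.

    HA1 = MD5(user:realm:password) is what the server stores, so a Digest user in a
    scan config is a password in config, not a hash of one.
    """
    algorithm = challenge.get("algorithm", "MD5").upper()
    if algorithm != "MD5":
        raise NotImplementedError(f"only algorithm=MD5 is handled here, got {algorithm}")
    qop = challenge.get("qop", "").split(",")[0].strip() or None
    ha1 = _md5(f"{username}:{challenge['realm']}:{password}")
    ha2 = _md5(f"{method.upper()}:{uri}")
    if qop is None:
        return _md5(f"{ha1}:{challenge['nonce']}:{ha2}")   # RFC 2069 compatibility form
    return _md5(f"{ha1}:{challenge['nonce']}:{nc:08x}:{cnonce}:{qop}:{ha2}")


def authorization_header(*, username: str, password: str, method: str, uri: str,
                         challenge: dict[str, str], cnonce: str | None = None, nc: int = 1) -> str:
    """Build the Authorization header for the next request to `uri`."""
    cnonce = cnonce or secrets.token_hex(8)
    response = digest_response(username=username, password=password, method=method,
                               uri=uri, challenge=challenge, cnonce=cnonce, nc=nc)
    fields = [f'username="{username}"', f'realm="{challenge["realm"]}"',
              f'nonce="{challenge["nonce"]}"', f'uri="{uri}"', f'response="{response}"']
    if "qop" in challenge:
        qop = challenge["qop"].split(",")[0].strip()
        fields += [f"qop={qop}", f"nc={nc:08x}", f'cnonce="{cnonce}"']
    if "opaque" in challenge:
        fields.append(f'opaque="{challenge["opaque"]}"')   # echoed back untouched
    return "Digest " + ", ".join(fields)


# Constructed challenge: the worked example of RFC 2617 section 3.5.
RFC2617_CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
                     'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
                     'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

if __name__ == "__main__":
    challenge = parse_digest_challenge(RFC2617_CHALLENGE)
    print(authorization_header(username="Mufasa", password="Circle Of Life", method="GET",
                               uri="/dir/index.html", challenge=challenge, cnonce="0a4f113b"))
```

The response is bound to the server nonce, the request URI and the client nonce, which is why a captured Authorization header replays poorly; it does nothing to protect the password stored in the preset, and the MD5 construction itself is not a defence against offline guessing if the HA1 values ever leak.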
FillAction
| Property | Type | Default | Description |
action* | Const[fill] | fill | |
allow_failure | boolean | false | Allow this action to fail without breaking authentication, defaults to False. |
auto_submit | boolean | false | Whether the form should be automatically submitted after the fill action |
locator* | string | | The Playwright Locator to select the field to fill |
one_by_one | boolean | false | Whether the field should be typed one character by one character, like a TOTP code |
select_first_if_multiple | boolean | false | Whether to select the first element if multiple elements are found. If false, an error will be raised. |
timeout | integer | 30 | Timeout in seconds for executing the input filling action |
value* | string | | The value to fill in the field |
FillMailTOTPAction
| Property | Type | Default | Description |
action* | Const[fill_mail_totp] | fill_mail_totp | |
allow_failure | boolean | false | Allow this action to fail without breaking authentication, defaults to False. |
auto_submit | boolean | false | Whether the form should be automatically submitted after the fill action |
email_address* | string | | The email address where the TOTP code will be sent. Must be a valid email address matching this pattern: {any_text}.{organization_id_short}@scan.escape.tech |
locator* | string | | The Playwright Locator to select the field to fill |
one_by_one | boolean | false | Whether the field should be typed one character by one character, like a TOTP code |
select_first_if_multiple | boolean | false | Whether to select the first element if multiple elements are found. If false, an error will be raised. |
timeout | integer | 30 | Timeout in seconds for executing the input filling action |
FillTOTPAction
| Property | Type | Default | Description |
action* | Const[fill_totp] | fill_totp | |
allow_failure | boolean | false | Allow this action to fail without breaking authentication, defaults to False. |
auto_submit | boolean | false | Whether the form should be automatically submitted after the TOTP code is filled |
locator* | string | | The Playwright Locator to select the field to fill the TOTP code in |
secret* | string | | The secret to generate the TOTP code from |
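The secret field deserves the same handling as a password: a TOTP code is a deterministic function of the shared secret and the clock, so whoever can read the scan configuration can generate valid second-factor codes for that user. The example below, added here and not taken from Escape's code, implements RFC 6238 over HMAC (SHA-1 by default), shows the character-by-character sequence a one_by_one fill would type, and includes the verification-window check a server performs. The secret used is the published RFC 6238 reference secret, so the codes can be checked against the RFC's own test vectors.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import struct
import time


def totp(secret_b32: str, *, timestamp: int | None = None, step: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """Compute an RFC 6238 TOTP code from a base32-encoded shared secret.

    This is everything the `secret` field enables: the shared secret is the
    second factor itself, so whoever holds the scan config can mint valid codes.
    """
    # Provisioning URIs and authenticator apps hand out unpadded, sometimes
    # lower-case base32 with spaces; normalise before decoding.
    normalised = secret_b32.replace(" ", "").upper()
    normalised += "=" * (-len(normalised) % 8)
    key = base64.b32decode(normalised)
    now = int(time.time()) if timestamp is None else int(timestamp)
    counter = now // step
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation, RFC 4226 5.3
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp_keystrokes(code: str) -> list[str]:
    """The character-by-character sequence a one_by_one=true fill would type."""
    return list(code)


def verify_totp(code: str, secret_b32: str, *, timestamp: int, window: int = 1,
                step: int = 30, digits: int = 6, algorithm: str = "sha1") -> bool:
    """Server-side check tolerating +/- `window` steps of drift, with a constant-time compare."""
    candidates = (
        totp(secret_b32, timestamp=timestamp + k * step, step=step, digits=digits, algorithm=algorithm)
        for k in range(-window, window + 1)
    )
    return any(hmac.compare_digest(code, candidate) for candidate in candidates)


# Constructed input: the reference secret from RFC 6238 Appendix B, i.e. the ASCII
# string "12345678901234567890" in base32; its codes are published test vectors.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    code = totp(RFC6238_SECRET_B32, timestamp=59)
    print(code, totp_keystrokes(code))
```

A code is only valid for one 30-second step plus whatever drift window the server allows, so a fill_totp action that is generated early and typed slowly (long timeouts on the surrounding actions, a captcha in between) can expire before submission; keep the TOTP fill as the last action before the submit.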
FocusPageAction
| Property | Type | Default | Description |
action* | Const[focus_page] | focus_page | |
allow_failure | boolean | false | Allow this action to fail without breaking authentication, defaults to False. |
url_pattern* | string | | The pattern to find in the URL to focus on a page. Should be a regex allowing to match the page using Python re.findall(). |
GotoAction
| Property | Type | Default | Description |
action* | Const[goto] | goto | |
allow_failure | boolean | false | Allow this action to fail without breaking authentication, defaults to False. |
new_page | boolean | false | Whether to create a new page for the navigation or remain on the current page |
timeout | integer | 60 | The timeout (seconds) to wait for the page to load |
url* | string | | The URL to navigate to |
GraphQLPreset
The 'GraphQL' authentication preset facilitates authentication through GraphQL queries:
- GraphQL Endpoint: The authentication is performed against a specified GraphQL endpoint.
- Query Templating: Utilizes a templated GraphQL query for authentication requests.
- Variable Handling: User credentials are passed as variables within the GraphQL query.
- Token Extraction: Specifies how and where to extract authentication tokens (e.g., from the response body).
- Token Injection: Defines how to inject the extracted token into subsequent requests.
This preset is ideal for systems where authentication is managed via GraphQL APIs, allowing for flexible and powerful authentication mechanisms.
| Property | Type | Default | Description |
extractions | List[HTTPExtraction] | | The extractions of the GraphQL query containing the user credentials. |
injections | List[HTTPInjection] | | The injections of the GraphQL query containing the user credentials. |
query* | string | | The templated GraphQL inside the query field of the JSON body of the HTTP request. |
type* | Const[graphql] | graphql | |
url* | string | | The URL of the GraphQL authentication endpoint. |
users* | List[GraphQLUserPreset] | | A list of users with credentials contained in the GraphQL variables of the query |
GraphQLUserPreset
| Property | Type | Default | Description |
allow_failure | boolean | false | If false, authentication failure for this user will fail the scan. Ignored for the main user: failures for main user are always fatal. |
basic | string | null | The HTTP Basic credentials to attach to the HTTP requests sent for this user. |
cookies | Dict[string, string] | null | Optional cookies injected during the authentication process and in authenticated requests. |
digest | string | null | The HTTP Digest credentials to attach to the HTTP requests sent for this user. |
headers | Dict[string, string] | null | Optional headers injected during the authentication process and in authenticated requests. |
main_user | boolean | false | When running a WebApp Testing scan, this indicates that the scanner must use this user when crawling. There must be only one main user per scan. If none is provided, a random user will be selected. |
query_parameters | Dict[string, string] | null | Optional query parameters injected during the authentication process and in authenticated requests. |
role | string | null | The role of the user (e.g., admin, user). |
username* | string | | The name of the user. |
variables* | Dict[string, string] | | The variables of the GraphQL query containing the user credentials. |
HTTPCookie
| Property | Type | Default | Description |
domain | string | null | |
http_only | boolean | null | |
name* | string | | |
path | string | null | |
same_site | string | null | |
secure | boolean | null | |
values* | List[string] | | |
HTTPExtraction
| Property | Type | Default | Description |
key* | string | | The key to use for the extracted value, depending on the location |
location* | HTTPLocation | | The location of the HTTP request where the value should be extracted |
name* | string | | The name of the variable to store the extracted value into |
regex | string | null | The regex to use to extract the token from the key value. By default the entire value is taken. |
HTTPHeader
| Property | Type | Default | Description |
name* | string | | |
values* | List[string] | | |
HTTPInjection
| Property | Type | Default | Description |
key* | string | | The key to use for the injected token. Its usage depends on the location. For headers, cookies,and query parameters, this key describes the name of the header, cookie or query parameter. For a body location, the key is the field where the token should be injected within the request bodies |
location* | HTTPLocation | | The location of the HTTP request where the token should be injected |
prefix | string | null | A prefix to prepend to the token before it is injected |
variable* | string | | The name of a variable to retrieve to create the token's value. If not provided, the token will be inferred as the first successful extraction of the procedure |
HTTPOperation
The 'HTTP Request' operation is used to send an HTTP request to a given URL. It is a versatile operation that can be used to interact with any HTTP-based API or service.
| Property | Type | Default | Description |
extractions* | List[HTTPExtraction] | | The list of extractions to run at the end of the operation. For HTTP operations, variables are extracted from the response. |
parameters* | HTTPRequestParameters | | The parameters of the HTTP request to send. At least a URL and a method must be provided. |
tech* | Const[http] | http | |
HTTPPreset
The 'HTTP' authentication preset is designed to handle authentication via structured HTTP requests:
- Structured Request: Authentication is performed through a well-defined HTTP request, including URL, method, headers, cookies, query parameters, and body.
- Dynamic Token Management: The preset handles the extraction of authentication tokens from the HTTP response and subsequently reinjects them into future requests.
- User Credentials: Supports attaching various credentials to each user, such as username, password, headers, cookies, and other request parameters.
This method is particularly effective in scenarios where authentication is managed via custom HTTP endpoints, requiring precise control over request composition and token handling.
| Property | Type | Default | Description |
extractions* | List[HTTPExtraction] | | The token extraction configuration used to extract the tokens from the HTTP response. |
injections* | List[HTTPInjection] | | The injection configuration used to inject the tokens into the HTTP requests. |
request* | HTTPRequestPreset | | The parameters of the HTTP request used to fetch the access and refresh tokens. |
type* | Const[http] | http | |
users* | List[HTTPUserPreset] | | The list of users to generate tokens for. |
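The HTTPExtraction, HTTPInjection and HTTPPreset tables above describe one pipeline: send the login request, pull named variables out of the response, then stamp them into every later request with an optional prefix. The example below is added for this page and is not Escape's implementation; it runs that pipeline in memory over a constructed login response. It assumes the HTTPLocation values are header, cookie, body and query (the page names the type but not its members), that a body key is a dotted path into a JSON body, and it deliberately refuses to continue when an extraction regex matches nothing, since an empty token would otherwise be injected and the whole scan would run unauthenticated while looking logged in.

```python
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Assumed HTTPLocation members; the page names the type but does not list them.
LOCATIONS = ("header", "cookie", "body", "query")


@dataclass
class Response:
    status: int
    headers: dict[str, str]
    body: str


def _body_lookup(body: str, key: str):
    """Assumption: for a JSON body, `key` is a dotted path such as data.token."""
    value = json.loads(body)
    for part in key.split("."):
        value = value[part]            # KeyError if the path is absent: fail loudly
    return value


def extract(response: Response, extraction: dict) -> tuple[str, str]:
    """Run one HTTPExtraction against a response and return (name, value)."""
    location, key = extraction["location"], extraction["key"]
    if location == "body":
        raw = _body_lookup(response.body, key)
    elif location == "header":
        raw = response.headers[key]
    elif location == "cookie":
        found = re.search(rf"(?:^|;\s*){re.escape(key)}=([^;]*)",
                          response.headers.get("Set-Cookie", ""))
        if not found:
            raise KeyError(f"cookie {key!r} not set by the response")
        raw = found.group(1)
    else:
        raise ValueError(f"unsupported location {location!r}")
    value = str(raw)
    if regex := extraction.get("regex"):
        match = re.search(regex, value)
        if not match:
            # An empty token would be injected as-is and the scan would look
            # authenticated while every request is effectively anonymous.
            raise ValueError(f"regex {regex!r} matched nothing in {location}:{key}")
        value = match.group(1) if match.groups() else match.group(0)
    return extraction["name"], value


def run_extractions(response: Response, extractions: list[dict]) -> dict[str, str]:
    if response.status >= 400:
        raise ValueError(f"authentication request failed with HTTP {response.status}")
    return dict(extract(response, e) for e in extractions)


def inject(request: dict, injections: list[dict], variables: dict[str, str]) -> dict:
    """Apply HTTPInjection entries to a copy of a request, prefix included."""
    out = {
        "headers": dict(request.get("headers", {})),
        "cookies": dict(request.get("cookies", {})),
        "query": dict(request.get("query", {})),
        "body": dict(request.get("body") or {}),
    }
    targets = {"header": out["headers"], "cookie": out["cookies"],
               "query": out["query"], "body": out["body"]}
    for injection in injections:
        token = (injection.get("prefix") or "") + variables[injection["variable"]]
        targets[injection["location"]][injection["key"]] = token
    return out


# Constructed preset mirroring the HTTPPreset table; host, paths and user are hypothetical.
PRESET = {
    "type": "http",
    "request": {"url": "https://api.example.test/auth/login", "method": "POST",
                "headers": {"Content-Type": "application/json"}},
    "extractions": [
        {"name": "access_token", "location": "body", "key": "data.token"},
        {"name": "refresh", "location": "cookie", "key": "refresh", "regex": r"^([A-Za-z0-9._-]+)$"},
    ],
    "injections": [
        {"location": "header", "key": "Authorization", "prefix": "Bearer ", "variable": "access_token"},
        {"location": "cookie", "key": "refresh", "variable": "refresh"},
    ],
    "users": [{"username": "alice", "password": "hunter2"}],
}

# Constructed login response the preset would receive.
LOGIN_RESPONSE = Response(
    status=200,
    headers={"Content-Type": "application/json",
             "Set-Cookie": "refresh=r3fr3sh.t0ken; HttpOnly; Secure; Path=/"},
    body='{"data": {"token": "eyJhbGciOiJIUzI1NiJ9.e30.sig", "user": {"id": 7}}}',
)

if __name__ == "__main__":
    variables = run_extractions(LOGIN_RESPONSE, PRESET["extractions"])
    print(inject({"headers": {"Accept": "application/json"}}, PRESET["injections"], variables))
```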
HTTPQueryParameter
| Property | Type | Default | Description |
name* | string | | |
values* | List[string] | | |
HTTPRequestParameters
| Property | Type | Default | Description |
body | object | null | The body of the request. It can be a string or a JSON object. It is merged with the user credentials body if provided. If bodies of the HTTP request and of the user credentials are both JSON objects, they are merged. If the two bodies are strings, they are concatenated. If the two bodies are of different types, the body of the user credentials is used instead of this value. |
cookies* | List[HTTPCookie] | | The list of cookies to attach to the request. Cookies are merged with the user credentials cookies. It is possible to attach multiple values to a cookie. Cookie values are url-encoded before being sent. |
follow_redirects | integer | null | The number of redirects to follow |
headers* | List[HTTPHeader] | | The list of headers to attach to the request. Headers are merged with the user credentials headers. It is possible to attach multiple values to a header. |
insecure | boolean | null | If true, the server's TLS certificate is not verified (the equivalent of curl --insecure). Leave it unset unless the target presents a certificate the scanner cannot validate. |
method | HTTPMethod | POST | The HTTP method to use |
proxy_override | string | null | An optional proxy used for this specific request, else the global proxy will be used |
queryParameters* | List[HTTPQueryParameter] | | The list of query parameters to attach to the request. Query parameters are merged with the user credentials query parameters. It is possible to attach multiple values to a query parameter. Query parameter values are url-encoded before being sent. |
timeout | integer | null | The timeout of the request in seconds |
url* | string | | The URL to send the request to |
HTTPRequestPreset
| Property | Type | Default | Description |
body | object | null | The body of the request. It can be a string or a JSON object. It is merged with the user credentials body if provided. If bodies of the HTTP request and of the user credentials are both JSON objects, they are merged. If the two bodies are strings, they are concatenated. If the two bodies are of different types, the body of the user credentials is used instead of this value. |
cookies | Dict[string, string] | | A dict of cookies to attach to the request, merged with the user credentials cookies. Cookie values are url-encoded before being sent. |
headers | Dict[string, string] | | A dict of headers to attach to the request, merged with the user credentials headers. |
method | HTTPMethod | POST | The HTTP method to use |
query_parameters | Dict[string, string] | | A dict of query parameters to attach to the request, merged with the user credentials query parameters. Query parameter values are url-encoded before being sent. |
url* | string | | The URL to send the request to |
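The body-merging rule stated for both HTTPRequestParameters and HTTPRequestPreset has a sharp edge: when the request body and the user body are of different types, the request body is not merged but replaced, so a grant_type or client_id set at the request level silently disappears if a user supplies a string body. The added example below (written for this page, not Escape's code) implements the documented precedence for bodies, the merge of list-style request parameters with a user's dict, and the URL encoding of cookie and query values, and reports which request fields a mismatched merge would drop. Replacement of a request-level value by the user's value of the same name is an assumption; the page does not say which side wins on collision.

```python
from __future__ import annotations

from urllib.parse import quote, urlencode


def merge_body(request_body, user_body):
    """Documented precedence: dict+dict merge, str+str concatenate, otherwise the user body wins."""
    if user_body is None:
        return request_body
    if request_body is None:
        return user_body
    if isinstance(request_body, dict) and isinstance(user_body, dict):
        # Shallow merge. Assumption: on a key collision the user's value is kept.
        return {**request_body, **user_body}
    if isinstance(request_body, str) and isinstance(user_body, str):
        return request_body + user_body
    # Mixed types: the request body is discarded entirely, not merged.
    return user_body


def dropped_by_merge(request_body, user_body) -> list[str]:
    """Names of request-body fields that the mixed-type rule throws away."""
    if isinstance(request_body, dict) and user_body is not None and not isinstance(user_body, dict):
        return sorted(request_body)
    return []


def merge_multi(request_params: list[dict], user_params: dict[str, str] | None) -> dict[str, list[str]]:
    """Combine List[{name, values}] request entries with a user's Dict[str, str].

    Assumption: a user value replaces the request-level values of the same name.
    """
    merged = {p["name"]: list(p["values"]) for p in request_params}
    for name, value in (user_params or {}).items():
        merged[name] = [value]
    return merged


def cookie_header(cookies: dict[str, list[str]]) -> str:
    """Serialise to one Cookie header; values are URL-encoded as the page states."""
    return "; ".join(f"{name}={quote(value, safe='')}"
                     for name, values in cookies.items() for value in values)


def query_string(params: dict[str, list[str]]) -> str:
    """Serialise multi-valued query parameters, URL-encoding each value."""
    return urlencode([(name, value) for name, values in params.items() for value in values])


if __name__ == "__main__":
    # Constructed inputs: a request-level JSON body and two shapes of user body.
    print(merge_body({"grant_type": "password"}, {"username": "alice", "password": "pw"}))
    print(dropped_by_merge({"grant_type": "password"}, "username=alice&password=pw"))
    print(cookie_header(merge_multi([{"name": "session", "values": ["a"]}], {"tz": "Europe/Paris"})))
```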
HTTPUserPreset
| Property | Type | Default | Description |
allow_failure | boolean | false | If false, authentication failure for this user will fail the scan. Ignored for the main user: failures for main user are always fatal. |
basic | string | null | The HTTP Basic credentials to attach to the HTTP requests sent for this user. |
body | object | null | A body to merge with the bodies of every HTTP requests sent for this user |
cookies | Dict[string, string] | | A dict representing the cookies to attach to every HTTP requests sent for this user |
digest | string | null | The HTTP Digest credentials to attach to the HTTP requests sent for this user. |
headers | Dict[string, string] | | A dict representing the headers to attach to every HTTP requests sent for this user |
main_user | boolean | false | When running a WebApp Testing scan, this indicates that the scanner must use this user when crawling. There must be only one main user per scan. If none is provided, a random user will be selected. |
password | string | null | The password to attach to the HTTP requests sent for this user. See developer.mozilla.org |
queryParameters | Dict[string, string] | | A dict of query parameters to attach to every HTTP requests sent for this user |
role | string | null | The role of the user (e.g., admin, user). |
username* | string | | The username to attach to the HTTP requests sent for this user. See developer.mozilla.org |
HeadersPreset
The 'Headers' authentication preset is a straightforward, manual authentication method:
- Manual Token Injection: Authentication is achieved by manually injecting tokens or credentials into the request headers. No authentication request is necessary.
- Static Credentials: User credentials are static and defined in advance, making setup simple.
- Optional Cookies: Cookies can be injected as well, either directly encoded in the Cookie header or one by one in the cookies key.
- Token Expiry Consideration: Since tokens are set manually, they may expire, necessitating regular manual updates to maintain access.
This preset is ideal for scenarios where authentication can be handled via predefined headers, but users should be mindful of the need to regularly update tokens or credentials to avoid access issues.
| Property | Type | Default | Description |
type* | Const[headers] | headers | |
users* | List[HeadersUserPreset] | | A list of users with static headers to create |
HeadersUserPreset
| Property | Type | Default | Description |
allow_failure | boolean | false | If false, authentication failure for this user will fail the scan. Ignored for the main user: failures for main user are always fatal. |
basic | string | null | The HTTP Basic credentials to attach to the HTTP requests sent for this user. |
cookies | Dict[string, string] | null | Optional cookies injected during the authentication process and in authenticated requests. |
digest | string | null | The HTTP Digest credentials to attach to the HTTP requests sent for this user. |
headers* | Dict[string, string] | | The headers of the user. |
main_user | boolean | false | When running a WebApp Testing scan, this indicates that the scanner must use this user when crawling. There must be only one main user per scan. If none is provided, a random user will be selected. |
query_parameters | Dict[string, string] | null | Optional query parameters injected during the authentication process and in authenticated requests. |
role | string | null | The role of the user (e.g., admin, user). |
username* | string | | The name of the user. |
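The expiry caveat of the Headers preset is easy to check before a scan rather than discovering it halfway through: when a static header carries a JWT, its exp claim says whether the token will outlive the run. The example below is added for this page and is not Escape's code. It decodes the payload of any bearer token that looks like a JWS compact serialisation, deliberately without verifying the signature (the scanner is the client and does not hold the verification key, so this is a sanity check rather than a trust decision), and flags users whose token is already expired or will expire before a scan of the given length ends. The tokens are minted by a constructed HS256 helper with a throwaway key; opaque API keys are left alone.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import re
import time

_JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Decode the payload only. No signature check on purpose: the client never
    holds the verification key, so this inspects, it does not trust."""
    try:
        _, payload, _ = token.split(".")
        return json.loads(_b64url_decode(payload))
    except ValueError as exc:            # wrong segment count, bad base64, bad JSON
        raise ValueError("not a JWS compact token") from exc


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Constructed helper that mints sample tokens for the demo (HS256)."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(signature)}"


def header_token_problems(user: dict, *, now: int | None = None, scan_seconds: int = 3600) -> list[str]:
    """Warnings for a HeadersUserPreset entry whose bearer tokens will not outlive the scan."""
    now = int(time.time()) if now is None else now
    problems: list[str] = []
    for name, value in user.get("headers", {}).items():
        candidate = value.split(" ", 1)[1] if value.lower().startswith("bearer ") else value
        if not _JWT_RE.match(candidate):
            continue                      # opaque token or API key: nothing to inspect
        try:
            claims = jwt_claims(candidate)
        except ValueError:
            problems.append(f"{user['username']}: header {name} looks like a JWT but does not decode")
            continue
        exp = claims.get("exp")
        if exp is None:
            continue
        if exp <= now:
            problems.append(f"{user['username']}: header {name} expired {now - exp}s ago")
        elif exp < now + scan_seconds:
            problems.append(f"{user['username']}: header {name} expires in {exp - now}s, before the scan ends")
    return problems


# Constructed inputs: a throwaway signing key, a fixed clock and three users.
DEMO_KEY = b"demo-signing-key-not-a-real-one"
NOW = 1_700_000_000
USERS = [
    {"username": "fresh", "headers": {"Authorization": "Bearer " + make_hs256_jwt({"sub": "fresh", "exp": NOW + 7200}, DEMO_KEY)}},
    {"username": "stale", "headers": {"Authorization": "Bearer " + make_hs256_jwt({"sub": "stale", "exp": NOW - 60}, DEMO_KEY)}},
    {"username": "apikey", "headers": {"X-API-Key": "k_constructed_opaque_value"}},
]

if __name__ == "__main__":
    for user in USERS:
        print(user["username"], header_token_problems(user, now=NOW))
```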
OAuthAuthorizationCodeBrowserOperation
The OAuth Authorization Code operation handles the complete OAuth 2.0 Authorization Code flow. It automatically navigates to the authorization server, fills in user credentials, handles the redirect with authorization code, and exchanges the code for access tokens.
OAuthAuthorizationCodeBrowserOperationParameters
| Property | Type | Default | Description |
authorization_url* | string | | The OAuth 2.0 authorization endpoint URL with all necessary query parameters |
auto_extraction_urls | List[string] | null | The API URLs to auto-extract request headers from. Extracted headers will be injected automatically into every authenticated request sent by the scanner. This is particularly useful when authenticating API scans with browser-based authentication. |
client_id* | string | | OAuth client ID |
client_secret* | string | | OAuth client secret |
logged_in_detector_text | string | null | The text to detect in the last page to validate the user is logged in, case-insensitive |
logged_in_detector_timeout | integer | 10 | The timeout to wait for the logged in text to be detected (in seconds) |
login_timeout | integer | 30 | Timeout for the login process in seconds |
login_url* | string | | The URL to perform the login on |
logout_detection* | BrowserLogoutDetectionConfig | | Configuration for automatic post-login logout detection during browser authentication. |
proxy_override | string | null | An optional proxy used for this specific request, else the global proxy will be used |
redirect_uri* | string | | The redirect URI to monitor for authorization codes |
stealth_mode | boolean | false | If true, the browser will use stealth mode to avoid bot detection (and a potential CAPTCHA). |
token_url* | string | | The OAuth 2.0 token endpoint URL for exchanging authorization codes |
use_pkce | boolean | true | Whether to use PKCE for enhanced security |
OAuthAuthorizationCodeBrowserPreset
The 'OAuth Authorization Code Browser' preset implements the OAuth 2.0 Authorization Code grant type (RFC 6749, Section 4.1):
- Authorization Endpoint: Users are automatically redirected to the OAuth provider's authorization server where they authenticate.
- Browser Automation: The system automatically fills in user credentials and handles the authorization flow without user interaction.
- Code Exchange: Authorization codes are automatically extracted from the redirect URI and exchanged for access tokens.
- PKCE Support: Implements Proof Key for Code Exchange (RFC 7636) for enhanced security by default.
- Token Management: Automatically handles access tokens and refresh tokens, injecting Bearer tokens into authenticated requests.
Performance Note: This authentication method requires browser automation to handle the interactive authorization flow, making it less efficient than API-only methods like OAuth Client Credentials or Resource Owner Password Credentials that use only programmatic HTTP requests. Use this method when the OAuth provider requires user interaction or when maximum security is needed.
Security: This flow is the most secure OAuth 2.0 grant type as it never exposes user credentials to the client application and includes PKCE protection against authorization code interception attacks.
Use Cases: Ideal for web applications, mobile apps, and any scenario where you need to authenticate users through third-party OAuth providers (Google, GitHub, Auth0, etc.) while maintaining the highest security standards.
| Property | Type | Default | Description |
authorization_url* | string | | The URL of the OAuth 2.0 authorization endpoint where users will be redirected to login |
client_id* | string | | The client ID to use for the OAuth requests |
client_secret* | string | | The client secret to use for the OAuth requests |
login_timeout | integer | 30 | Timeout in seconds to wait for the login process to complete |
logout_detection* | BrowserLogoutDetectionConfig | | Configuration for automatic post-login logout detection during browser authentication. |
redirect_uri* | string | | The redirect URI registered with the OAuth provider. The authorization code will be extracted from this callback. |
scopes | List[string] | null | Default scopes to request. Can be overridden per user. |
token_url* | string | | The URL of the OAuth 2.0 token endpoint to exchange authorization codes for tokens |
type* | Const[oauth_authz_code_browser] | oauth_authz_code_browser | |
use_pkce | boolean | true | Whether to use PKCE (Proof Key for Code Exchange) for enhanced security. Recommended for public clients. |
users* | List[OAuthAuthorizationCodeBrowserUserPreset] | | A list of users to authenticate |
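The pieces this preset automates around the browser are ordinary back-channel work, and seeing them spelled out makes the use_pkce and redirect_uri settings concrete. The example below is added for this page and is not Escape's implementation. It derives an S256 code challenge from a verifier (RFC 7636), builds the authorization URL with the per-user scope override, pulls the authorization code out of the callback URL the browser lands on while rejecting a callback on the wrong host or with the wrong state, and builds the token exchange request that carries the code verifier. The provider URLs and client are hypothetical; the verifier is the RFC 7636 Appendix B test vector, and the callback code is the one used in RFC 6749's own examples.

```python
from __future__ import annotations

import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_pair(verifier: str | None = None) -> tuple[str, str]:
    """RFC 7636 S256: a verifier of 43..128 unreserved characters and its challenge."""
    verifier = verifier or _b64url(secrets.token_bytes(32))      # 43 characters
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier must be 43..128 characters")
    return verifier, _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_request_url(preset: dict, user: dict, *, state: str, code_challenge: str | None) -> str:
    """The URL the browser is sent to; user scopes override the preset's default scopes."""
    params = {
        "response_type": "code",
        "client_id": preset["client_id"],
        "redirect_uri": preset["redirect_uri"],
        "state": state,
    }
    scopes = user.get("scopes") or preset.get("scopes")
    if scopes:
        params["scope"] = " ".join(scopes)                        # RFC 6749 3.3: space-delimited
    if preset.get("use_pkce", True):
        if code_challenge is None:
            raise ValueError("use_pkce is set but no code_challenge was generated")
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    base = preset["authorization_url"]
    return base + ("&" if "?" in base else "?") + urlencode(params)


def code_from_callback(observed_url: str, redirect_uri: str, expected_state: str) -> str:
    """Extract the code from the URL the browser landed on, with the checks a client must make."""
    seen, registered = urlsplit(observed_url), urlsplit(redirect_uri)
    if (seen.scheme, seen.netloc, seen.path) != (registered.scheme, registered.netloc, registered.path):
        raise ValueError(f"callback {observed_url} is not the registered redirect_uri")
    query = parse_qs(seen.query)
    if "error" in query:
        raise ValueError(f"authorization server returned {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or mix-up, discarding the code")
    return query["code"][0]


def token_exchange_request(preset: dict, code: str, code_verifier: str | None) -> dict:
    """The back-channel POST that turns the one-time code into tokens."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": preset["redirect_uri"],      # must equal the one sent in the authorization request
        "client_id": preset["client_id"],
        "client_secret": preset["client_secret"],
    }
    if code_verifier:
        form["code_verifier"] = code_verifier         # the server recomputes S256 and compares
    return {"method": "POST", "url": preset["token_url"],
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode(form)}


# Constructed preset (hypothetical provider and client) and the RFC 7636 Appendix B verifier.
PRESET = {
    "type": "oauth_authz_code_browser",
    "authorization_url": "https://idp.example.test/oauth2/authorize",
    "token_url": "https://idp.example.test/oauth2/token",
    "client_id": "scanner-client",
    "client_secret": "constructed-secret",
    "redirect_uri": "https://app.example.test/callback",
    "scopes": ["openid"],
    "use_pkce": True,
}
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"

if __name__ == "__main__":
    verifier, challenge = pkce_pair(RFC7636_VERIFIER)
    print(authorization_request_url(PRESET, {"username": "alice"}, state="s1", code_challenge=challenge))
    print(token_exchange_request(PRESET, "SplxlOBeZQQYbYS6WxSbIA", verifier)["body"])
```

PKCE binds the code to the verifier the scanner generated, so a code intercepted from the redirect is useless to anyone else; it does not replace the state check, which is what stops a code from a different session being fed into this one.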
OAuthAuthorizationCodeBrowserUserPreset
| Property | Type | Default | Description |
allow_failure | boolean | false | If false, authentication failure for this user will fail the scan. Ignored for the main user: failures for main user are always fatal. |
basic | string | null | The HTTP Basic credentials to attach to the HTTP requests sent for this user. |
cookies | Dict[string, string] | null | Optional cookies injected during the authentication process and in authenticated requests. |
digest | string | null | The HTTP Digest credentials to attach to the HTTP requests sent for this user. |
headers | Dict[string, string] | null | Optional headers injected during the authentication process and in authenticated requests. |
main_user | boolean | false | When running a WebApp Testing scan, this indicates that the scanner must use this user when crawling. There must be only one main user per scan. If none is provided, a random user will be selected. |
password* | string | | The password of the user for the authorization server. |
post_login_actions | List[CheckAction,ClickAction,ClickMailMagicLinkAction,FillAction,FillMailTOTPAction,FillTOTPAction,FocusPageAction,GotoAction,SelectAction,SleepAction,SolveCaptchaAction,WaitElementAction,WaitTextAction] | | A list of actions to perform on the browser after the login. |
pre_login_actions | List[CheckAction,ClickAction,ClickMailMagicLinkAction,FillAction,FillMailTOTPAction,FillTOTPAction,FocusPageAction,GotoAction,SelectAction,SleepAction,SolveCaptchaAction,WaitElementAction,WaitTextAction] | null | A list of actions to perform on the browser before the login. Useful for edge cases like accepting cookies, etc... |
query_parameters | Dict[string, string] | null | Optional query parameters injected during the authentication process and in authenticated requests. |
role | string | null | The role of the user (e.g., admin, user). |
scopes | List[string] | null | A list of scopes to request for the user. If not specified, no scope will be requested. |
username* | string | | The username of the user. |
OAuthClientCredentialsPreset
The 'OAuth Client Credentials' preset is tailored for authentication using the OAuth 2.0 client credentials grant, ideal for service accounts:
- OAuth Token Endpoint: Directs authentication requests to the token endpoint of an OpenID Connect server.
- Service Account Credentials: Utilizes client IDs and secrets to authenticate, representing service accounts rather than individual end-users.
- Token Generation: Designed to obtain access tokens for service accounts without the need for a user's password.
This preset is particularly effective for scenarios where applications or services themselves need to authenticate, independent of a user's direct involvement.
| Property | Type | Default | Description |
type* | Const[oauth_client_credentials] | oauth_client_credentials | |
url* | string | | The URL of the token endpoint of the OpenIDConnect server |
users* | List[OAuthClientCredentialsUserPreset] | | A list of users to create |
OAuthClientCredentialsUserPreset
| Property | Type | Default | Description |
allow_failure | boolean | false | If false, authentication failure for this user will fail the scan. Ignored for the main user: failures for main user are always fatal. |
audience | string | null | The audience to request for the user. If not specified, no audience will be requested. |
basic | string | null | The HTTP Basic credentials to attach to the HTTP requests sent for this user. |
basic_style | boolean | false | Whether to use the basic style of authentication where client_id and client_secret are encoded in the Authorization header. |
client_id* | string | | The client ID to use for the OAuth requests |
client_secret* | string | | The client secret to use for the OAuth requests |
cookies | Dict[string, string] | null | Optional cookies injected during the authentication process and in authenticated requests. |
digest | string | null | The HTTP Digest credentials to attach to the HTTP requests sent for this user. |
headers | Dict[string, string] | null | Optional headers injected during the authentication process and in authenticated requests. |
main_user | boolean | false | When running a WebApp Testing scan, this indicates that the scanner must use this user when crawling. There must be only one main user per scan. If none is provided, a random user will be selected. |
query_parameters | Dict[string, string] | null | Optional query parameters injected during the authentication process and in authenticated requests. |
role | string | null | The role of the user (e.g., admin, user). |
scopes | List[string] | null | A list of scopes to request for the user. If not specified, no scope will be requested. |
username* | string | | The arbitrary username given to the user. |
OAuthROPCPreset
The 'OAuth Resource Owner Password Credentials' preset implements the OAuth 2.0 Resource Owner Password Credentials grant type (RFC 6749, Section 4.3):
- Token Endpoint: Authentication requests are sent to the OAuth 2.0 authorization server's token endpoint to exchange user credentials for access tokens.
- Client Authentication: Uses client ID and client secret to authenticate the OAuth client application with the authorization server.
- Resource Owner Credentials: Directly uses the resource owner's (user's) username and password to obtain access tokens, bypassing the typical authorization code flow.
- Scope Support: Optional scope parameters can be included to request specific access permissions.
Important: This grant type should only be used when there is a high degree of trust between the resource owner and the client (e.g., first-party applications), as it involves handling user passwords directly. RFC 6749 recommends this flow only when other OAuth flows are not viable.
| Property | Type | Default | Description |
client_id* | string | | The client ID to use for the OAuth requests |
client_secret* | string | | The client secret to use for the OAuth requests |
type* | Const[oauth_ropc] | oauth_ropc | |
url* | string | | The URL of the token endpoint of the OpenIDConnect server |
users* | List[OAuthROPCUserPreset] | | A list of users to create |
OAuthROPCUserPreset
| Property | Type | Default | Description |
allow_failure | boolean | false | If false, authentication failure for this user will fail the scan. Ignored for the main user: failures for main user are always fatal. |
basic | string | null | The HTTP Basic credentials to attach to the HTTP requests sent for this user. |
cookies | Dict[string, string] | null | Optional cookies injected during the authentication process and in authenticated requests. |
digest | string | null | The HTTP Digest credentials to attach to the HTTP requests sent for this user. |
headers | Dict[string, string] | null | Optional headers injected during the authentication process and in authenticated requests. |
main_user | boolean | false | When running a WebApp Testing scan, this indicates that the scanner must use this user when crawling. There must be only one main user per scan. If none is provided, a random user will be selected. |
password* | string | | The password of the user. |
query_parameters | Dict[string, string] | null | Optional query parameters injected during the authentication process and in authenticated requests. |
role | string | null | The role of the user (e.g., admin, user). |
scopes | List[string] | null | A list of scopes to request for the user. If not specified, no scope will be requested. |
username* | string | | The username of the user. |
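The two API-only grants above, Client Credentials and Resource Owner Password Credentials, differ only in what the token request carries, and the basic_style switch of the client-credentials user decides whether the client secret travels in the form body or in a Basic Authorization header. The example below is added for this page and is not Escape's code; it builds both token requests from preset-shaped dicts and parses the token endpoint's answer, raising on an RFC 6749 section 5.2 error response instead of injecting an empty token. Endpoint and credentials are constructed. One caveat is marked in the code: RFC 6749 section 2.3.1 asks for the client id and secret to be form-url-encoded before Basic encoding, most servers accept the raw form, and the page does not say which multiauth sends.

```python
from __future__ import annotations

import base64
import json
from urllib.parse import urlencode

FORM = {"Content-Type": "application/x-www-form-urlencoded"}


def client_secret_basic(client_id: str, client_secret: str) -> str:
    """Authorization header value for basic_style=true.

    RFC 6749 2.3.1 says to form-url-encode id and secret first; the raw form built
    here is what most servers accept, and ids without reserved characters are identical.
    """
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def client_credentials_request(url: str, user: dict) -> dict:
    """Token request for one OAuthClientCredentialsUserPreset entry."""
    form = {"grant_type": "client_credentials"}
    if user.get("scopes"):
        form["scope"] = " ".join(user["scopes"])          # RFC 6749 3.3: space-delimited
    if user.get("audience"):
        form["audience"] = user["audience"]               # Auth0-style extension, not in RFC 6749
    headers = dict(FORM)
    if user.get("basic_style"):
        headers["Authorization"] = client_secret_basic(user["client_id"], user["client_secret"])
    else:
        form["client_id"] = user["client_id"]             # client_secret_post style
        form["client_secret"] = user["client_secret"]
    return {"method": "POST", "url": url, "headers": headers, "body": urlencode(form)}


def ropc_request(url: str, preset: dict, user: dict) -> dict:
    """Token request for the password grant: the user's password travels in the form body."""
    form = {
        "grant_type": "password",
        "username": user["username"],
        "password": user["password"],
        "client_id": preset["client_id"],
        "client_secret": preset["client_secret"],
    }
    if user.get("scopes"):
        form["scope"] = " ".join(user["scopes"])
    return {"method": "POST", "url": url, "headers": dict(FORM), "body": urlencode(form)}


def bearer_from_token_response(body: str) -> tuple[str, int | None]:
    """Return (access_token, expires_in), or raise on an RFC 6749 5.2 error response."""
    data = json.loads(body)
    if "error" in data:
        raise PermissionError(f"{data['error']}: {data.get('error_description', '')}".strip(": "))
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError(f"unsupported token_type {data.get('token_type')!r}")
    return data["access_token"], data.get("expires_in")


# Constructed endpoint, presets and users.
TOKEN_URL = "https://idp.example.test/oauth2/token"
SERVICE_USER = {"username": "svc", "client_id": "svc", "client_secret": "s3cr3t",
                "scopes": ["read", "write"], "basic_style": True}
ROPC_PRESET = {"type": "oauth_ropc", "url": TOKEN_URL, "client_id": "web", "client_secret": "cs"}

if __name__ == "__main__":
    print(client_credentials_request(TOKEN_URL, SERVICE_USER))
    print(ropc_request(TOKEN_URL, ROPC_PRESET, {"username": "alice", "password": "p@ss word"})["body"])
    print(bearer_from_token_response('{"access_token":"abc","token_type":"Bearer","expires_in":3600}'))
```

The expires_in value returned here is the figure to feed the configuration's lifetime setting: a refresh scheduled later than that leaves a window of unauthenticated requests at the end of each token's life.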
Procedure
| Property | Type | Default | Description |
injections* | Union[BrowserInjection,HTTPInjection] | | The list of injections to perform at the end of the procedure. Injections are used to inject the variables extracted from the procedure into the user authentication. |
name* | string | | The name of the procedure. It must be unique and is used to reference the procedure in users. |
operations* | List[BrowserActionsOperation,BrowserAgentOperation,HTTPOperation,OAuthAuthorizationCodeBrowserOperation] | | The list of operations executed during the procedure. An operation is a unit transaction, like an HTTP request, or a Playwright autologin script. Operations are ordered, and the variables extracted from an operation can be used in the next operations. |
SelectAction
| Property | Type | Default | Description |
action* | Const[select] | select | |
allow_failure | boolean | false | Allow this action to fail without breaking authentication, defaults to False. |
locator* | string | | The Playwright Locator to select the dropdown to select from |
select_first_if_multiple | boolean | false | Whether to select the first element if multiple elements are found. If false, an error will be raised. |
timeout | integer | 30 | Timeout in seconds for executing the select action |
value* | string | | The value to select |
SleepAction
| Property | Type | Default | Description |
action* | Const[sleep] | sleep | |
allow_failure | boolean | false | Allow this action to fail without breaking authentication, defaults to False. |
seconds* | number | | The time to sleep in seconds, between 0 and 40 seconds |
SolveCaptchaAction
| Property | Type | Default | Description |
action* | Const[solve_captcha] | solve_captcha | |
allow_failure | boolean | false | Allow this action to fail without breaking authentication, defaults to False. |
auto_submit | boolean | false | Whether the form should be automatically submitted after the captcha is filled |
locator* | string | | The Playwright locator of the captcha input to fill |
User
| Property | Type | Default | Description |
allow_failure | boolean | false | If false, authentication failure for this user will fail the scan. Ignored for the main user: failures for main user are always fatal. |
credentials | Credentials | null | A set of HTTP parameters used to customize requests sent for the user. |
main_user | boolean | false | When running a WebApp Testing scan, this indicates that the scanner must use this user when crawling. There must be only one main user per scan. If none is provided, a random user will be selected. |
name* | string | | The name of the user |
procedure | string | null | The name of the procedure to use to authenticate the user. This name MUST match the name field of a procedure in the procedures list of the multiauth configuration. |
role | string | null | The role of the user (e.g., admin, user). |
user_instructions | string | null | Optional per-user instructions forwarded to browser-based authentication flows. Use this field for user-specific hints, popups, or post-login checks when the selected procedure authenticates in a browser. |
variables* | List[AuthenticationVariable] | | List of variables that will be injected at the beginning of the user's authentication procedure. |
WaitElementAction
| Property | Type | Default | Description |
action* | Const[wait_element] | wait_element | |
allow_failure | boolean | false | Allow this action to fail without breaking authentication, defaults to False. |
locator* | string | | The Playwright locator of the element to wait for |
timeout | number | 10 | The timeout (seconds) to wait for the element to be visible |
WaitTextAction
| Property | Type | Default | Description |
action* | Const[wait_text] | wait_text | |
allow_failure | boolean | false | Allow this action to fail without breaking authentication, defaults to False. |
timeout | number | 10 | The timeout (seconds) to wait for the text to be visible |
value* | string | | The text to wait for until it is visible; matched case-insensitively |
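The Procedure, User, and browser-action tables above state several invariants that a configuration must satisfy before a scan will authenticate correctly: procedure names are unique, a user's `procedure` must name an existing procedure, there is at most one main user, `allow_failure` has no effect on the main user, `seconds` of a sleep action lies between 0 and 40, and each action carries only the fields its table lists. The following Python linter is an added example (it is not Escape's own code and not part of this reference) that checks those invariants on a plain dict, such as one loaded from a YAML configuration. The sample configuration and action list are constructed; operation and injection bodies are opaque placeholders because their schemas are not documented in this section, and the linter knows only the action types listed here.

```python
from __future__ import annotations

from typing import Any

# Required and optional fields of the browser actions documented in this
# section (SelectAction, SleepAction, SolveCaptchaAction, WaitElementAction,
# WaitTextAction). "action" is the discriminator and is checked separately.
ACTION_FIELDS: dict[str, tuple[set[str], set[str]]] = {
    "select": ({"locator", "value"}, {"allow_failure", "select_first_if_multiple", "timeout"}),
    "sleep": ({"seconds"}, {"allow_failure"}),
    "solve_captcha": ({"locator"}, {"allow_failure", "auto_submit"}),
    "wait_element": ({"locator"}, {"allow_failure", "timeout"}),
    "wait_text": ({"value"}, {"allow_failure", "timeout"}),
}


def lint_action(action: dict[str, Any]) -> list[str]:
    """Return the problems found in one browser action object (empty if clean)."""
    kind = action.get("action")
    if kind not in ACTION_FIELDS:
        return [f"unknown action type {kind!r}"]
    required, optional = ACTION_FIELDS[kind]
    present = set(action) - {"action"}
    problems = [f"{kind}: missing required field {f!r}" for f in sorted(required - present)]
    problems += [f"{kind}: unknown field {f!r}" for f in sorted(present - required - optional)]
    if kind == "sleep" and "seconds" in action:
        seconds = action["seconds"]
        # The SleepAction table bounds the sleep to 0..40 seconds.
        if not isinstance(seconds, (int, float)) or not 0 <= seconds <= 40:
            problems.append(f"sleep: seconds must be between 0 and 40, got {seconds!r}")
    return problems


def lint_actions(actions: list[dict[str, Any]]) -> list[str]:
    """Lint a list of action objects and concatenate their problems in order."""
    return [p for action in actions for p in lint_action(action)]


def lint_config(config: dict[str, Any]) -> list[str]:
    """Check the procedure and user invariants stated in the Procedure and User tables."""
    problems: list[str] = []
    procedure_names: set[str] = set()
    for proc in config.get("procedures") or []:
        name = proc.get("name")
        if name in procedure_names:
            problems.append(f"procedure name {name!r} is not unique")
        procedure_names.add(name)
        for key in ("operations", "injections"):  # both are required (starred) fields
            if not proc.get(key):
                problems.append(f"procedure {name!r}: {key!r} is required and must not be empty")

    users = config.get("users") or []
    main_users = [u.get("name") for u in users if u.get("main_user")]
    if len(main_users) > 1:
        problems.append(f"more than one main user: {main_users}")
    for user in users:
        uname = user.get("name")
        if not isinstance(user.get("variables"), list):
            problems.append(f"user {uname!r}: 'variables' is required and must be a list")
        proc = user.get("procedure")
        if proc is not None and proc not in procedure_names:
            problems.append(f"user {uname!r}: procedure {proc!r} matches no procedure name")
        if user.get("main_user") and user.get("allow_failure"):
            problems.append(
                f"user {uname!r}: allow_failure is ignored for the main user, whose failures are always fatal"
            )
    return problems


# Constructed sample data. Operation/injection bodies are placeholders only.
GOOD_CONFIG: dict[str, Any] = {
    "procedures": [
        {"name": "login", "operations": [{"placeholder": "http-operation"}],
         "injections": [{"placeholder": "http-injection"}]},
    ],
    "users": [
        {"name": "admin", "procedure": "login", "role": "admin", "main_user": True,
         "variables": [{"name": "username", "value": "admin@example.com"},
                       {"name": "password", "value": "hunter2"}]},
        {"name": "viewer", "procedure": "login", "role": "user", "allow_failure": True,
         "variables": [{"name": "username", "value": "viewer@example.com"},
                       {"name": "password", "value": "hunter2"}]},
    ],
}

BAD_CONFIG: dict[str, Any] = {
    "procedures": [
        {"name": "login", "operations": [{"placeholder": "http-operation"}],
         "injections": [{"placeholder": "http-injection"}]},
        # duplicate name and an empty operations list
        {"name": "login", "operations": [], "injections": [{"placeholder": "http-injection"}]},
    ],
    "users": [
        # allow_failure on the main user has no effect
        {"name": "admin", "procedure": "login", "main_user": True, "allow_failure": True, "variables": []},
        # second main user, and a procedure name that does not exist
        {"name": "auditor", "procedure": "sso", "main_user": True, "variables": []},
    ],
}

SAMPLE_ACTIONS: list[dict[str, Any]] = [
    {"action": "wait_element", "locator": "#login-form", "timeout": 15},
    {"action": "select", "locator": "select#tenant", "value": "acme", "select_first_if_multiple": True},
    {"action": "solve_captcha", "locator": "#captcha", "auto_submit": True},
    {"action": "sleep", "seconds": 60},              # outside the documented 0..40 range
    {"action": "select", "locator": "select#role"},  # missing required 'value'
    {"action": "wait_text", "value": "Dashboard", "allow_failure": True, "locator": "h1"},  # no 'locator' on wait_text
]

if __name__ == "__main__":
    for problem in lint_config(BAD_CONFIG) + lint_actions(SAMPLE_ACTIONS):
        print(problem)
```

Run the linter before handing a configuration to a scan: a user that points at a misspelled procedure name, or a second `main_user`, otherwise surfaces only as an authentication failure at scan time, and for the main user that failure is fatal regardless of `allow_failure`.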
Enums
AWSRegion
| Value |
us-east-2 |
us-east-1 |
us-west-1 |
us-west-2 |
af-south-1 |
ap-east-1 |
ap-south-1 |
ap-northeast-3 |
ap-northeast-2 |
ap-southeast-1 |
ap-southeast-2 |
ap-northeast-1 |
ca-central-1 |
cn-north-1 |
cn-northwest-1 |
eu-central-1 |
eu-west-1 |
eu-west-2 |
eu-south-1 |
eu-west-3 |
eu-north-1 |
me-south-1 |
sa-east-1 |
BrowserLocation
| Value |
page |
browser_local_storage |
browser_session_storage |
browser_cookies |
HTTPLocation
| Value |
header |
cookie |
body |
query |
HTTPMethod
| Value |
CONNECT |
DELETE |
GET |
HEAD |
OPTIONS |
PATCH |
POST |
PUT |
TRACE |