Modern applications increasingly rely on OAuth authentication to secure their APIs and web services. Previously, if your applications used OAuth, you had to implement time-consuming workarounds to allow Intruder to fully scan your applications.
With this release, we've added OAuth authentication support to our scanning capabilities. This means you can now comprehensively test applications and APIs that require OAuth tokens for access - giving you complete visibility into vulnerabilities across your entire authenticated attack surface.

What's changed?
We've expanded our authentication options to include OAuth 2.0, the industry-standard protocol used by countless modern applications. When setting up a scan, you can now:
- Configure OAuth authentication for any target that requires it
- Provide your OAuth credentials and token endpoints
- Let Intruder handle the token generation and refresh automatically during scans
- Scan both REST APIs and web applications protected by OAuth
How does this help you?
- Intruder now provides you with greater coverage, as OAuth-protected applications and APIs are no longer a blind spot
- You'll receive more impactful results, as you can test more of the authenticated parts of your applications where sensitive data and functionality often live
- You'll be able to save time as there's no need for complex workarounds or manual testing of OAuth-protected resources
Getting started

To add OAuth authentication to a target, simply:
- Navigate to the targets page
- Click on the Actions button on the right-hand side of your target
- Click "Add authentication"
- Choose OAuth 2.0 from the authentication types and fill in your application details
You'll need your OAuth client credentials and token endpoint URL to get started. Our scanner will handle the rest, automatically managing token generation and renewal throughout the scan.
This feature is available across all plans. To enable DAST scanning of your application, you will need an Application License. If you already have one, it will be assigned to the target when you configure the OAuth login details. If you don't have one, you can purchase one from the billing page or speak to your Customer Success Manager.
If you have any trouble setting up OAuth, reach out through the support chat.