Targets & Verification

Authenticated Scanning

Configure authentication so APVISO can test pages and API endpoints behind login — supporting bearer tokens, cookies, API keys, and more.

Why Authenticated Scanning Matters

Many critical vulnerabilities — broken access control, privilege escalation, IDOR — only exist behind authenticated endpoints. Without credentials, APVISO can only test the unauthenticated attack surface. Authenticated scanning gives the agents a valid session so they can test the full application.

Supported Authentication Methods

Bearer Token

Provide a static bearer token (e.g., a long-lived JWT or API token). APVISO sends it in the Authorization: Bearer <token> header on every request.

Basic Auth

Supply a username and password. APVISO base64-encodes the username:password pair and sends the Authorization: Basic <encoded> header on every request.

Cookie

Paste a session cookie string (e.g., session=abc123; csrf=xyz789). APVISO attaches it as the Cookie header. This is useful when your application uses cookie-based sessions.

API Key

Specify the header name and key value (e.g., header X-API-Key, value sk_live_...). APVISO includes this custom header on every request.

Custom Headers

Add one or more arbitrary request headers. Use this for non-standard authentication schemes or to pass additional context the application requires.

Login-Based Auth

For applications with a login form, you can configure:

  • Login URL — the page containing the login form.
  • Username and Password fields — the form field names and values.
  • Success indicator — a URL pattern, cookie name, or response string that confirms a successful login.

APVISO's agents will submit the login form, capture the resulting session, and use it for the remainder of the scan.

Configuring Auth in the Dashboard

  1. Open the target detail page.
  2. Click the Authentication tab.
  3. Select your authentication method.
  4. Fill in the required fields.
  5. Click Save.

Credentials are encrypted at rest and only decrypted during the scan. They are never logged or included in reports.

Best Practices

  • Use a dedicated test account with realistic but non-admin privileges for the initial scan. Run a separate scan with admin credentials if needed.
  • Rotate or revoke credentials after scanning to limit exposure.
  • Prefer token-based auth over login-based auth when possible — it is more reliable and does not depend on form rendering.
  • Test that the credentials work before starting the scan by verifying you can access a protected page.
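As an added illustration (not APVISO's own code), the Python below models the documented auth methods as the headers they produce, evaluates a login-based success indicator, and performs the credential pre-flight check recommended above; the dict keys, indicator type names and sample values are assumptions chosen for this example, not APVISO's configuration schema.

```python
import base64
import re

# Illustrative model of the documented auth methods. The dict keys
# ("method", "token", ...) and the indicator type names are assumptions
# made for this example; they are not APVISO's configuration schema.

def build_auth_headers(auth: dict) -> dict:
    """Return the headers attached to every scan request for one auth method."""
    method = auth["method"]
    if method == "bearer":
        return {"Authorization": f"Bearer {auth['token']}"}
    if method == "basic":
        # Basic auth is base64("username:password"), an encoding, not encryption.
        creds = f"{auth['username']}:{auth['password']}".encode()
        return {"Authorization": "Basic " + base64.b64encode(creds).decode()}
    if method == "cookie":
        return {"Cookie": auth["cookie"]}
    if method == "api_key":
        return {auth["header"]: auth["key"]}
    if method == "custom":
        return dict(auth["headers"])
    raise ValueError(f"unknown auth method: {method}")

def login_succeeded(indicator: dict, final_url: str, cookies: dict, body: str) -> bool:
    """Evaluate a login-based-auth success indicator against the post-login response."""
    kind, value = indicator["type"], indicator["value"]
    if kind == "url_pattern":
        return re.search(value, final_url) is not None
    if kind == "cookie_name":
        return value in cookies
    if kind == "response_string":
        return value in body
    raise ValueError(f"unknown indicator type: {kind}")

def preflight_ok(status: int, final_url: str, login_url: str) -> bool:
    """Credential pre-flight: a protected page must return 200 and not bounce to login."""
    return status == 200 and not final_url.startswith(login_url)

if __name__ == "__main__":
    # Constructed sample values, not real credentials or a real host.
    print(build_auth_headers({"method": "basic", "username": "alice", "password": "s3cret"}))
    print(login_succeeded({"type": "cookie_name", "value": "session"},
                          "https://app.example.test/dashboard", {"session": "abc123"}, ""))
    print(preflight_ok(200, "https://app.example.test/login?next=/account",
                       "https://app.example.test/login"))
```

Run the pre-flight against a page that only an authenticated user can reach; a 200 that lands back on the login URL means the session was not accepted and the scan would silently cover only the unauthenticated surface.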