Authenticated Pentesting
========================

Configure authentication so APVISO can test pages and API endpoints behind login — supporting bearer tokens, cookies, API keys, and more.

Why Authenticated Pentesting Matters
------------------------------------

Many critical vulnerabilities — broken access control, privilege escalation, IDOR — only exist behind authenticated endpoints. Without credentials, APVISO can only test the unauthenticated attack surface. Authenticated pentesting gives the agents a valid session so they can test the full application.

Where Credentials Live
----------------------

Target application credentials live only on the self-hosted runner. Configure a local JSON file on the runner host and set `APVISO_TARGET_AUTH_CONFIG_FILE=/path/to/target-auth.json`. The runner mounts that file read-only into the pentest container. APVISO Cloud receives job state and findings, but not tokens, cookies, passwords, or login secrets.

Supported Authentication Methods
--------------------------------

### Bearer Token

Provide a static bearer token. The pentest sends it as `Authorization: Bearer <token>` on authenticated requests. Make sure the token's lifetime covers the pentest runtime; a token that expires mid-run silently turns the rest of the pentest into an unauthenticated one.

### Basic Auth

Supply a username and password. The pentest base64-encodes `username:password` and sends it as `Authorization: Basic <base64(username:password)>`. Base64 is an encoding, not encryption, so only use this method against HTTPS targets.

### Cookie

Provide a session cookie name and value. The pentest sends it as `Cookie: <name>=<value>`. This is useful when your application uses cookie-based sessions; log in manually, copy a fresh session cookie, and make sure the server-side session will not expire or be idle-timed out during the pentest.

### API Key

Specify the header name and key value, such as `X-API-Key`.

### Custom Headers

Add one or more arbitrary request headers for non-standard authentication schemes.

### Login-Based Auth

For applications with a login form, provide the login URL, username, and password in the runner-local file.

Example Runner File
-------------------

```json
{
  "targets": {
    "app.example.com": {
      "type": "bearer",
      "token": "local-only-token"
    }
  }
}
```

Best Practices
--------------

- Use a dedicated test account with realistic but non-admin privileges for the initial pentest. Run a separate pentest with admin credentials if needed.
- Store the runner-local file with restrictive permissions and rotate or revoke credentials after pentesting.
- Prefer token-based auth over login-based auth when possible.
- Test that the credentials work from the runner network before starting the pentest.
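The last two best practices above (restrictive file permissions, and confirming the credentials work from the runner network before the pentest starts) are easy to automate. The following pre-flight script is an added example written for this page; it is not part of APVISO or its runner. Only the bearer entry shape (`"type": "bearer"`, `"token"`) comes from the sample file above. The `basic`, `cookie`, `api_key` and `headers` type names and their keys are this example's own illustration of the methods described in the previous sections, not the runner's real schema, login-based auth is not modeled, and the hostnames and credentials are constructed sample data.

```python
"""Pre-flight check for a runner-local target-auth.json (added example, not APVISO code).

Checks that the file is private to its owner, builds the request headers each
documented auth method would produce, and probes every target once so a rejected
credential is caught before the pentest starts rather than discovered in the report.
"""
import base64
import json
import os
import stat
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed sample config. The bearer entry mirrors the page's own example; the
# other entries are hypothetical shapes for the methods the page describes.
SAMPLE_CONFIG = {
    "targets": {
        "app.example.com": {"type": "bearer", "token": "local-only-token"},
        "legacy.example.com": {"type": "basic", "username": "user", "password": "pass"},
        "shop.example.com": {"type": "cookie", "name": "session", "value": "abc123"},
        "api.example.com": {"type": "api_key", "header": "X-API-Key", "key": "k-1"},
        "svc.example.com": {"type": "headers", "headers": {"X-Tenant": "t1", "X-Auth": "v"}},
    }
}


def file_is_private(path: str) -> bool:
    """True when path is a regular file with no group/other permission bits (e.g. 0600 or 0400)."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def build_auth_headers(entry: dict) -> Dict[str, str]:
    """Translate one target entry into the headers an authenticated request would carry."""
    kind = entry.get("type")
    if kind == "bearer":
        return {"Authorization": f"Bearer {entry['token']}"}
    if kind == "basic":
        # Basic auth is base64(username:password): an encoding, not encryption.
        raw = f"{entry['username']}:{entry['password']}".encode()
        return {"Authorization": "Basic " + base64.b64encode(raw).decode()}
    if kind == "cookie":
        return {"Cookie": f"{entry['name']}={entry['value']}"}
    if kind == "api_key":
        return {entry["header"]: entry["key"]}
    if kind == "headers":
        return dict(entry["headers"])
    raise ValueError(f"unsupported auth type: {kind!r}")


def http_probe(url: str, headers: Dict[str, str]) -> int:
    """Default probe: one GET from the runner host, returning the HTTP status code."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def preflight(config: dict, probe: Callable[[str, Dict[str, str]], int],
              path: str = "/") -> Dict[str, Tuple[int, bool]]:
    """Probe every target with its credential. A 401 or 403 means the credential was not accepted."""
    results: Dict[str, Tuple[int, bool]] = {}
    for host, entry in config["targets"].items():
        headers = build_auth_headers(entry)
        status = probe(f"https://{host}{path}", headers)
        results[host] = (status, status not in (401, 403))
    return results


if __name__ == "__main__":
    cfg_path = os.environ.get("APVISO_TARGET_AUTH_CONFIG_FILE", "target-auth.json")
    if not file_is_private(cfg_path):
        raise SystemExit(f"{cfg_path}: must be a regular file readable only by its owner (chmod 0600)")
    with open(cfg_path) as fh:
        cfg = json.load(fh)
    for host, (status, ok) in preflight(cfg, http_probe).items():
        print(f"{host}: HTTP {status} -> {'ok' if ok else 'REJECTED'}")
```

Run it on the runner host with `APVISO_TARGET_AUTH_CONFIG_FILE` pointing at the real file. The probe is injected so the header-building logic can be tested offline; a 200 from an endpoint that also returns 200 without credentials proves nothing, so probe a path that you know requires login.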

### Related Articles

- [Adding Pentest Targets](/docs/adding-targets): How to add a domain or IP address as a pentest target, including validation rules and what happens after creation.
- [Starting a Pentest](/docs/starting-a-scan): How to initiate a pentest, choose a pentest package, and understand what each package means for depth and runtime.
- [Understanding Findings](/docs/understanding-findings): What severity levels mean, how findings are structured, and how to interpret CWE/CVE references and compliance mappings.

© 2026 APVISO. All rights reserved.
