Configure API Call Authentication

If you need NeuraLegion to reach an authenticated resource by sending API requests with a customized body, use the API call authentication method. It is the most flexible authentication method and supports multiple HTTP request methods.

Prerequisites

  • You are an active user in the NeuraLegion App.
  • Your application and authenticated resources are accessible to the NeuraLegion App, either directly from the Internet or via a Repeater.

Step-by-Step Guide

  1. Go to the NeuraLegion App.
  2. In the left pane, select Authentications.
  3. On the My Authentications page, click + Create Authentication.
  4. In the CREATE & TEST AUTHENTICATION dialog box, complete the fields of the following configuration sections.

Authentication Details

In this section, specify the details of the authentication object you want to create.

Authentication name: Enter the authentication object name.
Description (Optional): Enter the authentication object description. For example, you can specify the application type or other information that helps you distinguish your created object.
Authentication type: From the Authentication type drop-down list, select API Call.

Authentication Setup

In this section, set up a valid authentication request to be sent to the endpoint API. To do so, complete the Authentication Setup fields.

Method: Enter the HTTP method of the relevant API endpoint.
URL: Enter the URL of the relevant API endpoint.
Body: Enter the HTTP request body to send to the API endpoint, for example: {"user": "foo", "pass": "bar"}.
Extract from: Select where in the response the authentication token should be extracted from.
  • Header: Select this if the authentication token should be extracted from a response header.
    Header name: Enter the name of the header to extract the authentication token from.
  • Body: Select this if the authentication token should be extracted from the response body.
Authenticated token extraction regex: Enter the regex pattern that extracts the authentication token from the specified location.

Pro Tip: Make sure the specified regex captures ONLY the token itself, and not any additional parts of the string such as a prefix, suffix, delimiter or padding.
Token encoder: Select an encoder to apply to the extracted token, if one is needed, for example Base64.
Embed in: Select where in the subsequent authenticated requests the authentication token should be embedded.
  • Header: Select this if the authentication token should be embedded in a request header.
    Target header name: Enter the name of the header to embed the authentication token into.
  • Body: Select this if the authentication token should be embedded in the request body.
    Content type: Select the content type of the request body.

Note: Currently only `application/json` is supported.
    XPath: Enter the exact path to the object to be used in the requests sent to the API endpoint.
Token template string: Enter the final pattern, containing the expected token, to be embedded into the endpoint request header or body.

Pro Tip: The field must contain the `{{token}}` string, along with any needed prefixes or suffixes. The `{{token}}` part is replaced with the token extracted from the authentication response.
Maximum number of redirects to follow: Enter the maximum number of redirections that Nexploit should follow during the authentication process.
Additional headers (Optional): Select an additional header that you need to use for each request and enter its value. For example, additional cookies that might be needed for the authentication, such as host-related metadata. To replace or append the selected header to each request, select the relevant button below.

Pro Tips:
  • If your application uses cookies that are set via the Set-Cookie header in the response, then you do not need to extract and reuse the cookies. Any Set-Cookie header will be automatically used during authentication.
  • MFA required on initial IP login may be handled using a cookie value. For that, you need to identify which cookie holds the completed MFA/2FA and include a valid cookie as a part of your authentication object.
  • For some parameters, you can add more fields by clicking at the upper-right of the relevant setup section.
  • To delete a parameter, click next to the relevant Value field.

Valid Authentication Response

In this section, select the options you want to use during the application scanning to determine that the authenticated resource has been reached. The options define how the application responds in case a full authentication flow passes successfully.

Detect using response status: Enter the HTTP response status that indicates authentication success.
Detect using header pattern: Enter the header name and regex pattern that indicate authentication success.
Detect using body pattern: Enter the body pattern that indicates authentication success.

Authentication Triggers

In this section, select the options you want to use during the application scanning to determine if the authentication flow is no longer valid and the authenticated resources cannot be reached. The options define how the application responds in case the authentication flow fails.

Detect using response status: Enter the HTTP response status that indicates authentication failure.
Detect using header pattern: Enter the header name and regex pattern that indicate authentication failure.
Detect using body pattern: Enter the body pattern that indicates authentication failure.
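The following Python sketch is an added illustration, not NeuraLegion's own code: it models what the Authentication Setup fields (extract, encode, template, embed) and the Detect using rules of the two sections above do, using a constructed sample authentication response. The function names, the slash-separated body path (standing in for the XPath field) and the sample values are assumptions made for this example.

```python
import base64
import json
import re

# Constructed sample authentication response, standing in for what the
# configured API call would return (not captured from any real service).
AUTH_RESPONSE = {
    "status": 200,
    "headers": {"Content-Type": "application/json", "X-Auth": "Bearer abc.def.ghi"},
    "body": '{"accessToken": "abc.def.ghi", "expiresIn": 3600}',
}

def extract_token(response, extract_from, regex, header_name=None):
    """'Extract from' + extraction regex: the regex should capture ONLY the token."""
    source = response["headers"].get(header_name, "") if extract_from == "header" else response["body"]
    match = re.search(regex, source)
    if not match:
        raise ValueError("extraction regex did not match the authentication response")
    return match.group(1) if match.groups() else match.group(0)

def encode_token(token, encoder=None):
    """'Token encoder' setting; only Base64 is modelled here (assumed choice)."""
    return base64.b64encode(token.encode()).decode() if encoder == "base64" else token

def embed_token(token, template, embed_in, target=None, body=None):
    """Render the {{token}} template and place it in a header or at a JSON body path."""
    rendered = template.replace("{{token}}", token)
    if embed_in == "header":
        return {"headers": {target: rendered}, "body": body}
    obj = json.loads(body or "{}")
    *parents, leaf = [p for p in target.strip("/").split("/") if p]  # e.g. /auth/token
    node = obj
    for p in parents:
        node = node.setdefault(p, {})  # create intermediate objects as needed
    node[leaf] = rendered
    return {"headers": {"Content-Type": "application/json"}, "body": json.dumps(obj)}

def response_matches(response, status=None, header_pattern=None, body_pattern=None):
    """'Detect using ...' rules: every configured rule must hold (none configured -> True)."""
    checks = []
    if status is not None:
        checks.append(response["status"] == status)
    if header_pattern:
        name, pattern = header_pattern
        checks.append(re.search(pattern, response["headers"].get(name, "")) is not None)
    if body_pattern:
        checks.append(re.search(body_pattern, response["body"]) is not None)
    return all(checks)
```

The same `response_matches` rules serve both the success detection (Valid Authentication Response) and the failure detection (Authentication Triggers), only with different configured values.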

Valid Session Tester

The preliminary testing helps you verify whether the authentication object has been configured correctly.

Protocol: From the drop-down list, select the HTTPS or WebSockets protocol to be used for authentication.
Method: Select the HTTP method of an active tester endpoint (authenticated resource).
Validation URL: Enter the URL of the authenticated (protected) resource used to test whether the authentication scenario is configured correctly. The validation URL should be different from the authentication URL.
Header name: Select an additional header to be appended to the request sent to the tester endpoint.
Header value: Enter the template of the expected value (interpolation string), created using the String Interpolation Syntax.
Body: Enter the HTTP request body to be appended to the request sent to the tester endpoint, for example: {"user": "foo", "pass": "bar"}. You can interpolate the body using the String Interpolation Syntax.
Maximum number of redirects to follow: Enter the maximum number of redirections that Nexploit should follow during the authentication process.

Pro Tip: Select the Change redirected method to GET checkbox for redirects with status code 302, where the server expects every redirected request to use GET rather than the original method that triggered the redirect.
Repeater: If you use a local Repeater to reach the scan target, select it from the drop-down list to connect it to the scan.

Once you have completed the Valid Session Tester fields, click Test Authentication.

  • A valid authentication object returns three success messages indicated in the relevant Test Results sections:
    • Test Authentication Triggers
    • Authentication call
    • Access Protected Resource

In this case, you can save the configured object and add it to your scans.

  • If the test results include a failure message, go back to the object configuration and verify its correctness. Use the test request/response data to locate the failure and fix it.
