How do you scan behind a login?
The Tinfoil Security scanner has the ability to scan your website after logging into it. Many websites hide a lot of functionality behind authentication (Facebook is a good example of this, or any banking website). Given valid credentials (i.e. a valid username and password, as well as a login URL), the Tinfoil scanner is able to login automatically prior to each scan and crawl and audit pages behind authentication as well as while logged out.
The current types of authentication we support are Form-based, HTTP Basic Authentication, and SAML. If your site have a custom login procedure that does not conform to any of these methods, let us know.
For Form-based Login, you can simply give us a login URL and example username and password. You can do this during the setup of your site right from your dashboard.
HTTP Basic Authentication
For HTTP Basic Authentication, you can simply fill out your username and password on the dashboard, and the scanner will take care of constructing the url of the form "https://username:firstname.lastname@example.org" and use it to log in to your site.
SAML Single Sign-On
A third type of authentication we support is SAML (Security Assertion Markup Language). This authentication method is commonly used in websites that use a central identity provider to provide single-sign on functionality. Currently, we have tested and support OneLogin and Okta as identity providers.
To enable the Tinfoil Security scanner to log in to your site using SAML SSO, we need four pieces of information: the login URL to your identity provider portal (e.g. https://example.onelogin.com/login or https://example.okta.com/login), the username and password needed to log in to your identity provider portal, and lastly the Application's SSO URL, which is the URL to your site that is linked from your identity provider Portal (e.g. https://app.onelogin.com/client/apps/select/1234567890 or https://app.okta.com/home/app/123ABC). You can obtain your Application SSO URL by logging in to your identity provider portal, finding the desired application in the listing, right-clicking on it, and copying the link.