How do you scan behind a login?The Tinfoil Security scanner has the ability to scan your website after logging into it. Many websites hide a lot of functionality behind authentication (Facebook is a good example of this, or any banking website). Given valid credentials (i.e. a valid username and password, as well as a login URL), the Tinfoil scanner is able to login automatically prior to each scan and crawl and audit pages behind authentication as well as while logged out.
The current types of authentication we support are Form-based, HTTP Basic Authentication, and SAML. If your site have a custom login procedure that does not conform to any of these methods, let us know.
For Form-based Login, you can simply give us a login URL and example username and password. You can do this during the setup of your site right from your dashboard.
HTTP Basic Authentication
For HTTP Basic Authentication, you can simply fill out your username and password on the dashboard, and the scanner will take care of constructing the url of the form "https://username:firstname.lastname@example.org" and use it to log in to your site.
SAML Single Sign-On
A third type of authentication we support is SAML (Security Assertion Markup Language). This authentication method is commonly used in websites that use a central identity provider to provide single-sign on functionality. Currently, we support the OneLogin identity provider.
To enable the Tinfoil Security scanner to log in to your site using OneLogin, we need four pieces of information: the login URL to your OneLogin portal (e.g. https://example.onelogin.com/login), the username and password needed to log in to your OneLogin portal, and lastly the Application's SSO URL, which is the URL to your site that is linked from your OneLogin Portal (e.g. https://app.onelogin.com/client/apps/select/1234567890 ). You can obtain your Application SSO URL by logging in to your OneLogin portal, finding the desired application in the listing, right-clicking on it, and copying the link.
As always, if you have any questions or issues at all, please feel free to contact us in our Support Chat or via any of the methods listed on our Contact Page and we'll be more than happy to assist.