For thorough security testing, configure authentication so our AI agents can access protected areas of your application.

Why Authentication Matters

Unauthenticated scans only test the public attack surface. Authenticated testing discovers:
  • Privilege escalation vulnerabilities
  • IDOR (Insecure Direct Object References)
  • Session management flaws
  • Post-login business logic bugs
Up to 80% of critical vulnerabilities exist behind authentication walls.

Setting Up Credentials

Step 1: Create Test Accounts

Create dedicated accounts for security testing:
Role                 Purpose
Standard User        Test normal user functionality
Admin User           Test admin-only features
Low-Privilege User   Test privilege escalation
Never use production accounts with real data.
Step 2: Navigate to Target Settings

Go to Targets → Select your target → Authentication tab.
Step 3: Add Credentials

Enter username and password for each test account:
{
  "credentials": [
    {
      "role": "user",
      "username": "[email protected]",
      "password": "SecureTestPass123!"
    },
    {
      "role": "admin",
      "username": "[email protected]",
      "password": "AdminTestPass456!"
    }
  ]
}
Step 4: Write Login Instructions

Describe the login flow for the AI agent:
1. Navigate to https://app.example.com/login
2. Enter the username in the "Email" field
3. Enter the password in the "Password" field
4. Click the "Sign In" button
5. Wait for redirect to /dashboard
6. Verify login by checking for "Welcome" text
Be specific about field names, button text, and success indicators.

Login Instruction Best Practices

❌ “Enter email and password”
✅ “Enter email in the field labeled ‘Email Address’ and password in the field labeled ‘Password’”
❌ “Click login”
✅ “Click the ‘Sign In’ button and wait for the URL to change to /dashboard”
If your app uses MFA, describe how to handle it:
After entering credentials:
1. If MFA prompt appears, use the TOTP code from the authenticator
2. TOTP Secret: JBSWY3DPEHPK3PXP
3. Enter the 6-digit code and click "Verify"
If login fails:
1. Check if "Invalid credentials" message appears
2. If CAPTCHA appears, wait 60 seconds and retry
3. If account locked message appears, use backup account

Authentication Methods

Standard username/password forms:
1. Go to /login
2. Enter username in #email field
3. Enter password in #password field
4. Click button with text "Log In"

Multi-Factor Authentication

Provide the TOTP secret for automated MFA handling:
{
  "mfa_type": "totp",
  "secret": "JBSWY3DPEHPK3PXP"
}
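Both the MFA step in the login instructions above and this TOTP configuration rely on the agent deriving a one-time code from the base32 secret. The following is an added example, not code from this documentation or from the platform, showing what that derivation is: RFC 4226 HOTP and RFC 6238 TOTP implemented with the Python standard library, plus a verifier-side check that tolerates one time step of clock skew. The function names (hotp, totp, totp_matches) are this example's own; the page's sample secret JBSWY3DPEHPK3PXP is used only to show decoding of an authenticator-style secret, and the RFC test-vector secret "12345678901234567890" is the one published in those RFCs.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10**digits and left-pad with zeros."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, algorithm).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def decode_authenticator_secret(base32_secret: str) -> bytes:
    """Authenticator apps show the secret as unpadded base32, sometimes lowercase
    or grouped with spaces; normalise before decoding."""
    normalized = base32_secret.replace(" ", "").upper()
    normalized += "=" * (-len(normalized) % 8)
    return base64.b32decode(normalized)


def totp(base32_secret: str, at_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(decode_authenticator_secret(base32_secret), at_time // step, digits)


def totp_matches(base32_secret: str, submitted: str, at_time: int, step: int = 30, window: int = 1) -> bool:
    """Verifier-side check: accept the current step and `window` neighbours on either
    side for clock skew, comparing in constant time."""
    for offset in range(-window, window + 1):
        candidate = totp(base32_secret, at_time + offset * step, step)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    # The page's sample secret (documentation value, not a real account secret).
    print("current code for JBSWY3DPEHPK3PXP:", totp("JBSWY3DPEHPK3PXP"))
```

The RFC vectors are the useful self-check here: if an implementation disagrees with them on counter 0 or on time 59, the authenticator and the verifier will never agree either, and the symptom in a test run is an endless "Invalid code" loop rather than an obvious error.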
For SMS or email OTP, we recommend:
  • Using a test account with MFA disabled
  • Or using our webhook integration to receive OTPs
Hardware keys (YubiKey, etc.) cannot be automated. Options:
  • Use accounts without hardware MFA for testing
  • Capture authenticated session manually via Burp Extension

Session Management

The AI agent automatically:
  • Detects session expiration
  • Re-authenticates when needed
  • Handles CSRF tokens
  • Manages concurrent sessions
For long-running assessments, ensure test accounts don’t have session limits that could interrupt testing.
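To make the session behaviour above concrete, here is an added example (not the platform's own agent code) of a client that treats a redirect to /login or a 401 as session expiry, re-authenticates with a bounded number of retries, and sends the CSRF token bound to the current session on state-changing requests. The target application is a constructed in-memory stand-in (FakeApp) whose sessions expire after a fixed number of requests; the account user@test.example / SecureTestPass123! and all class and method names are this example's assumptions.

```python
import itertools
from typing import Dict, List, Optional, Tuple

# Constructed test account (assumption for this example, not a real account).
VALID_USER = ("user@test.example", "SecureTestPass123!")


class FakeApp:
    """Constructed stand-in for the target: login issues a session id and a CSRF token;
    the session is valid for `session_ttl_requests` requests, then the app answers with
    a redirect to /login, which is how many real apps signal an expired session."""

    def __init__(self, session_ttl_requests: int = 3) -> None:
        self.ttl = session_ttl_requests
        self._remaining: Dict[str, int] = {}   # session id -> requests left before expiry
        self._csrf: Dict[str, str] = {}        # session id -> CSRF token bound to that session
        self._ids = itertools.count(1)
        self.login_count = 0                   # how often a client authenticated

    def login(self, username: str, password: str) -> Tuple[int, Optional[str], Optional[str]]:
        self.login_count += 1
        if (username, password) != VALID_USER:
            return 401, None, None
        n = next(self._ids)
        sid, csrf = f"sid-{n}", f"csrf-{n}"
        self._remaining[sid] = self.ttl
        self._csrf[sid] = csrf
        return 200, sid, csrf

    def handle(self, method: str, path: str, sid: Optional[str], csrf: Optional[str]) -> Tuple[int, str]:
        if sid is None or self._remaining.get(sid, 0) <= 0:
            return 302, "/login"               # unknown or expired session
        self._remaining[sid] -= 1
        if method == "POST" and csrf != self._csrf[sid]:
            return 403, "csrf token mismatch"  # token from an older session is rejected
        return 200, f"{method} {path} ok"


class AuthenticatedClient:
    """Re-authenticates when the app signals expiry; gives up after a fixed number of
    re-logins per request so a permanently broken session cannot loop forever."""
    MAX_REAUTH_PER_REQUEST = 2

    def __init__(self, app: FakeApp, username: str, password: str) -> None:
        self.app, self.username, self.password = app, username, password
        self.sid: Optional[str] = None
        self.csrf: Optional[str] = None
        self.trace: List[str] = []            # readable log, like an authentication trace

    def _login(self) -> None:
        status, sid, csrf = self.app.login(self.username, self.password)
        if status != 200:
            raise RuntimeError("login failed: invalid credentials")
        self.sid, self.csrf = sid, csrf       # CSRF token is refreshed together with the session
        self.trace.append("login ok")

    @staticmethod
    def _session_expired(status: int, body: str) -> bool:
        return status == 401 or (status == 302 and body == "/login")

    def request(self, method: str, path: str) -> Tuple[int, str]:
        if self.sid is None:
            self._login()
        for _ in range(self.MAX_REAUTH_PER_REQUEST + 1):
            status, body = self.app.handle(method, path, self.sid, self.csrf)
            if self._session_expired(status, body):
                self.trace.append(f"session expired on {method} {path}; re-authenticating")
                self._login()
                continue
            return status, body
        raise RuntimeError(f"gave up on {method} {path}: session expired repeatedly")


if __name__ == "__main__":
    app = FakeApp(session_ttl_requests=3)
    client = AuthenticatedClient(app, *VALID_USER)
    for _ in range(5):
        client.request("GET", "/dashboard")
    print("\n".join(client.trace), "\nlogins:", app.login_count)
```

The retry bound is the part worth copying: a test account with a very short session lifetime or a login that silently lands back on /login would otherwise produce an unbounded login storm against the target, which is exactly the kind of noise the session-limit caveat above is warning about.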

Verification

After configuring authentication, verify it works:
  1. Go to Targets → Your Target → Authentication
  2. Click Test Authentication
  3. Review the authentication trace
  4. Confirm successful login indicator
A green checkmark indicates that authentication is working correctly.
