
Configuring OAuth2 Authentication in Netsparker Standard

Netsparker Standard supports OAuth2 authentication, so you can configure scans for websites that require an OAuth2 access token.

The OAuth2 authentication mechanism in Netsparker Standard supports all of the grant types defined in RFC 6749. In addition, Netsparker provides a Custom flow for token-based authentication schemes that do not follow one of the OAuth2 grant types.

OAuth2 Authentication Fields

The fields in the OAuth2 Authentication section are listed below, each field name followed by its description.

Flow Type

First, Flow Type must be selected. There are five types of flows supported by Netsparker Standard:

  1. Authorization Code Grant
  2. Implicit Grant
  3. Resource Owner Password Credentials Grant
  4. Client Credentials Grant
  5. Custom

Endpoint

After selecting the Flow Type, the endpoint(s) and their associated parameters must be configured. Netsparker automatically lists the default parameter names and values defined in RFC 6749. Because these parameter names and values vary between implementations, Netsparker allows you to add, remove and edit them.

Response Fields

  • The Access Token is the only required field. The other fields are optional and may be left blank if the endpoint does not return them.
  • The Refresh Token field is used if the OAuth2 endpoint returns a refresh token. Netsparker uses it to obtain a new access token when the current one is about to expire, instead of repeating the full grant.
  • The Expire field is used if the OAuth2 endpoint returns an expiration value, which may be a duration in milliseconds or a date-time. Note that RFC 6749 defines expires_in as a lifetime in seconds, so check which unit your endpoint actually returns. Shortly before the access token expires, Netsparker pauses all requests and renews the token: if a refresh token was provided it is used, otherwise a new token is requested from the endpoint.
  • The Token Type field is the scheme that prefixes the access token in the Authorization header (for example Authorization: Bearer <access token>) that Netsparker sends with every request while it crawls and attacks the target website. If the endpoint does not return a token type, Netsparker defaults to Bearer.
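The renewal behaviour described above, as an added example that is not Netsparker's code: a small token session that reads the response fields under configurable names, converts the expiry (seconds per RFC 6749, or milliseconds or a date-time if the endpoint is non-standard), and renews shortly before expiry, preferring the refresh token and falling back to a brand-new request when none was issued or the refresh fails. The token endpoint, the 30-second renewal margin and the 60-second token lifetime are constructed for the demonstration.

```python
import time
from datetime import datetime, timezone
from typing import Callable, Optional

# Added example, not Netsparker code. It models the Response Fields behaviour
# described above: remappable field names, an expiry that may be a number or a
# date-time, and a renewal that prefers the refresh token when one was issued.

# RFC 6749 parameter names; a real endpoint may use different ones.
DEFAULT_FIELDS = {"access_token": "access_token", "refresh_token": "refresh_token",
                  "expire": "expires_in", "token_type": "token_type"}
REFRESH_MARGIN = 30.0  # seconds before expiry at which we renew (assumed value)


def parse_expiry(value, now: float, unit: str = "seconds") -> Optional[float]:
    """Convert the endpoint's expiry value to an absolute Unix timestamp."""
    # RFC 6749 defines expires_in in seconds; some endpoints return
    # milliseconds or an ISO 8601 date-time instead, so the unit is explicit.
    if value in (None, ""):
        return None
    if unit == "seconds":
        return now + float(value)
    if unit == "milliseconds":
        return now + float(value) / 1000.0
    if unit == "datetime":
        dt = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
        if dt.tzinfo is None:  # naive timestamps are assumed to be UTC
            dt = dt.replace(tzinfo=timezone.utc)
        return dt.timestamp()
    raise ValueError(f"unknown expire unit: {unit!r}")


class TokenSession:
    """Holds the current access token and renews it shortly before it expires."""

    def __init__(self, request_token: Callable[[], dict], refresh_with: Callable[[str], dict],
                 fields: dict = DEFAULT_FIELDS, expire_unit: str = "seconds",
                 clock: Callable[[], float] = time.time):
        self.request_token, self.refresh_with, self.clock = request_token, refresh_with, clock
        self.fields, self.expire_unit = fields, expire_unit
        self.access_token = self.refresh_token = self.token_type = None
        self.expires_at = None

    def _load(self, response: dict) -> None:
        token = response.get(self.fields["access_token"])
        if not token:  # the access token is the only required field
            raise ValueError("token response has no access token")
        self.access_token = token
        # A refresh response may omit the refresh token; keep the old one (RFC 6749 section 6).
        self.refresh_token = response.get(self.fields["refresh_token"]) or self.refresh_token
        self.token_type = response.get(self.fields["token_type"]) or "Bearer"
        self.expires_at = parse_expiry(response.get(self.fields["expire"]), self.clock(), self.expire_unit)

    def ensure_valid(self) -> str:
        """Renew if needed; returns requested, cached, refreshed or re-requested."""
        if self.access_token is None:
            self._load(self.request_token())
            return "requested"
        if self.expires_at is None or self.clock() < self.expires_at - REFRESH_MARGIN:
            return "cached"
        if self.refresh_token:
            try:
                self._load(self.refresh_with(self.refresh_token))
                return "refreshed"
            except Exception:  # e.g. invalid_grant: fall back to a brand-new request
                self.refresh_token = None
        self._load(self.request_token())
        return "re-requested"

    def auth_header(self) -> dict:
        self.ensure_valid()
        return {"Authorization": f"{self.token_type} {self.access_token}"}


class FakeTokenEndpoint:  # constructed stand-in for a token endpoint issuing 60-second tokens
    issued = 0
    with_refresh = True

    def request(self) -> dict:
        self.issued += 1
        body = {"access_token": f"at{self.issued}", "expires_in": 60, "token_type": "Bearer"}
        if self.with_refresh:
            body["refresh_token"] = f"rt{self.issued}"
        return body

    def refresh(self, refresh_token: str) -> dict:
        if not refresh_token.startswith("rt"):
            raise RuntimeError("invalid_grant")
        self.issued += 1
        return {"access_token": f"at{self.issued}", "expires_in": 60}  # no token_type, no new refresh token


def simulate(with_refresh: bool = True) -> list:
    """Drive one session through a token lifetime with a fake clock."""
    now = [0.0]
    endpoint = FakeTokenEndpoint()
    endpoint.with_refresh = with_refresh
    session = TokenSession(endpoint.request, endpoint.refresh, clock=lambda: now[0])
    events = []
    for t in (0, 10, 35, 100):  # t=35 lies inside the 30 s margin before the 60 s expiry
        now[0] = float(t)
        events.append((t, session.ensure_valid(), session.auth_header()["Authorization"]))
    return events
```

Running simulate(True) shows the session being refreshed at t=35 and again at t=100 with the original refresh token, since the fake refresh response never issues a new one; simulate(False) shows the same points handled by a fresh request to the endpoint. The refresh response also omits token_type, so the header falls back to Bearer as the page describes.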

How to Configure OAuth2 Authentication in Netsparker Standard

  1. Open Netsparker Standard.
  2. From the Home tab, click New. The Start a New Website or Web Service Scan dialog is displayed.
  3. Click the OAuth2 tab.
  4. From the Flow Type dropdown, select an option.
  5. In the Endpoint field, enter the endpoint URL.
  6. If Authorization Code has been selected as the Flow Type, an additional panel is displayed for the authorization endpoint's values. The Authorization Code is requested from that endpoint automatically and passed on to the Access Token endpoint. The name of the code field that will be sent to the Access Token endpoint can be edited, but its value cannot (it is a dynamic value that Netsparker populates automatically).
  7. If the OAuth2 endpoints themselves require additional authentication, such as Form, Basic, Digest or NTLM/Kerberos authentication, configure it from the Authentication dropdown (see Configuring Form Authentication in Netsparker Standard and Configuring Basic, NTLM/Kerberos Authentication in Netsparker Standard).
  8. Next, click the Response Fields tab. These fields are pre-populated with the default values defined in RFC 6749.
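The Authorization Code exchange that step 6 describes, as an added example that is not Netsparker's code: the client builds the authorization request with a random state, extracts the code from the redirect (rejecting a mismatched state), and exchanges it at the token endpoint with the client authenticated by HTTP Basic as RFC 6749 section 2.3.1 allows. The name of the code parameter is configurable, mirroring the editable code field name in the Netsparker panel. The endpoint URLs, client credentials and the FakeAuthServer are constructed for the demonstration.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Added example, not Netsparker code. Endpoint URLs, client credentials and the
# authorization server below are constructed for the demonstration.
AUTHORIZE_ENDPOINT = "https://auth.example.test/authorize"
TOKEN_ENDPOINT = "https://auth.example.test/token"
REDIRECT_URI = "https://scanner.example.test/callback"
CLIENT_ID, CLIENT_SECRET = "scanner", "s3cret"


def build_authorize_url(state: str, scope: str = "read") -> str:
    """Step 1: the request to the authorization endpoint (RFC 6749 section 4.1.1)."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_redirect(redirect_url: str, expected_state: str, code_param: str = "code") -> str:
    """Step 2: pull the code out of the redirect, rejecting a wrong state (CSRF)."""
    q = parse_qs(urlsplit(redirect_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect was not initiated by us")
    if "error" in q:
        raise RuntimeError(f"authorization denied: {q['error'][0]}")
    return q[code_param][0]


def build_token_request(code: str, code_param: str = "code") -> tuple:
    """Step 3: the access-token request (section 4.1.3); client authenticates with HTTP Basic (2.3.1)."""
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "authorization_code", code_param: code, "redirect_uri": REDIRECT_URI}
    return headers, form


class FakeAuthServer:
    """Constructed authorization server: approves every request, codes are single-use."""

    def __init__(self, code_param: str = "code"):
        self.codes, self.code_param = {}, code_param

    def authorize(self, url: str) -> str:
        """The user approves; the server redirects back with code and state."""
        q = parse_qs(urlsplit(url).query)
        assert q["response_type"] == ["code"] and q["client_id"] == [CLIENT_ID]
        code = secrets.token_urlsafe(16)
        self.codes[code] = q["redirect_uri"][0]
        return q["redirect_uri"][0] + "?" + urlencode({self.code_param: code, "state": q["state"][0]})

    def token(self, headers: dict, form: dict) -> dict:
        expected = "Basic " + base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
        if headers.get("Authorization") != expected:
            return {"error": "invalid_client"}
        redirect = self.codes.pop(form.get(self.code_param), None)  # a code can be redeemed once
        if form.get("grant_type") != "authorization_code" or redirect != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        return {"access_token": "at-" + secrets.token_hex(8), "token_type": "Bearer", "expires_in": 3600}


def run_flow(server: FakeAuthServer, code_param: str = "code") -> dict:
    """Chain the three steps the way the scanner does before it starts crawling."""
    state = secrets.token_urlsafe(16)
    redirect_url = server.authorize(build_authorize_url(state))
    code = parse_redirect(redirect_url, state, code_param)
    headers, form = build_token_request(code, code_param)
    return server.token(headers, form)
```

run_flow(FakeAuthServer("auth_code"), "auth_code") exercises the renamed code parameter; redeeming the same code twice returns invalid_grant, and a redirect whose state does not match the one the client generated is rejected before any token request is made.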
