Authenticated scans
Anonymous scans only see what Google can see. Most of the interesting attack surface (admin panels, user-specific API endpoints, billing flows) sits behind authentication. Pentestas supports four ways to hand over credentials.
1. Username + password
New scan → Advanced → Authentication → Form login.
Supply:
- Login URL: the form action URL (where the browser POSTs the credentials), not the page that displays the form.
- Username field name / value
- Password field name / value
- Success indicator: a URL (/dashboard) or response-body pattern ("Welcome,") that means login worked. Pick something an unauthenticated response can never contain; a bare 200 status is not an indicator, because most login forms also answer 200 on a failed attempt.
Pentestas posts the form, captures the resulting session cookies, and re-crawls. It also periodically re-verifies the session during the scan and logs in again if it detects a logout (a redirect to the login URL, or a spike of 401 responses).
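The login-and-recover loop described above, as an added example that is not Pentestas code: a Python client posts the form to a constructed local target app, trusts the session cookie only when the success indicator (a redirect to /dashboard) matches, and logs in again when a later response bounces to the login URL or answers 401. The target app, the test account scanner@example.com / hunter2, the field names email / password and the sid cookie name are all constructed for the demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode

# Constructed target app (not Pentestas code): a form login that sets a session cookie.
LOGIN_URL = "/login"                            # the form action URL
SUCCESS_URL = "/dashboard"                      # success indicator (redirect target)
USERS = {"scanner@example.com": "hunter2"}      # constructed test account
SESSIONS = set()                                # sids the app currently accepts
ISSUED = [0]                                    # counter so each login mints a new sid

class TargetApp(BaseHTTPRequestHandler):
    def log_message(self, *args):               # keep the demo quiet
        pass
    def _sid(self):
        for part in self.headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "sid":
                return value
        return None
    def _redirect(self, location, cookie=None):
        self.send_response(302)
        if cookie:
            self.send_header("Set-Cookie", cookie)
        self.send_header("Location", location)
        self.end_headers()
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        form = parse_qs(body.decode())
        user, pw = form.get("email", [""])[0], form.get("password", [""])[0]
        if self.path == LOGIN_URL and USERS.get(user) == pw:
            ISSUED[0] += 1
            sid = f"s{ISSUED[0]}"
            SESSIONS.add(sid)
            self._redirect(SUCCESS_URL, cookie=f"sid={sid}; HttpOnly")
        else:                                   # failed login answers 200 + error page
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"Invalid login")
    def do_GET(self):
        if self._sid() not in SESSIONS:         # anonymous or expired: back to the form
            return self._redirect(LOGIN_URL)
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"Welcome, scanner")

class FormSession:
    """Client side of form login: post, verify the indicator, keep the cookie, re-login on logout."""
    def __init__(self, host, port, username, password):
        self.host, self.port, self.username, self.password = host, port, username, password
        self.cookie, self.logins = None, 0
    def _request(self, method, path, body=None, headers=None):
        conn = http.client.HTTPConnection(self.host, self.port, timeout=5)
        conn.request(method, path, body=body, headers=headers or {})
        resp = conn.getresponse()
        data = resp.read()
        conn.close()
        return resp.status, dict(resp.getheaders()), data
    def login(self):
        form = urlencode({"email": self.username, "password": self.password})
        status, headers, _ = self._request("POST", LOGIN_URL, body=form,
                                           headers={"Content-Type": "application/x-www-form-urlencoded"})
        # Trust the cookie only if the success indicator matched; a failed login is also a 200.
        if status == 302 and headers.get("Location") == SUCCESS_URL:
            self.cookie = headers["Set-Cookie"].split(";")[0]      # "sid=..."
            self.logins += 1
            return True
        return False
    def get(self, path):
        if self.cookie is None and not self.login():
            raise RuntimeError("initial login failed")
        status, headers, data = self._request("GET", path, headers={"Cookie": self.cookie})
        bounced = status == 401 or (status in (301, 302) and headers.get("Location") == LOGIN_URL)
        if bounced and self.login():            # logout detected: log in again, retry once
            status, headers, data = self._request("GET", path, headers={"Cookie": self.cookie})
        return status, data

def run_demo():
    """Log in, fetch the dashboard, lose the session server-side, fetch again."""
    SESSIONS.clear(); ISSUED[0] = 0
    server = HTTPServer(("127.0.0.1", 0), TargetApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        sess = FormSession("127.0.0.1", server.server_address[1], "scanner@example.com", "hunter2")
        first = sess.get(SUCCESS_URL)
        SESSIONS.clear()                        # simulate the session expiring mid-scan
        second = sess.get(SUCCESS_URL)          # get() sees the bounce and logs in again
        return {"first": first, "second": second, "second_sid": sess.cookie, "logins": sess.logins}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())
```

The retry is deliberately limited to one re-login per request: if the target rejects the fresh session as well, the scan should surface that as a configuration problem rather than loop on the login form.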
2. Cookie paste
Already logged in with your browser? Open DevTools → Application → Cookies and copy the session / sid cookie value.
New scan → Advanced → Authentication → Cookies.
sid=abc123; csrf_token=xyz789
Fastest path to a working authenticated scan. Downside: cookies expire, and the scanner has no credentials to recover with, so a session shorter than your scan fails mid-run.
3. Authorization header
For API scans:
{
  "config": {
    "custom_headers": {
      "Authorization": "Bearer eyJ..."
    }
  }
}
Works with any JWT / opaque token. A static token has the same limitation as a pasted cookie: once it expires, every request fails. Combine with oauth_refresh (see below) for long scans.
4. OAuth 2.0 refresh token (recommended for APIs)
Pentestas mints a fresh access token at scan start and refreshes it mid-run when it is about to expire, so it survives 8-hour scans against APIs with 5-minute access tokens.
{
  "config": {
    "oauth_refresh": {
      "token_url": "https://auth.example.com/oauth/token",
      "refresh_token": "rt_abc...",
      "client_id": "pentestas-scanner",
      "client_secret": "..."
    }
  }
}
Pentestas caches the access token in memory for the scan's lifetime and drops it when the scan ends. Issue the refresh token to a dedicated client and test account so it can be revoked on its own once the engagement is over.
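The refresh logic described above, as an added example that is not Pentestas code: an in-memory bearer-token holder that refreshes shortly before expiry, honours refresh-token rotation, and drops both tokens when closed. The token server is a constructed stand-in for token_url that issues 300-second access tokens; the client_secret s3cret and the rt-0 / at-N token names are constructed for the demo. A simulated 8-hour scan with one request a minute is compared against reusing a static Authorization header.

```python
import time

class FakeClock:
    """Constructed clock so an 8-hour scan can be simulated in milliseconds."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t

class FakeAuthServer:
    """Constructed stand-in for token_url: mints 5-minute access tokens and
    rotates the refresh token on every use, as RFC 6749 allows."""
    LIFETIME = 300

    def __init__(self, clock, client_id, client_secret, refresh_token):
        self.clock, self.creds = clock, (client_id, client_secret)
        self.valid_refresh = {refresh_token}
        self.issued = {}                 # access token -> absolute expiry time
        self.n = 0

    def token_endpoint(self, form):
        """What a POST to token_url with grant_type=refresh_token returns."""
        if (form["client_id"], form["client_secret"]) != self.creds:
            raise PermissionError("invalid_client")
        if form["grant_type"] != "refresh_token" or form["refresh_token"] not in self.valid_refresh:
            raise PermissionError("invalid_grant")
        self.valid_refresh.discard(form["refresh_token"])      # single use
        self.n += 1
        access, new_refresh = f"at-{self.n}", f"rt-{self.n}"
        self.valid_refresh.add(new_refresh)
        self.issued[access] = self.clock() + self.LIFETIME
        return {"access_token": access, "token_type": "Bearer",
                "expires_in": self.LIFETIME, "refresh_token": new_refresh}

    def accepts(self, auth_header):
        """Resource-server check: is this bearer token still valid right now?"""
        token = auth_header.split(" ", 1)[1]
        return self.clock() < self.issued.get(token, -1.0)

class RefreshingBearer:
    """Keeps one access token in memory and refreshes it shortly before it
    expires, so a long scan never sends a stale Authorization header."""
    def __init__(self, token_endpoint, refresh_token, client_id, client_secret,
                 clock=time.monotonic, skew=30):
        self._endpoint, self._refresh_token = token_endpoint, refresh_token
        self._client, self._clock, self._skew = (client_id, client_secret), clock, skew
        self._access, self._expires_at, self.refreshes = None, 0.0, 0

    def header(self):
        """Value for the Authorization header; refreshes first if needed."""
        if self._access is None or self._clock() >= self._expires_at - self._skew:
            self._refresh()
        return f"Bearer {self._access}"

    def _refresh(self):
        resp = self._endpoint({"grant_type": "refresh_token",
                               "refresh_token": self._refresh_token,
                               "client_id": self._client[0],
                               "client_secret": self._client[1]})
        self._access = resp["access_token"]
        self._expires_at = self._clock() + resp["expires_in"]
        # Honour rotation: if the server issued a new refresh token, the old one is dead.
        self._refresh_token = resp.get("refresh_token", self._refresh_token)
        self.refreshes += 1

    def close(self):
        """Drop both tokens at scan end; nothing is persisted."""
        self._access = self._refresh_token = None

def simulate_scan(duration=8 * 3600, interval=60, refresh=True):
    """Send one API request every `interval` seconds for `duration` seconds.
    With refresh=False the first token is reused unchanged, which is what a
    pasted static Authorization header does."""
    clock = FakeClock()
    auth = FakeAuthServer(clock, "pentestas-scanner", "s3cret", "rt-0")
    bearer = RefreshingBearer(auth.token_endpoint, "rt-0", "pentestas-scanner", "s3cret", clock=clock)
    static_header = bearer.header() if not refresh else None
    requests = rejected = 0
    while clock.t <= duration:
        header = static_header or bearer.header()
        if not auth.accepts(header):
            rejected += 1
        requests += 1
        clock.t += interval
    bearer.close()
    return {"requests": requests, "refreshes": bearer.refreshes, "rejected": rejected}

if __name__ == "__main__":
    print(simulate_scan(), simulate_scan(refresh=False))
```

The 30-second skew matters: refreshing exactly at expiry leaves a window where a request issued just before the refresh is rejected by a server whose clock runs slightly ahead. With rotation enabled, a refresh token is also single-use, so two scanners sharing one refresh_token will invalidate each other.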
Multi-role scans
To scan the admin panel as an admin and the user dashboard as a regular user in one scan, pass multiple credential blocks:
{
  "config": {
    "credentials": [
      {"role": "admin", "username": "admin@example.com", "password": "…"},
      {"role": "user", "username": "user@example.com", "password": "…"}
    ]
  }
}
The crawler logs in as each role, saves each session, then tries every session against every discovered endpoint. This finds vertical privilege escalation: a regular user reaching functionality that should be admin-only.
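The differential check behind multi-role scanning, as an added example that is not Pentestas code: crawl once per saved session, then replay every URL the admin crawl reached against the user session, and flag anything the user could not discover on its own but can now fetch. The site map, the sid-admin / sid-user sessions and the planted bug at /admin/export (linked only from the admin area, but missing its role check) are constructed for the demo.

```python
# Constructed target, not Pentestas code: path -> (roles the app lets through,
# links on the page). /admin/export is the planted bug: it is only linked from
# the admin area, but the handler never checks the role.
SITE = {
    "/dashboard":    ({"user", "admin"}, ["/settings", "/admin"]),
    "/settings":     ({"user", "admin"}, []),
    "/admin":        ({"admin"},         ["/admin/users", "/admin/export"]),
    "/admin/users":  ({"admin"},         []),
    "/admin/export": ({"user", "admin"}, []),
}
SESSIONS = {"sid-admin": "admin", "sid-user": "user"}   # saved per-role sessions

def request(sid, path):
    """Stand-in for an HTTP GET with a saved session cookie: (status, links)."""
    role = SESSIONS.get(sid)
    if role is None:
        return 302, []                  # anonymous: redirect to login
    if path not in SITE:
        return 404, []
    allowed, links = SITE[path]
    return (200, links) if role in allowed else (403, [])

def crawl(sid, start="/dashboard"):
    """Breadth-first crawl as one role; records the status of every URL reached."""
    seen, queue = {}, [start]
    while queue:
        path = queue.pop(0)
        if path in seen:
            continue
        status, links = request(sid, path)
        seen[path] = status
        queue.extend(link for link in links if link not in seen)
    return seen

def find_vertical_escalation(high_sid, low_sid):
    """Replay every URL the high-privilege crawl reached against the low
    session. A URL the low role could not discover on its own but can now
    fetch successfully is a missing-authorization candidate."""
    high, low = crawl(high_sid), crawl(low_sid)
    findings = []
    for path, status in sorted(high.items()):
        if status != 200 or low.get(path) == 200:
            continue                    # not privileged, or the low role already had it
        if request(low_sid, path)[0] == 200:
            findings.append(path)
    return findings

if __name__ == "__main__":
    print(find_vertical_escalation("sid-admin", "sid-user"))
```

A real scanner compares response bodies as well as status codes, because many applications answer 200 with an "access denied" page; the status-only comparison here is the minimum that makes the idea visible.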
MFA / 2SV
Two approaches, both Pro+:
- TOTP seed: paste the shared secret (the base32 string shown when the authenticator was enrolled). Pentestas generates a fresh code for each login.
- Cookie reuse: log in once with MFA, then paste the post-MFA session cookie. Good for short scans; it has the same expiry problem as any pasted cookie.
Scope + safety
- Use a test account, not your personal admin. Destructive tests can fire against logged-in flows.
- Whitelist the Pentestas scanner IPs in any rate limiter so the scanner isn't kicked out mid-run; dig TXT scan-ips.pentestas.com returns the current IP set.
- Exclude logout URLs under Advanced → Scope restrictions so the crawler doesn't log itself out.
See also
- API scan: authenticated API specifics
- Web app scan: the general checklist