Web app authorization coverage scanning.
AuthCov crawls your web application using a Chrome headless browser while logged in as a pre-defined user. It intercepts and logs API requests as well as pages loaded during the crawling phase. In the next phase it logs in under a different user account, the "intruder", and attempts to access each one of the API requests or pages discovered previously. It repeats this step for each intruder user defined. Finally it generates a detailed report listing the resources discovered and whether or not they are accessible to the intruder users.
[Screenshot: an example report generated from scanning a local WordPress instance]
- Works with single-page-applications and traditional multi-page-applications
- Handles token-based and cookie-based authentication mechanisms
- Generates an in-depth report in HTML format
- Screenshots of each page crawled can be viewed in the report
Install Node 10, then run:
$ npm install -g authcov
- Generate a config for the site you want to scan:
$ authcov new myconfig.js
- Update the values in myconfig.js
- Test your configuration values by running this command, which checks that the browser is able to log in successfully:
$ authcov test-login myconfig.js --headless=false
- Crawl your site:
$ authcov crawl myconfig.js
- Attempt intrusion against the resources discovered during the crawling phase:
$ authcov intrude myconfig.js
- View the generated report at:
./tmp/report/index.html
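The intrude phase described above, as an added example that is not AuthCov's own code: every resource recorded during the crawl is replayed with an intruder's credentials and the response is classified as blocked, accessible, or needing review. `fetchAs` is an assumed transport function, and the crawl log and target app are constructed stand-ins.

```javascript
// Added example, not AuthCov's own code: the core of the "intrude" phase.
// Each resource recorded during the crawl (method, URL, status/body seen by the
// crawl user) is replayed as an intruder. `fetchAs` is an assumed transport:
// (request, credentials) -> { status, body }.

function classifyIntrusion(crawled, response) {
  // 401/403 or a redirect (typically to the login page): intruder was blocked.
  if (response.status === 401 || response.status === 403) return 'blocked';
  if (response.status >= 300 && response.status < 400) return 'blocked';
  // Same status and body the crawl user saw: the resource is exposed.
  if (response.status === crawled.status && response.body === crawled.body) return 'accessible';
  // 2xx but different content (own profile, empty list, generic page): review by hand.
  if (response.status >= 200 && response.status < 300) return 'review';
  return 'error';
}

function intrude(resources, intruders, fetchAs) {
  const report = [];
  for (const intruder of intruders) {
    for (const res of resources) {
      const response = fetchAs({ method: res.method, url: res.url }, intruder);
      report.push({
        intruder: intruder.username, method: res.method, url: res.url,
        status: response.status, verdict: classifyIntrusion(res, response),
      });
    }
  }
  return report;
}

// Constructed sample data standing in for a crawl log of a WordPress site.
const crawledResources = [
  { method: 'GET', url: '/wp-admin/users.php', status: 200, body: 'users-table' },
  { method: 'GET', url: '/wp-json/wp/v2/posts', status: 200, body: 'posts' },
  { method: 'GET', url: '/wp-admin/profile.php', status: 200, body: 'admin-profile' },
];
const intruders = [{ username: 'subscriber', password: 'constructed' }];

// Constructed stand-in for the target app: the admin page redirects the intruder
// to login, the posts API is public, and the profile page shows the intruder's
// own profile rather than the admin's (a 200 that is not an exposure).
function fakeFetchAs(req, creds) {
  const responses = {
    '/wp-admin/users.php': { status: 302, body: '' },
    '/wp-json/wp/v2/posts': { status: 200, body: 'posts' },
    '/wp-admin/profile.php': { status: 200, body: `${creds.username}-profile` },
  };
  return responses[req.url] || { status: 404, body: '' };
}

console.table(intrude(crawledResources, intruders, fakeFetchAs));
```

The "review" verdict is the case worth watching in a real run: a 200 response does not by itself mean the intruder saw the crawl user's data.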
Tests
Unit tests:
$ npm test test/unit
Integration tests:
First download and run the example app. Then run the tests:
$ npm test test/integration