DAST Authentication Configuration Requirement

This article outlines the details required to configure authentication for Dynamic Application Security Testing (DAST). The scanner needs this information to authenticate as each role and exercise the role-segmented APIs accurately and safely within the application environment.

1. Application Roles Overview

Please indicate whether the application includes role-based access. If roles are implemented, provide a list of all distinct roles and a brief explanation of how APIs are segmented by role (which endpoints each role may call, and which are denied to it).

2. Role-Based Authentication Configuration

For each role, provide the following authentication configuration details.

Example Role: Administrator

a. Type of Token (e.g., Bearer JWT, opaque access token, session cookie):

b. Token Details (header or cookie name, prefix such as "Bearer", and which response field carries the token):

c. Token Generation Endpoint:

Provide the URL of the authentication/token server.

https://auth.example.com/oauth/token

d. Content-Type of Authentication API:

application/json or application/x-www-form-urlencoded

e. Token Generation Sequence

If token issuance involves multiple API calls, document each step including endpoint, headers, request body, and expected response.

Step 1: Login API

Sample Request Body:

    {
        "username": "admin_user",
        "password": "Admin@123"
    }

Sample Response:

    {
        "access_token": "eyJhbGciOi...",
        "expires_in": 3600
    }

Curl Example:

    curl -X POST https://auth.example.com/api/login \
      -H "Content-Type: application/json" \
      -d '{"username": "admin_user", "password": "Admin@123"}'
Step 2 (If applicable):

Where authentication involves a series of API calls (e.g., login followed by token exchange, OTP verification, or user profile resolution), document each call in order, and for each one state which field of the previous response (e.g., access_token) feeds the next request and where it is placed (header, query parameter, or body). The scanner cannot replay the sequence if these data dependencies are left implicit.

3. Test User Credentials

Please provide at least two test user accounts for each role to use during security testing.

    Role            Username        Password
    --------------  --------------  ----------
    Administrator   admin_user      Admin@123
    Standard User   user_standard   User@123

🔒 Ensure test accounts are isolated from production environments, hold no production data, and are safe for automated testing (the scanner will submit malformed and repeated requests under these identities).

4. Token Validity and Renewal

  • Default token expiration: 3600 seconds (1 hour)
  • Auto-refresh supported: Yes / No
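The token sequence from section 2e and the validity and renewal details from section 4 are what a scanner's authentication hook has to implement. The following is an added example, not code from the original requirement document: a small Python helper that runs Step 1 (login with either Content-Type from section 2d), an optional Step 2 token exchange that depends on Step 1's output, and renews the token before it expires, using a refresh endpoint when auto-refresh is supported and a fresh login otherwise. The endpoint paths, field names, the `transport` callable and the `FakeAuthServer` are assumptions constructed so the example runs offline; replace them with the values the application team supplies.

```python
"""DAST authentication helper for a multi-step token flow (added example).

Endpoint paths, JSON field names and the transport callable are assumptions;
substitute the values supplied in sections 2c-2e and 4.
"""
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# (method, url, headers, body) -> (status, response_body)
Transport = Callable[[str, str, Dict[str, str], bytes], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
    """Real HTTP transport for use against the scan target."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


@dataclass
class RoleAuthConfig:
    role: str
    login_url: str                              # Step 1 endpoint (section 2e)
    username: str
    password: str
    content_type: str = "application/json"      # section 2d
    exchange_url: Optional[str] = None          # Step 2, only if a token exchange follows login
    refresh_url: Optional[str] = None           # section 4, only if auto-refresh is supported


class DastAuthSession:
    """Obtains, caches and renews the bearer token for one role."""

    def __init__(self, cfg: RoleAuthConfig, transport: Transport = urllib_transport,
                 clock: Callable[[], float] = time.time, leeway: int = 60):
        self.cfg, self.transport, self.clock, self.leeway = cfg, transport, clock, leeway
        self.access_token: Optional[str] = None
        self.refresh_token: Optional[str] = None
        self.expires_at = 0.0
        self.logins = 0          # counters make the renewal behaviour observable
        self.refreshes = 0

    def _post(self, url: str, payload: Dict[str, str], content_type: str,
              extra_headers: Optional[Dict[str, str]] = None) -> dict:
        if content_type == "application/json":
            body = json.dumps(payload).encode()
        elif content_type == "application/x-www-form-urlencoded":
            body = urllib.parse.urlencode(payload).encode()
        else:
            raise ValueError(f"unsupported Content-Type: {content_type}")
        headers = {"Content-Type": content_type, **(extra_headers or {})}
        status, raw = self.transport("POST", url, headers, body)
        if status != 200:
            raise RuntimeError(f"{url} returned HTTP {status}")
        return json.loads(raw)

    def _store(self, data: dict) -> None:
        self.access_token = data["access_token"]
        self.refresh_token = data.get("refresh_token")
        self.expires_at = self.clock() + float(data.get("expires_in", 3600))

    def login(self) -> str:
        """Step 1, then Step 2 if configured (Step 2 consumes Step 1's access_token)."""
        data = self._post(self.cfg.login_url,
                          {"username": self.cfg.username, "password": self.cfg.password},
                          self.cfg.content_type)
        if self.cfg.exchange_url:
            data = self._post(self.cfg.exchange_url, {"grant_type": "token_exchange"},
                              "application/json",
                              {"Authorization": f"Bearer {data['access_token']}"})
        self._store(data)
        self.logins += 1
        return self.access_token

    def auth_header(self) -> Dict[str, str]:
        """Header attached to every scan request; renews inside the leeway window."""
        if self.access_token is None or self.clock() >= self.expires_at - self.leeway:
            if self.refresh_token and self.cfg.refresh_url:
                self._store(self._post(self.cfg.refresh_url,
                                       {"grant_type": "refresh_token",
                                        "refresh_token": self.refresh_token},
                                       "application/json"))
                self.refreshes += 1
            else:
                self.login()
        return {"Authorization": f"Bearer {self.access_token}"}


class FakeAuthServer:
    """Constructed stand-in for the token server so the example runs offline."""

    def __init__(self):
        self.issued = 0

    def __call__(self, method, url, headers, body):
        self.issued += 1
        if url.endswith("/api/login"):
            if headers.get("Content-Type") == "application/json":
                creds = json.loads(body)
            else:
                creds = dict(urllib.parse.parse_qsl(body.decode()))
            if creds != {"username": "admin_user", "password": "Admin@123"}:
                return 401, b'{"error":"invalid_credentials"}'
            return 200, json.dumps({"access_token": f"login-{self.issued}", "expires_in": 3600}).encode()
        if url.endswith("/oauth/token"):
            if headers.get("Authorization", "").startswith("Bearer login-") or b"refresh_token" in body:
                return 200, json.dumps({"access_token": f"api-{self.issued}",
                                        "refresh_token": "r1", "expires_in": 3600}).encode()
        return 404, b""


def demo() -> dict:
    """Login + exchange, a cached hit, then a refresh just inside the leeway window."""
    now = [1_000_000.0]
    cfg = RoleAuthConfig(role="Administrator", login_url="https://auth.example.com/api/login",
                         username="admin_user", password="Admin@123",
                         exchange_url="https://auth.example.com/oauth/token",
                         refresh_url="https://auth.example.com/oauth/token")
    server = FakeAuthServer()
    session = DastAuthSession(cfg, transport=server, clock=lambda: now[0])
    first = session.auth_header()       # Step 1 + Step 2
    now[0] += 1800
    second = session.auth_header()      # still valid: no network call
    now[0] += 1800 - 30                 # 30 s before expiry, inside the 60 s leeway
    third = session.auth_header()       # refreshed without a second login
    return {"first": first, "second": second, "third": third, "logins": session.logins,
            "refreshes": session.refreshes, "requests": server.issued}


if __name__ == "__main__":
    print(demo())
```

The counters and the injectable clock are there so the renewal policy can be checked without waiting an hour: a token is renewed once the clock enters the leeway window before `expires_in`, and a failed login (HTTP 401) raises rather than letting the scan continue unauthenticated, which would otherwise show up as false "access denied" findings for every role-restricted endpoint.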

5. Additional Notes

  • Attach any relevant API documentation or Postman collections.
  • If using third-party identity providers (e.g., Auth0, Okta), include the tenant/issuer URL, client ID, grant type and scopes required to obtain a token. Share the client secret and test-user passwords through the agreed secrets channel rather than in this document.