Security Testing Authenticated App Routes Part 3: Password Authentication with Bearer Token
Blog post from StackHawk
Modern web applications, particularly single-page applications, typically talk to the backend through APIs rather than traditional HTML forms. Authentication follows the same pattern: the client POSTs a JSON payload containing the user's credentials to a login route, and on success the server returns an authorization token (commonly sent back as a bearer token in the Authorization header) that the client attaches to every subsequent request to protected routes. StackHawk's HawkScan supports this flow directly: you name the username and password fields to send, tell the scanner where in the JSON login response the token lives, and specify how the token should be attached to further API calls.

The post walks through setting up HawkScan against this kind of API. It lists the prerequisites (working familiarity with Git, curl, and Docker) and the steps to install and run the hawkling-api sample application. It then covers configuring stackhawk.yml for authenticated scanning: defining logged-in and logged-out indicators so HawkScan can tell whether a session is still valid, configuring token extraction from the login response, and configuring token authorization so the extracted value is sent on subsequent requests. A scan that is not actually authenticated will only ever exercise the unauthenticated surface of the application, so these indicators are worth verifying before trusting the results.

The post closes by stressing the value of running security testing inside the development process so that vulnerabilities are found before they reach production, and offers guidance on moving HawkScan from a local environment into a build pipeline using tools such as Travis CI and Docker Compose.
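As an added illustration, not the stackhawk.yml from the original post, here is a configuration of the kind the walkthrough describes: a JSON username/password login, extraction of the token from the login response, and bearer-token authorization on later requests. The application ID, host, route paths, field names, credentials, and indicator patterns are assumed placeholders; the key names follow StackHawk's documented authentication schema as recalled here and should be checked against the current HawkScan docs before use.

```yaml
# Assumed example configuration (not from the original post).
# All IDs, hosts, paths, field names and credentials are placeholders.
app:
  applicationId: 00000000-0000-0000-0000-000000000000   # assumed placeholder
  env: Development
  host: http://localhost:3000                            # assumed placeholder

  authentication:
    # Java-style regexes matched against the raw HTTP response.
    # HawkScan uses these to decide whether a request was served
    # as an authenticated user or bounced back to the login flow.
    loggedInIndicator: "\\QHTTP/1.1 200 OK\\E"
    loggedOutIndicator: "\\QHTTP/1.1 401 Unauthorized\\E"

    # Step 1: log in by POSTing a JSON body to the login route.
    # The scanner sends {"username": "...", "password": "..."}.
    usernamePassword:
      type: JSON
      loginPath: /api/login          # assumed placeholder
      usernameField: username
      passwordField: password
      scanUsername: scanner@example.com   # assumed placeholder
      scanPassword: change-me             # assumed placeholder; inject via env in CI

    # Step 2: pull the token out of the JSON login response.
    # For a response like {"token": "eyJ..."} the path is just "token".
    tokenExtraction:
      type: TOKEN_PATH
      value: token

    # Step 3: send the extracted token on every subsequent request as
    # "Authorization: Bearer <token>".
    tokenAuthorization:
      type: HEADER
      value: Authorization
      tokenType: Bearer

    # Sanity check: a protected route that must answer 200 once authenticated.
    # If this fails, the scan is not actually authenticated.
    testPath:
      path: /api/protected           # assumed placeholder
      success: "\\QHTTP/1.1 200 OK\\E"
      requestMethod: GET
```

Pick the logged-out indicator to match what the application actually returns for an expired or missing token (a 401 for most JSON APIs, but some return 403 or a redirect); if the indicator never matches, HawkScan will keep scanning with a dead token and report a misleadingly clean result for the authenticated surface. In a pipeline, keep scanPassword out of the committed file and supply it from a CI secret.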