Run web, API, code, dependency, cloud, AI, and internal-network assessments from one queue with unified findings, evidence, remediation, and audit output.
Runtime DAST
Authenticated coverage
Session macros, role-aware crawling, OAuth, JWT, MFA, and business-logic coverage.
Findings, reports, dashboards, exports, integrations, and retests all read from the same normalized record.
Pencheff favors repeatable checks, then uses AI for triage, enrichment, orchestration, and remediation where it adds signal.
Coverage
What does Authenticated coverage test?
- Passive and active reconnaissance, technology fingerprinting, endpoint inventory, and crawl expansion.
- Authenticated crawling for SPAs, role-aware flows, cookies, headers, JWTs, OAuth/OIDC, and MFA-sensitive areas.
- Injection coverage for SQL, NoSQL, command, SSTI, XXE, SSRF, LDAP, deserialization, path traversal, and file upload abuse.
- Client-side and protocol checks for XSS, DOM XSS, CSRF, CORS, clickjacking, cache poisoning, redirects, headers, WebSockets, and GraphQL.
- Verification probes that promote high-confidence results into replayable findings with request and response context.
Execution
How does Pencheff run this?
- Create a URL or API target with scope, auth material, allowed hosts, and rate limits.
- Map the surface with recon, crawl, endpoint discovery, and optional OpenAPI or traffic-derived routes.
- Run profile-controlled checks from quick validation through deep exploit-chain analysis.
- Re-test candidate issues with focused probes before they become confirmed findings.
- Attach evidence, severity, remediation, and compliance mappings to the unified findings stream.
Evidence
What evidence does this produce?
- HTTP request and response excerpts, affected URL, parameter, method, status code, and payload family.
- OAST callbacks, browser screenshots, chain notes, and exact reproduction steps where applicable.
- Authentication context, role assumptions, session notes, and guardrails used during assessment.
- OWASP, CWE, PCI DSS, SOC 2, ISO 27001, NIST, and HIPAA mappings for audit readers.
Controls
How is this kept safe to run?
- Scope allow-lists, profile depth, time budgets, and evidence requirements bound active testing.
- State-changing and destructive behavior can be constrained by target policy and profile selection.
- Findings are deduplicated against existing scan history and can be re-examined on demand.
- Authenticated material is scoped to the target and treated as assessment-only input.
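The guardrails listed above (scope allow-lists, state-changing constraints, time budgets, pacing) are the part of an active scanner most worth getting right before any check is sent. The block below is an added illustration of that policy layer, written for this page; it is not Pencheff's code, and the `TargetPolicy` fields, host allow-list syntax and refusal log are assumptions about how such a policy could be expressed.

```python
"""Scope and policy guardrail for active checks.

Added example, not Pencheff's code. Assumed policy shape: an allow-list of
hosts (exact names, or ".example.com" for a domain and its subdomains), a flag
permitting state-changing methods, a request rate and a wall-clock time budget.
Every candidate request is evaluated before it is sent; refusals are recorded
so the evidence bundle can show what the assessment deliberately did not do.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import time

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class TargetPolicy:
    allowed_hosts: frozenset            # e.g. {"app.example.com", ".api.example.com"}
    allow_state_changing: bool = False  # destructive behaviour off unless the profile enables it
    requests_per_second: float = 5.0
    time_budget_s: float = 600.0


@dataclass
class Guardrail:
    policy: TargetPolicy
    started_at: float = field(default_factory=time.monotonic)
    _last_sent: float = field(default=0.0)
    refusals: list = field(default_factory=list)

    def host_in_scope(self, url: str) -> bool:
        # hostname drops port and userinfo, so "app.example.com:8443" still matches
        host = (urlsplit(url).hostname or "").lower()
        for entry in self.policy.allowed_hosts:
            if entry.startswith("."):
                if host == entry[1:] or host.endswith(entry):
                    return True
            elif host == entry:
                return True
        return False

    def check(self, method: str, url: str, now=None) -> tuple:
        """Return (allowed, reason). Checks are ordered cheapest-first; the
        first failing rule wins and is logged."""
        now = time.monotonic() if now is None else now
        if not self.host_in_scope(url):
            return self._refuse(method, url, "host not in allow-list")
        if method.upper() in STATE_CHANGING and not self.policy.allow_state_changing:
            return self._refuse(method, url, "state-changing method blocked by policy")
        if now - self.started_at > self.policy.time_budget_s:
            return self._refuse(method, url, "time budget exhausted")
        return True, "ok"

    def _refuse(self, method: str, url: str, reason: str) -> tuple:
        self.refusals.append({"method": method, "url": url, "reason": reason})
        return False, reason

    def wait_for_slot(self, now=None) -> float:
        """Fixed-interval pacing: seconds the caller should sleep before the
        next request so the configured rate is not exceeded."""
        now = time.monotonic() if now is None else now
        interval = 1.0 / self.policy.requests_per_second
        delay = max(0.0, self._last_sent + interval - now)
        self._last_sent = now + delay
        return delay


if __name__ == "__main__":
    policy = TargetPolicy(frozenset({"app.example.com", ".api.example.com"}))
    g = Guardrail(policy)
    for method, url in [("GET", "https://app.example.com/account"),
                        ("POST", "https://app.example.com/account"),
                        ("GET", "https://v1.api.example.com/users"),
                        ("GET", "https://other.example.net/")]:
        print(method, url, g.check(method, url))
    print("refusals:", g.refusals)
```

The `now` parameter exists so the time-budget and pacing logic can be exercised deterministically; in production the monotonic clock default is used. Logging refusals rather than silently dropping requests is what lets a report state which hosts and methods were out of bounds for the run.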
FAQ
Common questions
- Why does authenticated scanning matter for web application security?
- The most sensitive functionality in any web application — account management, payment flows, admin panels, API endpoints — sits behind authentication. Without authenticated scanning, a DAST tool only tests the public surface and misses the majority of real attack surface.
- How does Pencheff authenticate to a web application for testing?
- Pencheff records a login sequence (username/password form, OAuth redirect, or cookie injection) and replays it to maintain a valid session during the scan. It automatically handles session expiry and re-authenticates as needed.
- Can Pencheff test multi-factor authentication (MFA) flows?
- Yes. Pencheff supports TOTP-based MFA by integrating with your authenticator seed, and it can test the MFA bypass surface — checking for race conditions, backup code brute-force, and session fixation around the MFA step.
- Does Pencheff test for broken access control in authenticated sessions?
- Yes. Pencheff probes for IDOR (Insecure Direct Object Reference), horizontal and vertical privilege escalation, and path-traversal issues that are only observable when operating as an authenticated user with known object IDs.
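The FAQ answer on authentication describes the mechanism at the core of any authenticated scan: replay a recorded login sequence, carry the resulting session on every request, notice when the target has logged the scanner out, and re-authenticate. The block below is an added, self-contained model of that loop; it is not Pencheff's implementation. `LoginMacro`, `AuthenticatedClient` and the in-memory `FakeApp` (which expires sessions after a fixed number of requests) are constructed for this example in place of a real HTTP client and target.

```python
"""Session-macro replay with expiry detection and re-authentication.

Added example, not Pencheff's code. A recorded login (a list of steps, the
last of which sets the session cookie) is replayed to obtain a session. Every
scan request is sent with that session; a response that looks like a logout
(401, or a redirect to the login page) triggers one re-authentication and a
single retry, so an expired session cannot turn into an endless retry loop.
FakeApp is a constructed stand-in for the target application.
"""
from dataclasses import dataclass, field
import itertools


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


@dataclass
class LoginMacro:
    steps: list                   # [(method, path, form), ...]
    cookie_name: str = "session"  # cookie the final step is expected to set


class FakeApp:
    """Constructed target: a session is valid for `ttl` authenticated requests."""
    def __init__(self, ttl: int):
        self.ttl = ttl
        self.sessions = {}
        self._ids = itertools.count(1)

    def handle(self, method, path, cookies, form) -> Response:
        if path == "/login" and method == "POST":
            if form.get("user") == "alice" and form.get("pass") == "correct horse":
                sid = f"s{next(self._ids)}"
                self.sessions[sid] = 0
                return Response(302, {"Set-Cookie": f"session={sid}", "Location": "/"})
            return Response(401)
        if path == "/login":
            return Response(200, body="<form>")
        sid = cookies.get("session")
        if sid not in self.sessions:
            return Response(302, {"Location": "/login"})
        self.sessions[sid] += 1
        if self.sessions[sid] > self.ttl:        # session aged out: log the caller out
            del self.sessions[sid]
            return Response(302, {"Location": "/login"})
        return Response(200, body=f"ok {path}")


class AuthenticatedClient:
    def __init__(self, app: FakeApp, macro: LoginMacro):
        self.app, self.macro = app, macro
        self.cookies = {}
        self.reauth_count = 0

    def _send(self, method, path, form=None) -> Response:
        resp = self.app.handle(method, path, self.cookies, form or {})
        if "Set-Cookie" in resp.headers:          # adopt any cookie the target sets
            name, _, value = resp.headers["Set-Cookie"].partition("=")
            self.cookies[name] = value
        return resp

    def login(self) -> bool:
        """Replay the recorded macro from a clean cookie jar."""
        self.cookies.clear()
        for method, path, form in self.macro.steps:
            self._send(method, path, form)
        return self.macro.cookie_name in self.cookies

    @staticmethod
    def looks_logged_out(resp: Response) -> bool:
        if resp.status == 401:
            return True
        return resp.status in (301, 302, 303) and resp.headers.get("Location", "").startswith("/login")

    def request(self, method, path, form=None) -> Response:
        if self.macro.cookie_name not in self.cookies and not self.login():
            raise RuntimeError("login macro did not yield a session cookie")
        resp = self._send(method, path, form)
        if self.looks_logged_out(resp):
            self.reauth_count += 1
            if not self.login():
                raise RuntimeError("re-authentication failed")
            resp = self._send(method, path, form)  # exactly one retry
        return resp


def crawl_demo(ttl: int = 3, paths=("/a", "/b", "/c", "/d", "/e")) -> tuple:
    """Crawl `paths` against a target whose sessions expire every `ttl` requests;
    returns the status codes seen and how many re-authentications were needed."""
    app = FakeApp(ttl)
    macro = LoginMacro([("GET", "/login", {}),
                        ("POST", "/login", {"user": "alice", "pass": "correct horse"})])
    client = AuthenticatedClient(app, macro)
    statuses = [client.request("GET", p).status for p in paths]
    return statuses, client.reauth_count


if __name__ == "__main__":
    print(crawl_demo())   # five 200s, one re-authentication
```

The logout heuristic is deliberately narrow (401, or a redirect to the login path); a real scanner would let the operator extend it with a body marker or a dedicated session-check URL, since a target that answers expired sessions with a 200 error page would otherwise be crawled unauthenticated without anyone noticing.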