I have a few web applications that use Azure authentication. Can someone guide me on how I should scan such an application?
I have the exact same question. We have 3 Azure web apps that we are trying to scan as an authenticated user. We have set the auth credentials in the scan, but they don't appear to be used at all and the scan only hits the entry URL and nothing else. Any thoughts?
This sounds like a scenario where using a Selenium script for authentication would work. Selenium IDE is a Firefox extension (at https://addons.mozilla.org/en-US/firefox/addon/selenium-ide/) and Qualys Browser Recorder is a Chrome extension; both can be used to record the script (see Qualys Browser Recorder v1.1.6 Now Available).
Let me say good luck. I have done this before and it is not straightforward. Some of what happens is that you log in to the application from your browser and it is seamless; behind the browser you were redirected to another server that you actually did authenticate to, and it also would probably have authorized you for the application. Then it would have returned you to the first URL, maybe with a token of some kind. So yes, you will want to use the Selenium scripting as Dave Ferguson indicated.
However, you will need to test thoroughly, as Selenium IDE will only record the primary web site you visit and will not record any secondary ones. So my suggestion would be to do the Selenium and test the script on a Linux VM, and also run Fiddler or Wireshark to get a PCAP of the interaction. This way you may be able to see any other URLs that are in use. You will probably need to manually edit the script generated by Selenium, and you may need to pass in NTLM credentials as well. You can do it, but you will need to be a little persistent about it. If you have trouble, let me know here and I can try to see if I can spot anything.
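An added example to go with the advice above about capturing the login with Fiddler or Wireshark; it is not code from this thread or from Qualys. Browser developer tools and Fiddler can both export a capture as a HAR file, and the script below walks such a capture to list every host the redirect chain touches (the ones Selenium IDE will not have recorded, and the ones the scanner must be allowed to reach) and to find the request that carries the token back to the application and sets its session cookie. The HAR embedded here is constructed by hand, and the host names (app.example.com, login.microsoftonline.com), paths and cookie name are assumptions standing in for a real capture.

```python
"""Inspect a HAR capture of a federated (Azure AD style) login.

Added example for this thread, not code from the thread or from Qualys.
The capture below is constructed by hand; the host names
(app.example.com, login.microsoftonline.com), the paths and the cookie
name are assumptions standing in for a real HAR exported from the
browser's developer tools or from Fiddler.
"""
import json
from urllib.parse import parse_qs, urlsplit


def _entry(method, url, status, redirect="", post=None, set_cookie=None):
    """Build one HAR entry carrying only the fields this script reads."""
    e = {"request": {"method": method, "url": url},
         "response": {"status": status, "redirectURL": redirect, "headers": []}}
    if post is not None:
        e["request"]["postData"] = {"mimeType": "application/x-www-form-urlencoded", "text": post}
    if set_cookie:
        e["response"]["headers"].append({"name": "Set-Cookie", "value": set_cookie})
    return e


IDP = "https://login.microsoftonline.com/common/oauth2"   # assumed identity provider
APP = "https://app.example.com"                            # assumed application
# Constructed capture: app redirects to the IdP, user authenticates there,
# IdP posts a token back to the app, app sets its own session cookie.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    _entry("GET", APP + "/", 302, redirect=IDP + "/authorize?client_id=abc&response_type=id_token"),
    _entry("GET", IDP + "/authorize?client_id=abc&response_type=id_token", 200),
    _entry("POST", IDP + "/login", 302, redirect=IDP + "/kmsi",
           post="login=user%40example.com&passwd=REDACTED"),
    _entry("GET", IDP + "/kmsi", 200),
    _entry("POST", APP + "/signin-oidc", 302, redirect=APP + "/",
           post="id_token=eyJhbGciOiJSUzI1NiJ9.REDACTED&state=xyz",
           set_cookie=".AspNetCore.Cookies=REDACTED; path=/; secure; httponly"),
    _entry("GET", APP + "/", 200),
]}})


def load_entries(har_text):
    return json.loads(har_text)["log"]["entries"]


def login_chain(entries):
    """(method, host, path, status, redirect-target host) for each request, in order."""
    chain = []
    for e in entries:
        req, resp = e["request"], e["response"]
        u = urlsplit(req["url"])
        nxt = urlsplit(resp.get("redirectURL") or "").hostname or ""
        chain.append((req["method"], u.hostname, u.path, resp["status"], nxt))
    return chain


def extra_hosts(entries):
    """Hosts other than the entry URL's host. Selenium IDE records only the
    primary site, so these are the ones to check the script and the
    scanner's allowed-host list against."""
    first = urlsplit(entries[0]["request"]["url"]).hostname
    return sorted({urlsplit(e["request"]["url"]).hostname for e in entries} - {first})


def token_return(entries):
    """Find the request that brings the token back to the application: a
    request to the entry host carrying id_token or code in its body, query
    or fragment. Also report which cookies that response set, since that is
    the step that establishes the authenticated session the scan needs."""
    app_host = urlsplit(entries[0]["request"]["url"]).hostname
    for e in entries:
        req, resp = e["request"], e["response"]
        u = urlsplit(req["url"])
        if u.hostname != app_host:
            continue
        params = parse_qs(req.get("postData", {}).get("text", ""))
        params.update(parse_qs(u.query))
        params.update(parse_qs(u.fragment))
        for name in ("id_token", "code"):
            if name in params:
                cookies = [h["value"].split("=")[0] for h in resp.get("headers", [])
                           if h["name"].lower() == "set-cookie"]
                return {"url": u.scheme + "://" + u.hostname + u.path,
                        "param": name, "session_cookies": cookies}
    return None


if __name__ == "__main__":
    entries = load_entries(SAMPLE_HAR)
    for step in login_chain(entries):
        print("%-4s %s%s -> %d %s" % step)
    print("other hosts:", extra_hosts(entries))
    print("token return:", token_return(entries))
```

Replace SAMPLE_HAR with the text of a real export and compare the hosts it prints against the recorded Selenium script: any host that appears in the chain but not in the script is a step the recorder did not see, and the request reported by token_return is the one the scan has to get past before the application's session cookie exists.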