Authentication & sessions
Pencheff supports authenticated scanning for real-world targets where most of the attack surface lives behind login.
Credential types
CredentialSet accepts any combination of:

- `username` + `password`
- `api_key` — sent as `X-API-Key` header
- `token` — sent as `Authorization: Bearer …`
- `cookie` — raw cookie string
- `custom_headers` — arbitrary header name/value pairs
All values are MaskedSecret-wrapped so they never leak via repr / logs.
In the SaaS, they’re Fernet-encrypted at rest.
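The following is an added example, not Pencheff's own code: a minimal `MaskedSecret` wrapper and a `CredentialSet` that turns the credential types above into the headers a scanner would inject. The class names mirror the ones in this page, but the method names (`reveal`, `as_headers`, `leaks_secret`) and all sample values are assumptions constructed for the demo. The point it shows is the one the text makes: once values are wrapped, a stray `repr()` of the whole set, or a log line that interpolates it, no longer contains the plaintext.

```python
"""Added example (not Pencheff's code): secret-masking credential set."""
from dataclasses import dataclass, field
from typing import Optional


class MaskedSecret:
    """Holds a secret but never shows it via repr/str/format, so log lines and
    tracebacks that interpolate the object cannot leak it."""

    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        # The only deliberate way to obtain the plaintext.
        return self._value

    def __repr__(self) -> str:
        return "MaskedSecret('***')"

    __str__ = __repr__

    def __eq__(self, other: object) -> bool:
        return isinstance(other, MaskedSecret) and other._value == self._value


@dataclass
class CredentialSet:
    """Any combination of the credential types listed above. String values are
    wrapped on construction so the dataclass repr is safe by default."""
    name: str
    username: Optional[str] = None
    password: Optional[MaskedSecret] = None
    api_key: Optional[MaskedSecret] = None
    token: Optional[MaskedSecret] = None
    cookie: Optional[MaskedSecret] = None
    custom_headers: dict = field(default_factory=dict)

    def __post_init__(self) -> None:
        for name in ("password", "api_key", "token", "cookie"):
            value = getattr(self, name)
            if isinstance(value, str):
                setattr(self, name, MaskedSecret(value))
        self.custom_headers = {
            k: (v if isinstance(v, MaskedSecret) else MaskedSecret(v))
            for k, v in self.custom_headers.items()
        }

    def as_headers(self) -> dict:
        """Translate the set into HTTP headers (assumed mapping, matching the
        credential-type list on this page)."""
        headers = {}
        if self.api_key:
            headers["X-API-Key"] = self.api_key.reveal()
        if self.token:
            headers["Authorization"] = "Bearer " + self.token.reveal()
        if self.cookie:
            headers["Cookie"] = self.cookie.reveal()
        for k, v in self.custom_headers.items():
            headers[k] = v.reveal()
        return headers


def leaks_secret(creds: CredentialSet, secret: str) -> bool:
    """Does formatting the set the way a careless log statement would expose the plaintext?"""
    line = "loaded credentials %r" % (creds,)
    return secret in line


if __name__ == "__main__":
    # Constructed sample values.
    admin = CredentialSet(name="admin", username="admin@example.com",
                          password="AdminPass1!", api_key="k-123",
                          custom_headers={"X-Tenant": "t1"})
    print(admin)                # password/api_key/custom header all masked
    print(admin.as_headers())   # plaintext only where it is deliberately revealed
```

`as_headers()` is the single place plaintext is produced, which is where a request-building layer would call it; everything else (dataclass repr, `%r` formatting, exception messages that embed the object) stays masked. Encryption at rest, which the text attributes to the SaaS, is a separate concern and not shown here.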
Multiple roles
Load multiple credential sets to test authorization boundaries:
```python
pentest_configure(session_id=sid, updates={
    "credentials": {
        "name": "admin",
        "username": "[email protected]",
        "password": "AdminPass1!"
    }
})

pentest_configure(session_id=sid, updates={
    "credentials": {
        "name": "user",
        "username": "[email protected]",
        "password": "UserPass1!"
    }
})
```

scan_authz uses them to detect horizontal (user → other user’s data) and vertical (user → admin) escalations.
Login macros (interactive recording)
For complex flows (SPA login, multi-step OTP), record a macro interactively:
```python
record_login_macro(session_id=sid, url='https://app.example.com/login')
```

A headed Chromium opens — you log in manually, the macro records the network traffic and persists cookies + localStorage tokens. On subsequent scans the macro replays automatically.
Authenticated crawl
```python
authenticated_crawl(session_id=sid, credentials_ref='admin')
```

Crawls all endpoints with credentials injected, discovering post-login-only routes.
OAuth / OIDC
scan_oauth covers:

- `redirect_uri` bypass (13+ techniques: subdomain, encoding, fragment, protocol-relative, backslash, null-byte, loose path matching)
- `state` parameter validation
- Token leakage via Referer
- Scope escalation
- PKCE bypass
JWT attacks
scan_auth covers:

- `alg: "none"` bypass
- RS256 → HS256 key confusion
- Claim tampering (`user`, `role`, `exp`)
- Signature verification bypass
- Expiration bypass
Session / MFA
- `scan_auth` — session timeout, fixation, hijacking, concurrent session testing
- `scan_mfa_bypass` — direct endpoint access skipping 2FA, OTP brute force, backup code abuse, race conditions on code validation