CodeWallDocs
How-to Guides

Define Authentication

How to provide credentials so CodeWall can test authenticated areas of your application.

Many vulnerabilities exist behind login walls. When creating an Authenticated (Gray Box) test, you provide credentials so CodeWall can access protected areas.

Supported credential types

Bearer token

Use for APIs that authenticate via a static token or JWT.

  1. In step 3 (Authentication) of the new pentest wizard, select Bearer Token
  2. Enter the token value
  3. CodeWall sends it as Authorization: Bearer <token> with every request

Basic auth

Use for applications or APIs that use username/password authentication.

  1. Select Basic Auth
  2. Enter the username and password
  3. CodeWall encodes and sends it as a standard Authorization: Basic header

Custom headers

Use for non-standard authentication mechanisms (API keys, tenant IDs, etc.).

  1. Select Custom Headers
  2. Add one or more key-value pairs (e.g., X-API-Key: your-key)
  3. CodeWall includes all custom headers with every request

Multiple credentials

You can add multiple credentials to a single test. This is useful for:

  • Testing multiple accounts at different privilege levels
  • Providing both authentication and tenant identification headers
  • Combining API keys with other custom headers

Testing for privilege escalation

To test whether a lower-privilege account can access higher-privilege resources:

  1. Add a low-privilege credential (regular user token)
  2. Add a high-privilege credential (admin token)
  3. CodeWall will test whether resources accessible with admin credentials can also be reached with the regular user token
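The following is an added example, not CodeWall's own code, showing in Python how the three credential types above are rendered into request headers (including the Base64 encoding behind Basic auth), how several credentials are merged into one header set for the "multiple credentials" case, and how the admin-versus-regular-user comparison in the privilege escalation steps is carried out. The application, tokens, tenant header name and resource paths are all constructed for the example; the stand-in app deliberately omits the role check on one admin endpoint so that the comparison produces a finding.

```python
import base64
from typing import Callable, Dict, Iterable, List

# ---- Rendering each credential type into request headers ----

def bearer_headers(token: str) -> Dict[str, str]:
    """Bearer token credential: Authorization: Bearer <token>."""
    return {"Authorization": f"Bearer {token}"}

def basic_headers(username: str, password: str) -> Dict[str, str]:
    """Basic auth credential: Base64 of "username:password" (RFC 7617)."""
    raw = f"{username}:{password}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}

def custom_headers(pairs: Dict[str, str]) -> Dict[str, str]:
    """Custom headers credential: arbitrary key-value pairs sent verbatim."""
    return dict(pairs)

def merge_credentials(*parts: Dict[str, str]) -> Dict[str, str]:
    """Combine several credentials into one header set for a request.
    Two credentials setting the same header to different values would
    silently override each other, so that case is reported instead."""
    merged: Dict[str, str] = {}
    for part in parts:
        for name, value in part.items():
            if name in merged and merged[name] != value:
                raise ValueError(f"conflicting values for header {name}")
            merged[name] = value
    return merged

# ---- Constructed stand-in application (assumption: not a real service) ----

TOKENS = {"user-token-123": "user", "admin-token-456": "admin"}   # constructed
RESOURCES = {                                                      # path -> role required
    "/api/profile": "user",
    "/api/admin/users": "admin",
    "/api/admin/export": "admin",
}

def demo_app(path: str, headers: Dict[str, str]) -> int:
    """Return an HTTP-like status code for a request against the stand-in app."""
    if "X-Tenant-ID" not in headers:          # tenant header is mandatory here
        return 400
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):        # this app only accepts bearer tokens
        return 401
    role = TOKENS.get(auth[len("Bearer "):])
    if role is None:
        return 401
    required = RESOURCES.get(path)
    if required is None:
        return 404
    if path == "/api/admin/export":
        return 200                            # constructed defect: role check omitted
    if required == "admin" and role != "admin":
        return 403
    return 200

# ---- Privilege escalation comparison ----

def find_privilege_escalation(app: Callable[[str, Dict[str, str]], int],
                              admin_only_paths: Iterable[str],
                              high_headers: Dict[str, str],
                              low_headers: Dict[str, str]) -> List[str]:
    """Report admin-only resources that the high-privilege credential can reach
    and the low-privilege credential can reach as well."""
    findings = []
    for path in admin_only_paths:
        if app(path, high_headers) != 200:
            continue                          # not reachable even as admin; nothing to compare
        if app(path, low_headers) == 200:
            findings.append(path)
    return sorted(findings)

def run_demo() -> List[str]:
    tenant = custom_headers({"X-Tenant-ID": "acme"})          # constructed tenant header
    low = merge_credentials(bearer_headers("user-token-123"), tenant)
    high = merge_credentials(bearer_headers("admin-token-456"), tenant)
    admin_only = [p for p, role in RESOURCES.items() if role == "admin"]
    return find_privilege_escalation(demo_app, admin_only, high, low)

if __name__ == "__main__":
    for path in run_demo():
        print(f"privilege escalation: {path} reachable with the low-privilege credential")
```

Running it reports `/api/admin/export`, the endpoint whose role check is missing, while `/api/admin/users` is correctly refused with 403 for the regular user. The comparison only counts resources that the admin credential can actually reach, so a misconfigured or absent endpoint is not mistaken for an access-control finding.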

Credential security

  • Credentials are encrypted at rest and in transit
  • They are used only during the active test
  • Access to credentials is restricted to organization admins