
First time setup for web application

info

The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.

info

This feature is only available to organizations that have signed up for the Web Application Scanning feature.

This page explains how to register the target web application and how to configure the authentication settings that Shisho Cloud uses for diagnostics and crawling.

Initial Setup Flow

Before diagnosing a web application, you need to perform some initial setup and preparatory work. Although the details differ slightly depending on whether your application’s architecture is MPA (Multi-Page Application) or SPA (Single-Page Application), the overall setup flow is roughly as follows:

  • Register the application
  • Configure authentication settings
  • Configure crawling settings

Register the Application

Highlight 1 on the “Application” menu at the top, and Highlight 2 on “Register Application” within that page

To register or add a new application to be diagnosed, select “(1) Application” from the top menu. Then, click “(2) Register Application” to register the application.

Highlight on registering a scope within Shisho Cloud
When registering an application, three items are required: the application name, whether authentication is needed, and the scope.

1. Application Name
   Details: Set the application name to be displayed in Shisho Cloud.
   Example: [Staging]Flatt Example Application

2. Authentication
   Details: Select whether the target application requires Basic Authentication or user login-based authentication.
   Example: Yes

3. Scope
   Details: Define the scope of the application you want to diagnose (see Details).
   Example: https://stg-flatt.example

Configure Authentication Settings (Other Than User Login)

Once you register an application, the initial setup tutorial will begin.

Highlight on selecting authentication settings within Shisho Cloud
First, (1) select the authentication method for your target application.

Next, if a fixed key is required in the request header (e.g., Basic Authentication or a custom API key authentication), set it here (2). If user login is required, you’ll configure it in subsequent screens.

When you finish setting up Basic Authentication or a fixed header value, click (3) Next.

Configure Authentication Settings (User Login)

Below is an explanation of how to configure authentication if your target application requires a user login with an email address, password, etc.

Overview of User Login Authentication Settings

Illustration showing a GET request to the login page, then using the response data in a subsequent POST request

To allow Shisho Cloud to use authentication information obtained during login when performing crawling and diagnostics, configure settings according to the following flow:

  1. Choose where to set the authentication information.
  2. Retrieve the authentication information from the login process.
  3. Register the authentication information obtained from the login process in Shisho Cloud.
  4. Test connectivity with a screen that becomes accessible after login.

1. Choose Where to Set the Authentication Information

Highlight on choosing where to set authentication information within Shisho Cloud

First, choose whether you’re storing the authentication information in a Cookie or setting it in the request header. The procedures to use session tokens or authentication tokens obtained through the login process are explained in the following sections.

2. Retrieve Authentication Information from the Login Process

Set up in Shisho Cloud the request(s) that obtain authentication information generated during user login.

The required settings differ depending on whether the target application’s login process sends the user’s ID and password to the application itself via a login form (“Sending a Request to the Application”) or to an external identity service such as Auth0 or Firebase (“Sending a Request to an External Service (Auth0, etc.)”).
Each authentication method is described below.

2-1. Sending a Request to the Application

Highlight on the request form for the application within Shisho Cloud

In “(1) Authentication Method,” select “Send Request to the Application.”
Next, in “(2) Request Destination,” enter the URL where the initial login request is sent.

By clicking “(3) Test,” you can check the HTTP request and response to and from the specified endpoint. Use this to verify your input details.

Some login processes may require multiple steps (e.g., when using csrf_token, you might need to GET the login page first, then use part of the response in a POST request). If multiple steps are required, click “(4) Add” to add additional steps.

info

If you are unsure about the login process flow, we recommend using your browser’s developer tools to check the network activity when logging in.

Highlight on selecting request parameters within Shisho Cloud

If the login process sets something like csrf_token in the request header, or if user IDs and passwords are set in the request body, you can select “(5) Request Parameters” to display a form for configuring the authentication request details.

About Variables

Highlight on the variable feature within Shisho Cloud

In Shisho Cloud, you can register variables if you want to extract values from the response of the immediately preceding step for use in the next request.
(Example: If you’re using csrf_token, you can extract it from the response of a GET request to the login page.)

If you want to use variables, select “(6) Insert Variable,” and then click “Add a new variable” to create one.

Variable registration dialog within Shisho Cloud

You can configure the following items for a variable:

7. Variable Name
   Specify the variable name used within Shisho Cloud.

8. Value Source
   Choose which step’s response to extract the value from.

9. Extraction Method
   Choose whether to extract the value via a regular expression or to extract all set cookies.

10. Value Extraction Area (regular expression only)
   Choose whether to extract the value from the Header or the Body of the response.

11. Regular Expression
   Specify the regular expression; a capturing group (parentheses) marks the part to extract.
   Example: name="authenticity_token" value="([^"]+)"

12. Group Number
   Specify which capture group of the regular expression to extract (1 is the first parenthesized group).
   Example: 1

Variable registration dialog in Shisho Cloud, showing “Cookie” selected as extraction method

If you want to extract all cookies set by the step (for example, a session cookie), select the Cookie extraction method; no regular expression is needed.
Values that are not carried in cookies, such as a token for Bearer authentication returned in the response body or a header, are extracted with the regular expression method instead.

Verifying Configured Values

Highlight on “Test” at the bottom of the “Step 2” card within Shisho Cloud

Once you finish configuring the login process, click “(13) Test” to verify whether Shisho Cloud can log in successfully.
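The multi-step login from 2-1 and the variable dialog above, modelled in Python as an added example. This is not Shisho Cloud’s code and does not show how the product is implemented; the two step responses, the variable definitions, the scan account and the stg-flatt.example URLs are constructed for the example, and the {{.Name}} placeholder syntax is the one shown in the FAQ at the end of this page. The block extracts a CSRF token from the body of step 1 with a regular expression and capture group, takes every cookie set by step 2, pulls one value out of a response header, and then renders combined header values such as Bearer {{.token}}; a variable aimed at the wrong area fails loudly, which is the failure mode the FAQ describes.

```python
import re
from urllib.parse import urlencode

# Added example, not Shisho Cloud's own code: a small model of the multi-step
# login flow and the variable feature. Step responses are constructed inline
# (no network); STEP_RESPONSES, VARIABLES, field names and URLs are assumptions.

# One constructed response per login step. Headers are (name, value) pairs so
# that repeated Set-Cookie headers survive, as they do on the wire.
STEP_RESPONSES = {
    1: {  # GET /login: HTML form carrying a CSRF token
        "headers": [("Content-Type", "text/html; charset=utf-8"),
                    ("Set-Cookie", "_session=pre-login-111; Path=/; HttpOnly")],
        "body": '<form action="/login" method="post">\n'
                '<input type="hidden" name="authenticity_token" value="tok123XYZ==">\n'
                '</form>',
    },
    2: {  # POST /login: session cookie rotated, bearer token returned in JSON
        "headers": [("Content-Type", "application/json"),
                    ("Set-Cookie", "_session=logged-in-222; Path=/; HttpOnly; Secure"),
                    ("Set-Cookie", "csrftoken=c0ffee; Path=/")],
        "body": '{"access_token":"eyJhbGciOiJIUzI1NiJ9.e30.sig","expires_in":3600}',
    },
}

# Variable definitions mirroring dialog fields 7-12 (name, value source step,
# extraction method, area, regular expression, capture group number).
VARIABLES = [
    {"name": "csrf", "source": 1, "method": "regex", "area": "body",
     "pattern": r'name="authenticity_token" value="([^"]+)"', "group": 1},
    {"name": "session", "source": 2, "method": "cookies"},
    {"name": "token", "source": 2, "method": "regex", "area": "body",
     "pattern": r'"access_token":"([^"]+)"', "group": 1},
    {"name": "csrf_cookie", "source": 2, "method": "regex", "area": "header",
     "pattern": r"Set-Cookie: csrftoken=([^;]+)", "group": 1},
]

PLACEHOLDER = re.compile(r"\{\{\.(\w+)\}\}")  # the {{.Name}} syntax from the FAQ


def headers_as_text(headers):
    """Render headers as 'Name: value' lines; this is what the Header area searches."""
    return "\r\n".join(f"{name}: {value}" for name, value in headers)


def extract_variable(definition, responses):
    """Apply one variable definition to the response of its source step."""
    resp = responses[definition["source"]]
    if definition["method"] == "cookies":
        # 'Extract all set cookies': keep name=value of every Set-Cookie and join
        # them as a Cookie header value. Attributes (Path, HttpOnly, ...) are dropped.
        pairs = [value.split(";", 1)[0].strip()
                 for name, value in resp["headers"] if name.lower() == "set-cookie"]
        return "; ".join(pairs)
    haystack = resp["body"] if definition["area"] == "body" else headers_as_text(resp["headers"])
    match = re.search(definition["pattern"], haystack)
    if match is None:
        # Wrong pattern, or the right pattern aimed at the wrong area (Header
        # instead of Body): fail loudly rather than send an empty value.
        raise ValueError(f"variable {definition['name']!r}: no match in "
                         f"{definition['area']} of step {definition['source']} response")
    return match.group(definition["group"])


def resolve_variables(definitions, responses):
    """Evaluate every definition (in the real flow step N's response exists only after step N is sent)."""
    return {d["name"]: extract_variable(d, responses) for d in definitions}


def render(template, variables):
    """Expand {{.Name}} placeholders; surrounding fixed text such as 'Bearer ' is kept."""
    def substitute(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"undefined variable {name!r}")
        return variables[name]
    return PLACEHOLDER.sub(substitute, template)


def build_login_post(variables):
    """Step 2 body: the CSRF token from step 1 combined with fixed credentials."""
    form = {
        "authenticity_token": render("{{.csrf}}", variables),
        "user[email]": "scanner@stg-flatt.example",  # assumed scan account
        "user[password]": "FIXED_VALUE",              # placeholder, not a real secret
    }
    return urlencode(form)


def build_authenticated_request(variables):
    """Step 3: place the extracted values in a Cookie header and custom headers."""
    return {
        "method": "GET",
        "url": "https://stg-flatt.example/account",  # any endpoint behind the login
        "headers": {
            "Cookie": render("{{.session}}", variables),
            "Authorization": render("Bearer {{.token}}", variables),
            "X-CSRF-Token": render("{{.csrf_cookie}}", variables),
        },
    }
```

Calling resolve_variables(VARIABLES, STEP_RESPONSES) plays the role of the Test button: the returned dict shows the value of each variable, and a ValueError names the variable and the area it searched, which is the first thing to check when a variable comes back empty.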

2-2. Sending a Request to an External Service (Auth0, etc.)

Within the “Step” card, highlight on the external service selection in Shisho Cloud

Currently, Shisho Cloud supports authentication with external services such as Auth0, Firebase, and Cognito. Configure the user login credentials for the target application, as well as any related settings for the external service.

3. Registering Authentication Information from the Login Process in Shisho Cloud

In this step, the authentication information obtained in “2. Retrieve Authentication Information from the Login Process” is placed where you chose in “1. Choose Where to Set the Authentication Information”: either in a Cookie or in a custom request header.

In the login process information screen, highlight (1) Insert Variable, (2) Update Interval, and (3) Endpoints accessible after login
Click “(1) Insert Variable,” then follow the steps described in “About Variables” to insert a value extracted from the login process.

Configuring the Authentication Information Update Interval

Next, set the (2) update interval for the session or authentication token according to when it expires, so that Shisho Cloud always holds valid authentication information. If you are unsure of the expiry, check the Max-Age or Expires attribute of the Set-Cookie header, or the exp claim of a JWT, and set the interval shorter than the shortest of these; an interval longer than the lifetime means part of each scan runs unauthenticated.
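How to find the expiry that the update interval should stay under, as an added Python example (not Shisho Cloud’s code; the product only takes the interval you enter). The JWT, the Set-Cookie lines and the fixed clock are constructed for the example, and the token is unsigned because only its exp claim is read. The helper reads Max-Age or Expires from each cookie and exp from the token, and suggests an interval below the shortest known lifetime with a safety margin.

```python
import base64
import json
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Added example, not Shisho Cloud's own code. Token, cookies and NOW are constructed.


def make_unsigned_jwt(claims):
    """Constructed test token: header + payload, empty signature (only exp is read)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


def jwt_lifetime_seconds(token, now):
    """Seconds until the token's exp claim. No signature check: we only read the claim."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return int(claims["exp"]) - int(now.timestamp())


def cookie_lifetime_seconds(set_cookie, now):
    """Lifetime from Max-Age (takes precedence) or Expires; None for a session cookie."""
    m = re.search(r"(?i)\bmax-age=(\d+)", set_cookie)
    if m:
        return int(m.group(1))
    m = re.search(r"(?i)\bexpires=([^;]+)", set_cookie)
    if m:
        return int((parsedate_to_datetime(m.group(1).strip()) - now).total_seconds())
    return None  # session cookie: server-side expiry is not visible to the client


def suggested_update_interval(lifetimes, margin=0.8):
    """Shortest known lifetime with a safety margin; None if nothing exposes an expiry."""
    known = [s for s in lifetimes if s is not None]
    return int(min(known) * margin) if known else None


# Constructed inputs: a fixed clock, a token valid for one hour, three cookies.
NOW = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
ACCESS_TOKEN = make_unsigned_jwt({"sub": "scanner",
                                  "exp": int((NOW + timedelta(hours=1)).timestamp())})
SET_COOKIES = [
    "_session=logged-in-222; Path=/; HttpOnly; Secure; Max-Age=1800",
    "remember=abc; Path=/; Expires=Mon, 01 Jan 2024 12:00:00 GMT",
    "csrftoken=c0ffee; Path=/",  # session cookie: no expiry attribute
]


def observed_lifetimes():
    """Lifetimes in seconds, token first, then each cookie in SET_COOKIES order."""
    return [jwt_lifetime_seconds(ACCESS_TOKEN, NOW)] + \
           [cookie_lifetime_seconds(c, NOW) for c in SET_COOKIES]
```

With these inputs the session cookie (Max-Age=1800) is the tightest bound, so the suggested interval is 1440 seconds; when no cookie or token exposes an expiry, observe when the test endpoint starts failing and set the interval below that.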

4. Test Connectivity with a Screen Accessible After Login

Once all settings are complete, test (3) whether an endpoint that requires login can be accessed successfully.

info

The endpoint you set here is only used to confirm that authentication succeeded, so any endpoint that requires login will do. Choose one that responds differently when not logged in (for example, redirects to the login page or returns 401/403); an endpoint that serves the same content to anonymous users cannot show whether authentication worked.

If the access test succeeds for an endpoint behind the login, your authentication settings are complete.

Configure Crawling Settings

For MPA (Multi-Page Application)

Shisho Cloud provides an automatic crawling feature to discover endpoints of the target application. After entering the top page of your application, Shisho Cloud follows the links and forms found on the page to crawl the application automatically and discover its endpoints.

For more details, see MPA: Automatic Crawling.

For SPA (Single-Page Application)

If you are using a Single-Page Application built with React or Vue, or an AJAX-based application, Shisho Cloud can discover endpoints by importing from OpenAPI Specifications, GraphQL Schemas, or Connect RPC.

See the following for more details:

Once you finish configuring crawling settings, your web application setup is complete.

Frequently Asked Questions

I’m Having Trouble Extracting Variables

It’s possible your regular expression syntax is incorrect. When you run a test, you can see the values of variables extracted at each step. Also, if you’re supposed to extract from the Body but you set the extraction target to the Header, extraction will fail. Double-check where you’re extracting from.

Combining Variables and Fixed Values in Request Parameters

You can combine a fixed value with a variable, for example Bearer {{.VariableName}}.
If you only need to send a fixed value, specify it as plain text, for example FixedValue.

Click “(1) Insert Variable,” then follow the procedure outlined in “About Variables” to create a variable.
Define the variable using “Extract all set Cookies” as the extraction method, then specify it in your request.