What is a Screened (Authenticated) Web Application?
Many applications gate part of their functionality behind authentication rather than exposing all of it on the public internet. A common example is the ordering and payment section of an online store, where an account must be created and authentication (typically a password) is required to access that specific account.
Can AppCheck Authenticate to a web application and perform authenticated scanning?
Yes. A login (a unique username and password) must be provisioned for AppCheck to use. This is then added to the scan configuration, and the scanner will log in to the website before scanning.
When configuring a web application scan, authentication can be provided either as a basic username and password or, preferably, via a GoScript - see A Guide to GoScript for details.
What are the benefits of authenticated web application scanning?
With authenticated scanning configured, AppCheck scan hubs can crawl a much larger footprint of the application (the portion of the website that is only reachable once logged in) and build up a broader map of it. This means the scan can, for instance, discover critical vulnerabilities in the "My Account" section of a website that would otherwise not be reachable and so would go untested.
Credentialed Infrastructure Scanning
AppCheck can also perform "credentialed infrastructure scanning", which is similar in that credentials are provided for infrastructure-layer scanning. For Linux/Unix hosts these take the form of SSH details; for Windows hosts, a WMI username and password.
Limitations of web application scanning
Authenticated web application scanning cannot work with systems that use 2FA/MFA, unless the second factor can be bypassed or disabled for the account used by the scanner.
For more details see https://appcheck.zendesk.com/hc/en-us/articles/360015780797-Can-AppCheck-perform-authenticated-scanning-on-a-web-application-that-uses-Mutli-Factor-Authentication-MFA-or-Two-Factor-Authentication-2FA-
It is important to remember that a web application scanner such as AppCheck will exercise every piece of functionality it can reach in order to test it. From an authenticated perspective this can include, for instance, creating or deleting dummy orders, or changing account and user details.
It is therefore very important that a unique user account dedicated to AppCheck is used, and, where possible, that a test/staging instance is scanned before any production instance.
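The two points above, the extra footprint an authenticated crawl reaches and the side effects it can have on account data, as an added illustration that is not part of AppCheck's documentation or product: a constructed toy site with a login-gated "My Account" area is served locally and crawled twice, once anonymously and once after logging in with a dedicated scanner account. The account name, password, session cookie and page layout are all assumptions made for the example.

```python
# Added example (not AppCheck's code): a constructed login-gated toy site, crawled anonymously and then as a scanner account.
import re
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError

SCANNER_USER = "appcheck-scanner"      # assumed: an account provisioned only for the scanner
SCANNER_PASSWORD = "example-password"  # assumed demo password
SESSION_COOKIE = "session=demo-session-token"  # assumed toy session cookie

PUBLIC_PAGES = {  # reachable by anyone
    "/": '<a href="/products">Products</a> <a href="/login">Login</a>',
    "/products": '<a href="/">Home</a>',
    "/login": '<form method="post" action="/login"></form>',
}
PRIVATE_PAGES = {  # served only when the session cookie is present
    "/account": '<a href="/account/orders">Orders</a>',
    "/account/orders": '<a href="/account/orders/delete">Delete latest order</a>',
    "/account/orders/delete": '<a href="/account/orders">Back</a>',
}
STATE = {"orders": []}  # application state that an authenticated crawl can change


class Handler(BaseHTTPRequestHandler):
    log_message = lambda self, *args: None  # keep the demo quiet

    def _reply(self, code, body, set_cookie=None):
        self.send_response(code)
        self.send_header("Content-Type", "text/html")
        if set_cookie:
            self.send_header("Set-Cookie", set_cookie)
        self.end_headers()
        self.wfile.write(body.encode())

    def do_GET(self):
        path = urllib.parse.urlsplit(self.path).path
        logged_in = SESSION_COOKIE in self.headers.get("Cookie", "")
        if path in PUBLIC_PAGES:  # the "My Account" link only appears once logged in
            self._reply(200, PUBLIC_PAGES[path] + (' <a href="/account">My Account</a>' if path == "/" and logged_in else ""))
        elif path in PRIVATE_PAGES and logged_in:
            if path == "/account/orders/delete" and STATE["orders"]:
                STATE["orders"].pop()  # an ordinary link that mutates data when followed
            self._reply(200, PRIVATE_PAGES[path])
        else:
            self._reply(401 if path in PRIVATE_PAGES else 404, "denied")

    def do_POST(self):
        form = urllib.parse.parse_qs(self.rfile.read(int(self.headers.get("Content-Length", 0))).decode())
        if self.path == "/login" and form.get("username") == [SCANNER_USER] and form.get("password") == [SCANNER_PASSWORD]:
            self._reply(200, '<a href="/account">My Account</a>', SESSION_COOKIE + "; Path=/; HttpOnly")
        else:
            self._reply(401, "bad credentials")


def fetch(base, path, cookie=None):
    """GET base+path and return (status, body); HTTP error responses are returned, not raised."""
    req = urllib.request.Request(base + path, headers={"Cookie": cookie} if cookie else {})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, err.read().decode()

def login(base, username, password):
    """Submit the login form as a scan's login step would; return the session cookie."""
    data = urllib.parse.urlencode({"username": username, "password": password}).encode()
    with urllib.request.urlopen(urllib.request.Request(base + "/login", data=data)) as resp:
        return resp.headers.get("Set-Cookie", "").split(";", 1)[0] or None

def crawl(base, cookie=None):
    """Breadth-first crawl of same-site links from "/"; returns the paths that answered 200."""
    seen, queue, reachable = set(), ["/"], []
    while queue:
        path = queue.pop(0)
        if path in seen:
            continue
        seen.add(path)
        status, body = fetch(base, path, cookie)
        if status == 200:
            reachable.append(path)
            queue.extend(h for h in re.findall(r'href="([^"]+)"', body) if h.startswith("/"))
    return sorted(reachable)

def run_demo():
    """Serve the toy site on a free port, crawl it both ways and report what each run reached."""
    STATE["orders"] = ["order-1001", "order-1002"]
    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    try:
        anonymous = crawl(base)
        authenticated = crawl(base, login(base, SCANNER_USER, SCANNER_PASSWORD))
    finally:
        server.shutdown()
        server.server_close()
    return {"unauthenticated": anonymous, "authenticated": authenticated, "orders_remaining": len(STATE["orders"])}
```

Calling run_demo() reports three public paths for the anonymous crawl and six for the authenticated one, and shows one of the two orders gone: the crawler simply followed the "Delete latest order" link because it was reachable. That is exactly why the scan login should be an account set aside for AppCheck, and why a staging instance is the safer first target.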