
Overview

Adding authentication credentials to your targets enables MindFort’s red team agents to test authenticated areas of your applications. This provides deeper security coverage by assessing user-specific functionality, protected pages, and authorization controls that would otherwise be inaccessible.
Security First: Credentials are encrypted at rest and are transmitted to assessment agents only at runtime. Even so, always use dedicated demo accounts: an authenticated agent will exercise every function the account can reach, so never enter live user credentials or accounts with access to real customer data.

Why Authentication Matters

Enhanced Assessment Coverage

Without Authentication:
  • Testing limited to public pages and endpoints
  • Missing vulnerabilities in user dashboards and admin panels
  • No assessment of authorization controls or privilege escalation
  • Limited business logic testing
With Authentication:
  • Comprehensive testing of authenticated user flows
  • Assessment of role-based access controls
  • Discovery of privilege escalation vulnerabilities
  • Testing of user-specific data handling and session management

Red Team Advantage

MindFort’s red team agents can:
  • Navigate complex authentication workflows
  • Test multi-step business processes
  • Assess authorization boundaries between user roles
  • Identify vulnerabilities in authenticated API endpoints

Authentication Methods

MindFort supports multiple authentication approaches to match your application’s login system.

Username & Password

Best for: Traditional login forms, most web applications

1. Create Demo Account

Create a dedicated test account in your application:
  • Use a non-sensitive username (e.g., mindfort-test-user)
  • Set a unique password that is not reused anywhere else (see Secure Password Practices below)
  • Assign appropriate permissions for testing scope
  • Never use live user accounts or sensitive passwords
2. Add Credentials to Target

In your target configuration:
  • Authentication Type: Select “Username & Password”
  • Username: Enter your demo account username
  • Password: Enter the demo account password
  • Login Instructions: Specify where and how to log in (see below)
3. Test Credentials

Verify the credentials work by logging in manually before starting assessments.
Security Best Practice: Always create dedicated demo accounts for security testing. Never use real user accounts, admin credentials, or passwords that are used elsewhere.

Magic Link

Best for: Applications using Stytch, Auth0, or similar providers with email-based authentication

1. Create Agent Account

Create a test account in your authentication system:
  • Email Address: agent@mindfort.ai
  • User Permissions: Set appropriate testing permissions
  • Account Type: Demo/test account (not production user)
2. Configure Target Credentials

  • Authentication Type: Select “Magic Link” from dropdown
  • Email: Enter agent@mindfort.ai
  • Login Instructions: Provide detailed login flow instructions
3. Verify Email Access

Ensure the agent@mindfort.ai account can receive magic link emails in your system and that the links it receives are not blocked or consumed by a mail filter before the agent can use them.
Magic Link Requirements: The agent account must use the email address agent@mindfort.ai for MindFort’s automated authentication system to work properly.

Login Instructions

The Login Instructions field is critical for efficient assessments. Clear instructions help agents quickly navigate to authentication pages without wasting time exploring.

Essential Information to Include

Specify exact URLs:
  • Main site: https://yourapp.com
  • Login page: https://yourapp.com/login
  • Or subdomain: https://auth.yourapp.com
Example Instructions:
Login page is at https://myapp.com/login
Click the "Sign In" button in the top-right corner to access login form
Describe the login process:
1. Navigate to https://myapp.com/login
2. Enter username and password in the form
3. Click "Login" button
4. You'll be redirected to https://myapp.com/dashboard
5. Look for "Welcome, [username]" to confirm successful login
Include any unique aspects:
- Two-factor authentication is DISABLED for this test account
- After login, click "Skip Setup" to bypass onboarding
- The account has limited demo data for testing
- Session expires after 2 hours of inactivity
Guide agents to key areas:
After successful login:
- Main dashboard: /dashboard
- User settings: /profile
- Admin panel: /admin (if test account has access)
- Key features to test: /orders, /billing, /settings

Login Instructions Examples

Example 1: Standard Web Application

Target: https://ecommerce-demo.com
Login Process:
1. Go to https://ecommerce-demo.com/signin
2. Enter username: demo-tester
3. Enter the password stored in this target's Password field (keep the secret in the credential field rather than in these free-text instructions)
4. Click "Sign In" button
5. Skip the "Complete Your Profile" popup by clicking "Later"
6. You should see the main dashboard at /dashboard

Key areas to test:
- Product catalog: /products
- Shopping cart: /cart
- Order history: /orders
- Account settings: /account
Example 2: Magic Link Authentication

Target: https://saas-app.com
Login Process:
1. Go to https://saas-app.com/auth
2. Enter email: agent@mindfort.ai
3. Click "Send Magic Link"
4. Check email and click the login link
5. You'll be redirected to the workspace at /workspace

Note: Test account has "Viewer" role permissions
Demo workspace has sample data for testing

Example 3: Subdomain Authentication

Target: https://app.myservice.com
Login Process:
1. Main login is at https://auth.myservice.com/login
2. Use username: mindfort-agent
3. Use the password stored in this target's Password field
4. After login, you'll be redirected to https://app.myservice.com/home
5. The navigation menu is in the left sidebar

Important: The test account can access all features except "Admin Settings"

Security Best Practices

Demo Account Creation

Appropriate Access Levels:
  • Standard User: For testing user-level functionality
  • Limited Admin: For testing administrative features (if needed)
  • Read-Only: For sensitive areas where write access isn’t needed
  • Feature-Specific: Access to specific modules or features being tested
Avoid:
  • Full administrative privileges unless absolutely necessary
  • Access to real customer data or payment systems
  • Permissions to modify production settings or configurations
Isolation Strategies:
  • Use separate demo database or sandbox environment
  • Limit account to test data only
  • Implement rate limiting for demo accounts
  • Set automatic account expiration if appropriate
Data Safety:
  • Never connect demo accounts to real payment methods
  • Avoid access to actual customer information
  • Use synthetic test data for realistic workflows
Secure Password Practices:
  • Use unique passwords not used elsewhere
  • Make passwords complex but not sensitive/personal
  • Document credentials securely for your team
  • Rotate demo account passwords regularly
Examples of the shape of an acceptable test password (generate your own random value; do not copy these, since anything published in documentation is effectively public):
  • TestAccount123!
  • DemoUser2024$
  • SecurityTest456#
Avoid:
  • Real user passwords
  • Company passwords
  • Personal passwords
  • Shared production credentials

Credential Storage Security

MindFort Security Measures:
  • Encryption at Rest: All stored credentials are encrypted using industry-standard encryption
  • Secure Transmission: Credentials only transmitted to agents at assessment runtime
  • Access Controls: Strict access controls on credential storage systems
  • Audit Logging: All credential access is logged for security monitoring
Your Responsibilities:
  • Create dedicated demo accounts for testing
  • Use non-sensitive passwords
  • Regularly review and rotate test account credentials
  • Monitor demo account usage for any unexpected activity

Testing and Validation

Credential Verification

Before starting assessments, verify your authentication setup:
1. Manual Login Test

  • Use the exact credentials and instructions provided
  • Navigate through the login process step-by-step
  • Confirm successful authentication and access to key features
2. Session Behavior

  • Test session duration and timeout behavior
  • Verify logout functionality works properly
  • Confirm multi-factor authentication is disabled for the test account (agents cannot complete an MFA challenge on their own)
3. Permission Validation

  • Confirm test account has appropriate access levels
  • Verify access to intended features and pages
  • Test that account cannot access restricted areas
4. Assessment Integration

  • Start a small Turbo assessment to test authentication
  • Monitor initial assessment progress for authentication success
  • Review assessment results for proper authenticated coverage

Common Authentication Issues

Agents cannot find the login page

Symptoms: Assessment starts but agents spend time searching for the login page
Solutions:
  • Provide exact URLs for authentication pages
  • Include step-by-step navigation instructions
  • Specify any non-obvious UI elements (buttons, links, forms)
  • Test instructions by having a colleague follow them exactly
Login fails or gets stuck

Symptoms: Assessment fails to authenticate or gets stuck at the login step
Solutions:
  • Verify credentials work with manual login
  • Check whether special characters in the password are being mangled in transit (for example by copy/paste or URL encoding); if in doubt, rotate to a password without them
  • Ensure account isn’t locked, expired, or disabled
  • Confirm password complexity requirements are met
Session expires mid-assessment

Symptoms: Assessment loses authentication part-way through the scan
Solutions:
  • Document session timeout behavior in instructions
  • Ensure demo account has reasonable session duration
  • Consider using accounts with extended session timeouts
  • Implement session refresh mechanisms if possible

Advanced Configuration

Multi-Role Testing

For comprehensive authorization testing, consider creating multiple demo accounts:

Standard User Account:
  • Username: mindfort-user
  • Permissions: Regular user features
  • Purpose: Test user-level functionality and data access
Admin Account (if needed):
  • Username: mindfort-admin
  • Permissions: Administrative features
  • Purpose: Test admin functionality and privilege escalation
Limited Account:
  • Username: mindfort-limited
  • Permissions: Restricted access
  • Purpose: Test authorization boundaries and access controls
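The Credential Verification checklist above (Manual Login Test, Permission Validation) and the multi-role accounts described here can be scripted so they run before every assessment rather than being checked by hand. The following is an added example and is not MindFort code: it logs in as each demo account, records the HTTP status each account receives on a set of protected paths, and flags any cell that disagrees with the expected policy, which catches both a misconfigured demo account (an allowed role getting 403) and a real authorization gap (a restricted role getting 200). The account names, passwords, paths and policy are hypothetical, and the target is a constructed in-process stub application so the script runs offline; point `base` at a real login endpoint and replace ACCOUNTS and POLICY to use it for real.

```python
import http.cookiejar
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical demo accounts: username -> (password, role). Not real credentials.
ACCOUNTS = {
    "mindfort-user": ("UserPass-1", "user"),
    "mindfort-admin": ("AdminPass-1", "admin"),
    "mindfort-limited": ("LimitedPass-1", "limited"),
}
# Expected policy (assumed): the roles each protected path should admit.
POLICY = {
    "/dashboard": {"user", "admin", "limited"},
    "/orders": {"user", "admin"},
    "/admin": {"admin"},
}
SESSIONS = {}  # stub state: session cookie value -> role

class StubApp(BaseHTTPRequestHandler):
    """Constructed stand-in for the target: form login, cookie session, RBAC."""
    def log_message(self, *args):
        pass  # keep the stub quiet

    def _role(self):
        for part in self.headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "sid":
                return SESSIONS.get(value)
        return None

    def do_POST(self):  # POST /login with username/password form fields
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        form = urllib.parse.parse_qs(body.decode())
        account = ACCOUNTS.get(form.get("username", [""])[0])
        if account and account[0] == form.get("password", [""])[0]:
            sid = f"s{len(SESSIONS) + 1}"
            SESSIONS[sid] = account[1]
            self.send_response(302)
            self.send_header("Set-Cookie", f"sid={sid}; HttpOnly")
            self.send_header("Location", "/dashboard")
        else:
            self.send_response(401)
        self.end_headers()

    def do_GET(self):
        allowed, role = POLICY.get(self.path), self._role()
        if allowed is None:
            self.send_response(404)
        elif role is None:
            self.send_response(302)  # unauthenticated: bounce to login
            self.send_header("Location", "/login")
        else:
            self.send_response(200 if role in allowed else 403)
        self.end_headers()

def start_stub():
    """Start the stub on a free localhost port and return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), StubApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}"

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx responses as status codes instead of following them."""
    def redirect_request(self, *args, **kwargs):
        return None

def status_of(opener, url, data=None):
    try:
        with opener.open(url, data=data, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def login(base, username, password):
    """Manual Login Test: return an authenticated opener, or None on failure."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()), NoRedirect)
    form = urllib.parse.urlencode({"username": username, "password": password}).encode()
    if status_of(opener, base + "/login", form) != 302:
        return None
    # Confirm the session is usable, like the "Welcome" check in the instructions.
    return opener if status_of(opener, base + "/dashboard") == 200 else None

def access_matrix(base):
    """Permission Validation for every demo account: {username: {path: status}}."""
    matrix = {}
    for username, (password, _role) in ACCOUNTS.items():
        session = login(base, username, password)
        matrix[username] = {path: None if session is None else status_of(session, base + path)
                            for path in POLICY}
    return matrix

def policy_violations(matrix):
    """Cells where observed access disagrees with POLICY: an authorization gap,
    a misconfigured demo account, or (None) a login that failed outright."""
    return [(user, path, status) for user, row in matrix.items()
            for path, status in row.items()
            if status is None or (status == 200) != (ACCOUNTS[user][1] in POLICY[path])]
```

Run `policy_violations(access_matrix(start_stub()))` to exercise it against the stub; an empty list means every account logs in and sees exactly what the policy says it should. Against a real target, a `None` row means the credentials themselves are broken (locked, expired, or wrong) and the assessment should not be started until that is fixed.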

API Authentication

For applications with API endpoints requiring authentication:

API Key Method:
  • Store API keys in the credentials section
  • Provide instructions on how APIs expect authentication
  • Document rate limits and usage restrictions
Bearer Token Method:
  • Include instructions for token generation/refresh
  • Specify token lifetime and renewal process
  • Document API endpoint authentication requirements

Single Sign-On (SSO) Integration

For applications using SSO providers:

Setup Requirements:
  • Work with your SSO administrator to create test account
  • Ensure test account can authenticate through SSO flow
  • Document any special SSO configuration requirements
  • Test SSO flow thoroughly before assessment

Maintenance and Updates

Regular Review Schedule

Monthly Tasks:
  • Test all stored credentials for continued validity
  • Review demo account permissions and access levels
  • Update login instructions if application UI changes
  • Verify email addresses for magic link authentication
Quarterly Tasks:
  • Rotate demo account passwords
  • Review and update account permissions as needed
  • Audit demo account usage and activity logs
  • Update authentication documentation and procedures

Credential Lifecycle Management

When to Update Credentials:
  • Application authentication flow changes
  • Demo account passwords expire or need rotation
  • User interface changes affect login instructions
  • New features require different permission levels
Documentation Updates:
  • Keep login instructions current with UI changes
  • Update screenshots or visual guides as needed
  • Maintain record of credential changes for audit purposes
  • Notify team members of credential updates

Getting Help

Authentication Support

If you encounter issues with authentication setup:
  • In-App Chat: Use the MindFort support chat for real-time assistance with credential configuration
  • Email Support: Send detailed authentication questions to support@mindfort.ai
  • Include Details: Provide target information, authentication method, and specific error messages

Best Practices Consultation

For complex authentication scenarios:
  • Multi-tenant applications with complex user hierarchies
  • Custom authentication systems not covered in standard methods
  • High-security environments requiring special consideration
  • Compliance requirements affecting demo account creation
Security Reminder: When seeking support, never share actual production credentials or sensitive authentication details. Focus on configuration guidance and best practices.
Remember: Proper authentication setup significantly improves the quality and coverage of your red team assessments. Take time to configure demo accounts and login instructions thoroughly for the best results.