Script Types Overview
HawkScan supports five script types, each hooking a different stage of a scan: authenticating, tracking the session, sending and receiving requests, actively probing endpoints, and passively inspecting traffic. Each type has its own detailed documentation page under the Script Types nav.
Authentication Scripts
Purpose: Manage complex or custom authentication flows.
Use Cases: Log in to web apps that use multi-step authentication, automate token retrieval from a third-party identity provider or a separate domain before calling an API, drive OAuth flows end to end, implement API key authentication.
When to Use: Your application uses an authentication mechanism that HawkScan's built-in methods do not support, or the login requires several dependent requests (for example, fetch a CSRF token, post credentials, then exchange a code for an access token).
Learn More: Authentication Script Documentation
Session Management Scripts
Purpose: Implement custom session management mechanisms and token handling.
Use Cases: Handle sessions that rely on custom tokens or identifiers rather than standard cookies, implement token rotation logic for API testing, manage JWTs with expiration and renewal, handle flows that carry more than one token (for example, an access token plus a refresh token).
When to Use: Your application uses custom session tokens, needs HawkScan to detect an expired token and re-authenticate, or needs an Authorization header injected into each request from the current session state.
Learn More: Session Management Script Documentation
HTTP Sender Scripts
Purpose: Intercept and manipulate HTTP requests and responses.
Use Cases: Add custom headers or modify request payloads, implement request signing (e.g., AWS SigV4), log requests and responses for debugging, throttle requests to stay within a rate limit.
When to Use: You need to modify every request HawkScan sends, add headers computed from the request content, or implement a custom signing scheme. Note that sender scripts see every request the scanner issues, including those from authentication and active scanning, so scope changes by path or by the initiator rather than applying them unconditionally.
Learn More: HTTP Sender Script Documentation
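The following HTTP sender script is an added example, not code from the HawkScan documentation or from StackHawk. It assumes HawkScan's Kotlin script support and the ZAP scripting API that sender scripts receive (HttpMessage, HttpSenderScriptHelper, ScriptVars, HttpSender). The HMAC request-signing scheme, the `/api/` path prefix, the header names and the `api_signing_key` variable name are assumptions chosen for illustration; AWS SigV4 follows the same pattern but canonicalizes far more of the request.

```kotlin
// Added example: sign API requests and log server errors.
// Assumes HawkScan's Kotlin scripting and the ZAP sender-script API.
import org.parosproxy.paros.network.HttpMessage
import org.parosproxy.paros.network.HttpSender
import org.zaproxy.zap.extension.script.HttpSenderScriptHelper
import org.zaproxy.zap.extension.script.ScriptVars
import java.util.Base64
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec

// Hypothetical global set earlier (e.g. by an authentication script) via ScriptVars.setGlobalVar.
private const val SIGNING_KEY_VAR = "api_signing_key"
private const val API_PREFIX = "/api/"   // hypothetical: only these routes require a signature

// Hypothetical signing scheme: HMAC-SHA256 over "METHOD\nPATH\nTIMESTAMP\nBODY".
private fun hmacSha256(key: String, data: String): String {
    val mac = Mac.getInstance("HmacSHA256")
    mac.init(SecretKeySpec(key.toByteArray(Charsets.UTF_8), "HmacSHA256"))
    return Base64.getEncoder().encodeToString(mac.doFinal(data.toByteArray(Charsets.UTF_8)))
}

// Called by HawkScan for every outgoing request.
fun sendingRequest(msg: HttpMessage, initiator: Int, helper: HttpSenderScriptHelper) {
    // Login traffic is handled by the authentication script; do not sign it.
    if (initiator == HttpSender.AUTHENTICATION_INITIATOR) return

    val header = msg.requestHeader
    val path = header.uri.path ?: "/"
    if (!path.startsWith(API_PREFIX)) return           // static assets etc. are left untouched

    val key = ScriptVars.getGlobalVar(SIGNING_KEY_VAR) ?: return  // nothing to sign with yet

    val timestamp = (System.currentTimeMillis() / 1000).toString()
    val toSign = listOf(header.method, path, timestamp, msg.requestBody.toString()).joinToString("\n")

    header.setHeader("X-Timestamp", timestamp)
    header.setHeader("X-Signature", hmacSha256(key, toSign))
}

// Called by HawkScan for every response; here used only for debugging visibility.
fun responseReceived(msg: HttpMessage, initiator: Int, helper: HttpSenderScriptHelper) {
    val status = msg.responseHeader.statusCode
    if (status >= 500) {
        println("httpsender: ${msg.requestHeader.method} ${msg.requestHeader.uri} -> $status (initiator=$initiator)")
    }
}
```

Because the signature covers the request body, the script must run after any other script that rewrites the body; keep body-modifying and signing logic in one sender script if ordering is not guaranteed.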
Active Scanning Scripts
Purpose: Create custom vulnerability detection rules that actively test endpoints.
Use Cases: Extend the scan with custom payloads for specific vulnerability classes, test for business-specific injection flaws that the built-in rules do not cover, fuzz parameters with dynamically generated payloads, detect multi-tenancy violations (for example, one tenant's identifier accepted in another tenant's session).
When to Use: You need to test for application-specific vulnerabilities, business logic flaws, or custom injection patterns unique to your environment. Active scripts send additional requests to the target, so keep payloads non-destructive and compare each response against the baseline to avoid false positives.
Learn More: Active Scanning Script Documentation
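The following active scanning script is an added example, not code from the HawkScan documentation or from StackHawk. It assumes HawkScan's Kotlin script support and the ZAP active-script API (ScriptsActiveScanner with scanNode and scan entry points, cloneRequest, setParam, sendAndReceive, newAlert). The expression payloads and the marker value are assumptions; the check is a generic "does the server evaluate what I sent" injection test, applied to every parameter HawkScan discovers.

```kotlin
// Added example: custom injection check that reports only when the injected
// expression is evaluated by the server. Assumes HawkScan's Kotlin scripting
// and the ZAP active-script API.
import org.parosproxy.paros.core.scanner.Alert
import org.parosproxy.paros.network.HttpMessage
import org.zaproxy.zap.extension.ascan.ScriptsActiveScanner

// Hypothetical payloads: each pair is (what we send, what appears only if it was evaluated).
private val PAYLOADS = listOf(
    "{{7*191}}" to "1337",
    "\${7*191}" to "1337",
    "<%= 7*191 %>" to "1337",
)

// Called once per URL; nothing to do here because the work is per parameter.
fun scanNode(sas: ScriptsActiveScanner, msg: HttpMessage) {
}

// Called once per parameter of the original request.
fun scan(sas: ScriptsActiveScanner, msg: HttpMessage, param: String, value: String) {
    // Baseline: if the marker is already in the normal response, it proves nothing.
    val baseline = msg.responseBody.toString()

    for ((payload, marker) in PAYLOADS) {
        if (sas.isStop()) return                     // honour scan cancellation

        val test = msg.cloneRequest()                // fresh copy with the original request
        sas.setParam(test, param, payload)           // inject into the current parameter
        sas.sendAndReceive(test, false, false)       // no redirect following, no anti-CSRF handling

        val body = test.responseBody.toString()
        val evaluated = body.contains(marker) && !baseline.contains(marker) && !body.contains(payload)
        if (!evaluated) continue

        sas.newAlert()
            .setRisk(Alert.RISK_HIGH)
            .setConfidence(Alert.CONFIDENCE_MEDIUM)
            .setName("Server-side expression evaluation (custom script)")
            .setDescription("The value of parameter '$param' was evaluated as an expression by the server.")
            .setParam(param)
            .setAttack(payload)
            .setEvidence(marker)
            .setSolution("Treat user input as data, never as template or expression source.")
            .setMessage(test)
            .raise()
        return                                       // one alert per parameter is enough
    }
}
```

The three conditions in `evaluated` matter: the marker must be new relative to the baseline, and the raw payload must be absent, otherwise a page that simply echoes input would be flagged.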
Passive Scanning Scripts
Purpose: Analyze HTTP traffic that the scan already generates, without sending additional requests.
Use Cases: Detect information leaks such as verbose error messages or revealing headers, flag responses that expose server software and versions, identify sensitive data disclosure (PII, API keys, credentials), check security headers (CSP, HSTS, CORS).
When to Use: You want to inspect response patterns, detect sensitive data exposure, or check responses against a policy (such as required security headers) with no extra request overhead. Passive scripts run on every message the scan sees, so keep them fast and free of side effects.
Learn More: Passive Scanning Script Documentation
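The following passive scanning script is an added example, not code from the HawkScan documentation or from StackHawk. It assumes HawkScan's Kotlin script support and the ZAP passive-script API (ScriptsPassiveScanner with the scan and appliesToHistoryType entry points, PluginPassiveScanner.getDefaultHistoryTypes, newAlert). It covers three of the use cases above on one response: a missing HSTS header on HTTPS, a Server header that leaks a version, and an AWS access key ID pattern in the body. The regular expressions and alert wording are assumptions for illustration.

```kotlin
// Added example: header policy check plus secret-pattern detection, without
// sending any request. Assumes HawkScan's Kotlin scripting and the ZAP
// passive-script API.
import net.htmlparser.jericho.Source
import org.parosproxy.paros.core.scanner.Alert
import org.parosproxy.paros.network.HttpMessage
import org.zaproxy.zap.extension.pscan.PluginPassiveScanner
import org.zaproxy.zap.extension.pscan.scripts.ScriptsPassiveScanner

// Hypothetical patterns used for illustration.
private val VERSION_IN_SERVER = Regex("""\d+\.\d+""")          // e.g. "nginx/1.18.0"
private val AWS_ACCESS_KEY_ID = Regex("""\bAKIA[0-9A-Z]{16}\b""")

// Called for every message HawkScan records; must not send requests.
fun scan(ps: ScriptsPassiveScanner, msg: HttpMessage, src: Source) {
    val req = msg.requestHeader
    val resp = msg.responseHeader

    // 1. Security header policy: HTTPS responses should carry HSTS.
    if (req.isSecure && resp.getHeader("Strict-Transport-Security") == null) {
        ps.newAlert()
            .setRisk(Alert.RISK_LOW)
            .setConfidence(Alert.CONFIDENCE_MEDIUM)
            .setName("Missing Strict-Transport-Security header (custom script)")
            .setDescription("The HTTPS response did not include an HSTS header.")
            .setSolution("Send Strict-Transport-Security with a max-age of at least one year.")
            .setMessage(msg)
            .raise()
    }

    // 2. Server details: a version number in the Server header aids fingerprinting.
    val server = resp.getHeader("Server")
    if (server != null && VERSION_IN_SERVER.containsMatchIn(server)) {
        ps.newAlert()
            .setRisk(Alert.RISK_LOW)
            .setConfidence(Alert.CONFIDENCE_HIGH)
            .setName("Server header discloses version (custom script)")
            .setEvidence(server)
            .setSolution("Remove the version from the Server header.")
            .setMessage(msg)
            .raise()
    }

    // 3. Sensitive data disclosure: cloud credential identifier in the body.
    val body = msg.responseBody.toString()
    AWS_ACCESS_KEY_ID.find(body)?.let { match ->
        ps.newAlert()
            .setRisk(Alert.RISK_HIGH)
            .setConfidence(Alert.CONFIDENCE_MEDIUM)
            .setName("Possible AWS access key ID in response (custom script)")
            .setEvidence(match.value)
            .setSolution("Remove credentials from responses and rotate the exposed key.")
            .setMessage(msg)
            .raise()
    }
}

// Restrict the script to the message types passive rules normally inspect.
fun appliesToHistoryType(historyType: Int): Boolean =
    PluginPassiveScanner.getDefaultHistoryTypes().contains(historyType)
```

Passive alerts are raised once per matching message, so a header check like the HSTS one will fire on every HTTPS response from a host that omits the header; deduplicate on the reporting side or track seen hosts in a script-level set if that noise is unwanted.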