Feature

Test web apps behind the login

Run 17 specialised security tests against authenticated pages. Store credentials securely with AES-256-GCM encryption and test for SQLi, XSS, IDOR, CSRF, and 13 more vulnerability classes.

No credit card required. Free plan available forever.

17 security modules test the pages attackers actually target

Most real-world vulnerabilities exist behind authentication. Login pages, dashboards, admin panels, and API endpoints are where sensitive data lives and where attackers focus their efforts. SecPortal's authenticated scanning module lets you test these protected surfaces with 17 specialised security checks that cover the OWASP Top 10 and beyond.

Provide your application credentials once and SecPortal handles the rest. The scanner authenticates to your target, crawls accessible pages, and runs each module against the authenticated context. Results include severity ratings, evidence, and actionable remediation guidance — ready to add to your engagement findings with a single click.

All 17 authenticated scan modules

Path Discovery

Crawl authenticated pages to map all accessible routes and endpoints

Security Headers

Verify security headers are present and correctly configured on authenticated responses

Tech Fingerprint

Detect server-side frameworks, middleware, and libraries exposed through authenticated pages

Redirect Analysis

Test for insecure redirects and open redirect vulnerabilities within the authenticated context

SQL Injection

Parameterised payload testing across query strings, form fields, and JSON bodies

Cross-Site Scripting

Reflected and stored XSS detection with context-aware payload generation

JWT Analysis

Algorithm confusion, weak secrets, missing expiry, and signature bypass checks

IDOR

Insecure direct object reference testing by manipulating resource identifiers

Path Traversal

Directory traversal and local file inclusion testing across input vectors

Sensitive Data Exposure

Detect PII, API keys, tokens, and secrets in authenticated responses

HTTP Methods

Test for dangerous HTTP methods like PUT, DELETE, TRACE, and OPTIONS misconfigurations

Error Handling

Trigger error conditions to detect verbose stack traces and debug information

Session Security

Cookie flags, session fixation, timeout enforcement, and concurrent session handling

SSRF

Server-side request forgery testing against URL parameters and webhook inputs

Broken Access Control

Horizontal and vertical privilege escalation testing across user roles

CSRF

Cross-site request forgery token validation and SameSite cookie attribute checks

Command Injection

OS command injection testing through input fields and parameter values

Four credential types supported

SecPortal supports the authentication methods you encounter in real engagements. Choose the credential type that matches your target application and the scanner handles session management automatically.

Cookie

Paste session cookies directly for applications using cookie-based authentication

Bearer Token

Supply JWT or OAuth tokens for API-first and SPA applications

Basic Auth

HTTP Basic Authentication with username and password for legacy applications

Form Login

Provide login URL, username field, password field, and credentials for form-based authentication

AES-256-GCM credential encryption

Security scanners need credentials to work, but storing credentials introduces risk. SecPortal encrypts all stored credentials using AES-256-GCM, an authenticated encryption algorithm that provides both confidentiality and integrity. Credentials are decrypted only at scan execution time and are never persisted in plaintext.

  • All credentials encrypted at rest using AES-256-GCM with workspace-scoped encryption keys
  • Credentials are decrypted only at scan time and never written to logs or scan results
  • Credential storage is optional — you can provide credentials per-scan without saving
  • Workspace owners can revoke stored credentials at any time from the settings panel
  • Scans run in isolated containers with no cross-tenant data access
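
The properties listed above (confidentiality, integrity, workspace-scoped keys) can be seen in a short Node.js sketch; this is an added example, not SecPortal's code. The HKDF key derivation, the record id used as associated data, and all function names are assumptions made for illustration.

```javascript
// Added illustration, not SecPortal code; every name here is hypothetical.
const crypto = require('node:crypto');

// Assumption: the page says keys are "workspace-scoped" but not how they are
// produced. Here each workspace key is derived from a master key with HKDF-SHA256.
function workspaceKey(masterKey, workspaceId) {
  return Buffer.from(crypto.hkdfSync('sha256', masterKey, Buffer.alloc(0),
    `credential-key:${workspaceId}`, 32));
}

// Encrypt one credential. The record id is bound as associated data (AAD), so a
// ciphertext copied onto another record fails authentication on decryption.
function sealCredential(key, recordId, plaintext) {
  const iv = crypto.randomBytes(12); // 96-bit nonce, fresh for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(recordId, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Decrypt at use time. Returns null when the GCM tag does not verify:
// wrong key, wrong record id, or modified ciphertext.
function openCredential(key, recordId, { iv, ct, tag }) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
  decipher.setAAD(Buffer.from(recordId, 'utf8'));
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch {
    return null;
  }
}

function demo() {
  const master = Buffer.alloc(32, 7); // constructed master key, demo only
  const keyA = workspaceKey(master, 'ws-a');
  const keyB = workspaceKey(master, 'ws-b');
  const sealed = sealCredential(keyA, 'cred-1', 'session=abc123'); // constructed cookie
  const flipped = { ...sealed, ct: Buffer.from(sealed.ct) };
  flipped.ct[0] ^= 1; // single-bit change to the stored ciphertext
  return {
    ok: openCredential(keyA, 'cred-1', sealed),
    otherWorkspace: openCredential(keyB, 'cred-1', sealed),
    otherRecord: openCredential(keyA, 'cred-2', sealed),
    tampered: openCredential(keyA, 'cred-1', flipped),
  };
}
```

Only the first call in `demo()` returns the credential; the other three return `null` because the authentication tag no longer verifies.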

Test what attackers target

Most vulnerabilities hide behind authentication. Start testing the pages that matter.
