Our recorded login feature allows you to scan your web application behind login. To use recorded login, you need to record the login sequence using our Chrome extension, then upload it to your authentication settings. The scanner will then replay the sequence to log in during your scan.
A few things to keep in mind before you get started:
Unless you want to login with Google Sign In, make sure you record your sequence in incognito mode. Recording in Incognito is preferred since it guarantees there are no previous actions in the browser (e.g. clicking "remember me", closing a cookie content pop-up and similar) that might influence the recording
Don't use the admin login credentials if scanning a production environment as we will crawl and click on everything we find on our way
Disallow the logout path so that we do not click it and log ourselves out. You can disallow the logout path in your Application Scan Settings under "Which paths/URLs must we avoid?"
Conduct the login scenario slightly slower to allow us take screenshots throughout the flow
Once logged in, you do not have to navigate around the platform - you can finalize the recording as soon as you're inside and the crawler will do the rest for you!
Troubleshooting information is available at the end of this article.
There is also an article containing technical documentation for the service handling Recorded Login, called Trails, here.
1. Install the Detectify Recorder Chrome Extension
To get started, install our Chrome extension.
When the extension is installed, you will see the Detectify icon in the Chrome extensions menu. In this menu, you can pin it to the right of your address bar by clicking the pin icon.
2. Record the login sequence
Navigate to your domain in Chrome and click on the Detectify icon to the right of your address bar, or in the Chrome extensions menu.
Make sure the URL is where you want to begin, then click Start recording.
Log in the same way as you normally do.
3. Finalize the recording
When you have successfully logged in and the landing page has loaded properly, open up the extension again and select Stop and review recording.
4. Review the recording
Clicking on Stop and review recording will bring you to a review state where all the recorded requests are listed. Confirm that all the needed steps are listed. When you are done, select Download to download a file with the recorded login steps.
5. Upload and enable Recorded Login
You are now ready to upload the login sequence. To do this, log in to your Detectify account, select your scan profile and navigate to Scanning Settings --> Application Scanning Authentication --> Recorded login --> Add Recorded Login file.
You will be prompted to upload the login sequence file. Once you have uploaded the file, Validation of the file will start. After a few minutes, you will see the results of the validation.
6. Scan with Recorded Login
Your login sequence is in place and you are ready to run scan with Recorded Login.
After the scan has run for 10-15 minutes, you can check whether the scanner was able to log in successfully. Look for the Recorded Login Succeeded finding in your report.
Troubleshooting
If your report states Recorded Login Succeeded, but the scan results are not what you were expecting (for example, if you received unexpected error responses in your Crawled URLs finding), the scanner might have logged out from your site during the crawling phase. To mitigate this issue, please disallow (avoid) all of your logout paths on the Scan Settings page.
If your report states Recorded Login Failed, your sequence is not being replayed correctly.
The most common reason for this is the following:
You have modified your site since the recorded login, and the scanner now interprets this as the wrong scan target. This is typically indicated with one of the following error messages:
> Trail error: Failed executing Sanity Checks step 1 / 2: Selenium 1.0 verifyTitle
> Trail error: Failed executing Sanity Checks step 1 / 2: Selenium 1.0 verifyURL
To correct these errors, either record a new login sequence or revert the changes made to your site.
In the Recorded Login Failed finding, you will also find any screenshots generated during the login sequence that can help you in troubleshooting. For example, if the screenshots display an error page, you might need to allow the scanner traffic to your site.