
Recorded Authentication

Recorded (or recording-based) authentication is a newly added method that helps you scan websites that use a non-standard authentication flow.

Complex web applications load dynamic pages and components, and an automated scanner must be able to handle them in order to authenticate against a given target. The Recorded method uses Selenium to record the user events performed while logging into the account used for scanning. You record the authentication process once and upload the recording to the Website Scanner.


Before starting the scan:

1) Install the Selenium browser extension

The Recorded authentication method only works with Chrome or Firefox.

2) Enable “Allow in incognito”

Right-click the “Selenium IDE” extension > Manage Extensions > enable “Allow in incognito”.

This operation is mandatory because the recording has to start in a clean environment, with no cookies or other sessions.

3) Record and Save Authentication

Open a new tab in incognito mode and click the extension icon. In the extension pop-up, choose Record a new test in a new project.

  • Enter a Project name
  • Enter the LOGIN URL as the BaseUrl
  • Click Start Recording
  • Perform the login steps: enter the username, enter the password, click login, etc.
  • Return to the extension pop-up and click Stop Recording

Stop the recording after you complete the authentication process. You will see an overlay reading “Selenium IDE is recording” until you click Stop Recording.

You will be prompted to name the test. Enter the name and then click Save Project.

Selenium IDE Save Recording

We recommend that you log out of the target application before starting the scan. Before logging out, save the URL of the landing page shown after authentication; it is used as the target URL for the Website Scanner.


Starting the scan:

Scanning after login with Pentest-Tools.com using a recorded authentication method with Selenium IDE

1) Add your target URL

This should be the URL of the landing page shown after authentication. Make sure you are logged out of the target application before starting the scan.

2) Upload the recording

In the Recorded tab, upload the .side file you saved from Selenium IDE.
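As an added example (not Pentest-Tools.com code, nor a feature of the scanner), the following Python script inspects a .side file before you upload it. Selenium IDE saves recordings as JSON, and every `type` step keeps the text entered during recording, so the file contains the scanning account's username and password in clear text and should be stored and shared like any other credential. The script uses a constructed sample recording for a hypothetical login page (`https://app.example.test/login`, with field ids `username` and `password`; all values are made up) and reports the recorded steps, which fields received typed values, and common recording mistakes: no `open` step at the start, nothing typed into the form, or no click after the last typed value.

```python
"""Sanity-check a Selenium IDE .side recording before uploading it.

Added example for this article; it is not Pentest-Tools.com code. It assumes
the JSON layout Selenium IDE writes: a top-level "url" (the BaseUrl) and a
"tests" list whose entries hold "commands" with "command"/"target"/"value".
"""
import json

# Constructed sample of what Selenium IDE saves after recording a login.
# The hostname, element ids and credentials are all made up for this example.
# Note that typed values are stored verbatim: the password is in clear text.
SAMPLE_SIDE = json.dumps({
    "id": "00000000-0000-0000-0000-000000000001",
    "version": "2.0",
    "name": "login-recording",
    "url": "https://app.example.test/login",
    "tests": [{
        "id": "00000000-0000-0000-0000-000000000002",
        "name": "login",
        "commands": [
            {"command": "open", "target": "/login", "value": ""},
            {"command": "setWindowSize", "target": "1280x800", "value": ""},
            {"command": "click", "target": "id=username", "value": ""},
            {"command": "type", "target": "id=username", "value": "scanner-user"},
            {"command": "type", "target": "id=password", "value": "S3cret-example"},
            {"command": "click", "target": "css=button[type=submit]", "value": ""},
        ],
    }],
    "suites": [],
    "urls": ["https://app.example.test/"],
    "plugins": [],
})


def check_side_recording(side_json: str) -> dict:
    """Parse a .side document and return a small report about the recording.

    The report lists the recorded steps, the fields that received typed text
    (these values sit in the file in clear text) and any structural problems
    that would stop the recording from producing a logged-in session.
    """
    data = json.loads(side_json)
    report = {
        "base_url": data.get("url", ""),
        "steps": [],
        "typed_fields": [],
        "problems": [],
    }
    if not report["base_url"].startswith("https://"):
        report["problems"].append(
            "BaseUrl is not https; credentials would be replayed in clear")

    tests = data.get("tests") or []
    if not tests:
        report["problems"].append("no tests recorded")
        return report

    # Selenium IDE puts the recorded test first; check only that one here.
    commands = tests[0].get("commands") or []
    if not commands or commands[0].get("command") != "open":
        report["problems"].append(
            "recording does not start with an 'open' step")

    typed_anything = False
    click_after_last_type = False
    for cmd in commands:
        name = cmd.get("command", "")
        target = cmd.get("target", "")
        value = cmd.get("value", "")
        report["steps"].append(f"{name} {target}".strip())
        if name == "type" and value:
            typed_anything = True
            click_after_last_type = False  # a later click must follow this
            report["typed_fields"].append(target)
        elif name in ("click", "submit") and typed_anything:
            click_after_last_type = True

    if not typed_anything:
        report["problems"].append(
            "no 'type' step: nothing was entered into the login form")
    elif not click_after_last_type:
        report["problems"].append(
            "no click/submit after the last typed value; was the form sent?")
    return report


if __name__ == "__main__":
    result = check_side_recording(SAMPLE_SIDE)
    print("BaseUrl:", result["base_url"])
    for step in result["steps"]:
        print("  step:", step)
    print("fields with clear-text typed values:", result["typed_fields"])
    print("problems:", result["problems"] or "none")
```

Run it with `python check_side.py` against the embedded sample, or replace `SAMPLE_SIDE` with the contents of your own .side file. A recording that reports problems here usually also fails the scanner's authentication check, so fixing it before uploading saves a round trip.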

3) Check authentication

You can use Check authentication or start a scan directly; however, we recommend that you first check that the recording produces a successful login.

The authentication check can take a while to complete; do not leave or refresh the page while it is running. You will then see a screenshot of the application after login. If it looks correct, you can proceed with the scan.

Warning! The Check authentication functionality is temporarily disabled when you scan from the Targets page, although the Start scan option is still available. We recommend that you run this kind of scan directly from the Website Scanner tool page so you can properly verify that authentication was successful.

4) Start the Scan

Click “I am authorized to scan this target” then start your scan.


Need more info about Authenticated scans and why you should be performing this type of scan? Read our article in the Learning Center:
