Recorded (recording-based) authentication is a newly added method that helps when scanning websites that use a non-standard authentication flow.
Complex web applications load dynamic pages and components, and an automated scanner must be able to handle them in order to authenticate on a specific target. The Recorded method uses Selenium technology to record the user's actions while logging into the account used for scanning. This way you record the authentication process once and upload the recording to the Website Scanner.
Before starting the scan:
1) Install the Selenium IDE browser extension
The Recorded authentication method only works with Chrome or Firefox.
2) Enable “Allow in incognito”
Right-click the “Selenium IDE” extension > Manage Extensions > enable “Allow in incognito”.
This operation is mandatory because the recording has to start in a clean environment, with no cookies or other sessions.
3) Record and Save Authentication
Open a new tab in incognito mode and click on the extension. Choose “Record a new test in a new project” in the extension pop-up.
- Enter a Project name
- Enter the LOGIN URL as the Base URL
- Click Start Recording
- Make the login steps: enter username, enter password, click login, etc.
- Make sure to stop the recording (“Stop Recording” button in the Selenium IDE pop-up window) immediately after submitting the login form (for example, clicking Login) and after your target has loaded. This ensures that no operations unrelated to the authentication process are stored in the recording. You can verify this by checking that the last recorded step is the submit/login button click.
You will be prompted to name the test. Enter the name and then click Save Project.
We recommend you log out of the target application before starting the scan. Make sure to save the URL of the landing page after authentication before logging out. This will be used as the target URL for the Website Scanner.
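The check described above (the recording must open the login URL, fill in the form and end with the submit click, with nothing recorded after it) can be done on the saved .side file before uploading it. The script below is an added example, not part of the scanner or of Selenium IDE; it assumes the .side layout Selenium IDE writes (project, url, tests, commands) and uses a constructed sample recording. Note that the `type` commands store the typed values, including the password, in clear text, so the .side file must be handled as a credential.

```python
import json

SUBMIT = {"click", "clickAt", "submit", "sendKeys"}      # ways a login form gets submitted
NOISE = {"setWindowSize", "pause", "selectWindow"}       # browser housekeeping, not login steps

# Constructed sample: the shape Selenium IDE writes for a username/password login.
SAMPLE_SIDE = json.dumps({
    "version": "2.0", "name": "scanner-login", "url": "https://app.example.test/login",
    "tests": [{"id": "t1", "name": "login", "commands": [
        {"command": "open", "target": "/login", "value": ""},
        {"command": "setWindowSize", "target": "1280x800", "value": ""},
        {"command": "click", "target": "id=username", "value": ""},
        {"command": "type", "target": "id=username", "value": "scan-user"},
        {"command": "type", "target": "id=password", "value": "constructed-password"},
        {"command": "click", "target": "css=button[type=submit]", "value": ""},
    ]}],
})


def check_side_recording(side_json: str, login_url: str) -> list:
    """Return the problems found in a .side recording; an empty list means it looks usable."""
    side = json.loads(side_json)
    problems = []
    if side.get("url", "").rstrip("/") != login_url.rstrip("/"):
        problems.append(f"base URL is {side.get('url')!r}, expected the login URL {login_url!r}")
    tests = side.get("tests", [])
    if len(tests) != 1:
        return problems + [f"expected one recorded test, found {len(tests)}"]
    cmds = [c for c in tests[0].get("commands", []) if c.get("command") not in NOISE]
    if not cmds or cmds[0]["command"] != "open":
        problems.append("recording does not start with an 'open' of the login page")
    if sum(1 for c in cmds if c["command"] == "open") > 1:
        problems.append("navigation after login was recorded; stop right after submitting")
    if not any(c["command"] == "type" for c in cmds):
        problems.append("no credentials were typed; the login form was never filled in")
    if not cmds or cmds[-1]["command"] not in SUBMIT:
        problems.append("last step is not the submit/login click; remove steps recorded after login")
    return problems


def typed_fields(side_json: str) -> list:
    """Targets of every 'type' command: their values sit in clear text in the .side file."""
    side = json.loads(side_json)
    return [c["target"] for t in side.get("tests", []) for c in t.get("commands", [])
            if c.get("command") == "type"]
```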
Starting the scan:
1) Add your target URL
This should be the URL of the landing page after authentication. Make sure you’re logged out of the target application before starting the scan.
2) Upload the recording
In the Recorded tab, upload the .side file you saved from Selenium IDE.
3) Check authentication
You can use the Check Authentication option or start a scan directly; however, we recommend first checking that the recording produces a successful login.
The authentication check can take a while to complete; do not leave or refresh the page while it is running. You will then see a screenshot of the application after login. If it looks correct, you can proceed with the scan.
Warning! The Check Authentication functionality is temporarily disabled when you scan from the Targets page, but the Start Scan option is still available. We recommend running this sort of scan directly from the Website Scanner tool page so you can properly check that the authentication was successful.
4) Start the Scan
Click “I am authorized to scan this target” then start your scan.
Need more info about Authenticated scans and why you should be performing this type of scan? Read our article in the Learning Center: