Our recorded login feature allows you to scan your web application behind login. To use recorded login, you need to record the login sequence using our Chrome extension, then upload it to your Detectify account. The scanner will then replay the sequence to log in during your scan.
A few things to keep in mind before you get started:
- Unless you want to login with Google Sign In, make sure you record your sequence in incognito mode. Recording in Incognito is preferred since it guarantees there are no previous actions in the browser (e.g. clicking "remember me", closing a cookie content pop-up and similar) that might influence the recording
- Don't use the admin login credentials if scanning a production environment as we will crawl and click on everything we find on our way
- Disallow the logout path so that we do not click it and log ourselves out. You can disallow the logout path in your Application Scan Settings under "Which paths/URLs must we avoid?"
- Conduct the login scenario slightly slower to allow us take screenshots throughout the flow
- Once logged in, you do not have to navigate around the platform - you can finalise the recording as soon as you're inside and the crawler will do the rest for you!
Troubleshooting information is available at the end of this article.
There is also an article containing technical documentation for the service handling Recorded Login, called Trails, here.
1. Install the Detectify Chrome Extension
To get started, install our Chrome extension.
When the extension is installed, you will see the Detectify icon in your address bar.
2. Record the login sequence
Navigate to your domain in Chrome and click on the Detectify icon in the address bar to open up the extension. In order to record the sequence like the scanner will execute it, open a new tab in incognito mode — this will make sure that any settings from existing cookies or sessions does not conflict with the recorded login sequence replay later. Also, make sure to open any new tabs before you start recording. When you are ready to record the sequence, click Start recording.
Navigate to your login page and log in the same way as you normally do.
3. Finalize the recording
When you have successfully logged in and the landing page has loaded properly, open up the extension again and select Finalize recording.
4. Review the recording
Clicking on Finalize recording will bring you to a review state where all the recorded requests are listed. You can deselect any steps that do not belong to the login scenario. When you are done, select Download to download a file with the recorded login sequence.
5. Upload and enable Recorded Login
You are now ready to upload the login sequence. To do this, log in to your Detectify account, select your scan profile and navigate to Scanning --> Application Scanning Authentication --> Recorded login --> Add Recorded Login file.
You will be prompted to upload the login sequence file. Once you have uploaded the file, click save.
6. Run a test!
Your login sequence is in place and you are ready to run a test! To check whether the scanner was able to log in successfully, look for the Recorded User Events Succeeded finding in your report.
If your report states Recorded User Events Succeeded, but the scan results are not what you were expecting (for example, if you received unexpected error responses in your Crawled URLs finding), the scanner might have logged out from your site during the crawling phase. To mitigate this issue, please disallow (avoid) all of your logout paths on the Scan Settings page.
If your report states Recorded User Events Failed, your sequence is not being replayed correctly. The most common reasons for this are the following:
1. You opened a new tab after you started the recording. This is typically indicated with the following error message:
> Trail error: Failed executing Commands on step 2 / n for Selenium 1.0 open
To correct this error, record a new login sequence without opening any new tabs while recording.
2. You didn't record the login sequence in incognito mode.
Existing cookies or sessions interfere with the way the site is rendered, making it not display certain content, such as banners or pop-ups for accepting cookies or signing up for newsletters etc. This results in the replay not being able to perform the same order of actions in the sequence since not all elements are readily available for interaction. This is typically indicated with one of the following error messages:
> Trail error: Failed executing Commands on step n / n for UserAction 1.0 mouseClick
> Trail error: Failed executing Commands on step n / n for UserAction 1.0 blur
> Trail error: Failed executing Commands on step n / n for UserAction 1.0 focus
> Trail error: Failed executing Commands on step n / n for UserAction 1.0 type
To correct these errors, record a new login sequence in incognito mode.
3. You have modified your site since the recorded login, and the scanner now interprets this as the wrong scan target. This is typically indicated with one of the following error messages:
> Trail error: Failed executing Sanity Checks step 1 / 2: Selenium 1.0 verifyTitle
> Trail error: Failed executing Sanity Checks step 1 / 2: Selenium 1.0 verifyURL
To correct these errors, either record a new login sequence or revert the changes made to your site.
In the Recorded User Events Failed finding, you will also find any screenshots generated during the login sequence that can help you in troubleshooting. For example, if the screenshots displays an error page, you might need to allow the scanner traffic to your site.