Complex web applications load pages and components dynamically, and an automated scanner must be able to handle this in order to authenticate against such a target. The Recorded method uses Selenium to record the user events performed while logging into the account used for scanning. This way you can record the authentication process and upload the recording to the Website Scanner.
Before starting the scan:
1) Install the Selenium IDE browser extension
The Recorded authentication method only works with Chrome or Firefox.
2) Log out of the target application
We recommend you log out of the target application before starting the scan. Make sure to save the URL of the landing page after authentication before logging out. This will be used as the target URL for the Website Scanner.
3) Enable “Allow in incognito”
Right-click the “Selenium IDE” extension > Manage Extensions > enable “Allow in incognito”.
This step is mandatory because the recording has to start in a clean environment, with no cookies or existing sessions.
4) Record and Save Authentication
Open a new tab in incognito mode and click on the extension. Choose “Record a new test in a new project” in the extension pop-up.
- Enter a Project name
- Enter the LOGIN URL as the Base URL
- Click Start Recording
- Go through the login process: enter username, enter password, click login, etc.
- Make sure to stop the recording (“Stop Recording” button) from the extension pop-up window (Selenium IDE) exactly after submitting the login form (for example, clicking Login) and your target has loaded. This ensures that no additional operations that are not part of the authentication process are stored in the recording. You can verify this by checking that the last recorded command is the click on the submit/login button.
You will see an overlay with “Selenium IDE is recording” until you click Stop Recording.
You will get prompted to name the test. Enter the name and then click Save Project.
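As an added example, not part of the scanner's documentation or its own code: a Python check you can run on the saved .side file before uploading it, to confirm the recording stops at the submit/login click and to see which fields hold credentials in clear text. The sample recording, its URL, locators and credential values are constructed placeholders.

```python
import json

# Constructed sample in Selenium IDE's .side (JSON) format. The URL, element
# locators and credential values are placeholders, not a real target.
SAMPLE_SIDE = json.dumps({
    "id": "proj-1", "version": "2.0", "name": "login-recording",
    "url": "https://app.example.test/login",
    "tests": [{"id": "t1", "name": "login", "commands": [
        {"id": "c1", "command": "open", "target": "/login", "value": ""},
        {"id": "c2", "command": "setWindowSize", "target": "1280x800", "value": ""},
        {"id": "c4", "command": "type", "target": "id=username", "value": "scan-user"},
        {"id": "c5", "command": "type", "target": "id=password", "value": "PLACEHOLDER-PASSWORD"},
        {"id": "c6", "command": "click", "target": "css=button[type=submit]", "value": ""},
        {"id": "c7", "command": "click", "target": "linkText=Reports", "value": ""},
    ]}],
    "suites": [], "urls": [], "plugins": [],
})

# Commands Selenium IDE records during an ordinary form login; anything else is
# normally an accidental extra step that should be removed before upload.
LOGIN_COMMANDS = {"open", "setWindowSize", "click", "type", "sendKeys", "mouseOver", "mouseOut"}

def check_recording(side_json: str) -> dict:
    """Inspect a .side recording and return problems to fix before uploading it."""
    side = json.loads(side_json)
    result = {"base_url": side.get("url", ""), "problems": [], "credential_fields": []}
    tests = side.get("tests", [])
    if len(tests) != 1:
        result["problems"].append(f"expected exactly one test, found {len(tests)}")
        return result
    commands = tests[0].get("commands", [])
    submit_idx = None
    for i, cmd in enumerate(commands):
        target = cmd.get("target", "").lower()
        if cmd["command"] not in LOGIN_COMMANDS:
            result["problems"].append(f"unexpected command {cmd['command']!r} on {cmd['target']}")
        # Typed values are stored in clear text, so a password locator means
        # the .side file itself holds a credential and must be kept secret.
        if cmd["command"] in ("type", "sendKeys") and "password" in target:
            result["credential_fields"].append(cmd["target"])
        if cmd["command"] == "click" and ("submit" in target or "login" in target):
            submit_idx = i
    # The recording has to stop right after the submit/login click; anything
    # after it is an extra step the scanner will replay on every login.
    if submit_idx is None:
        result["problems"].append("no submit/login click found")
    elif submit_idx != len(commands) - 1:
        extra = [c["command"] + " " + c["target"] for c in commands[submit_idx + 1:]]
        result["problems"].append(f"{len(extra)} command(s) after the login click: {extra}")
    return result
```

Run it against your own file with `check_recording(open("login.side").read())`; an empty `problems` list means the recording ends at the login click as step 4 requires.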
Starting the scan:
1) Add your target URL
This should be the URL of the landing page after authentication. Make sure you’re logged out of the target application before starting the scan.
2) Upload the recording
In the Recorded tab, upload the .side file you saved.
3) Check authentication
You can use the Check authentication option or start a scan directly; however, we recommend first checking that the recording produces a successful login.
Check authentication can take a while to complete; do not leave or refresh the page while it is running. You will then see a screenshot of the application after logging in; if it looks correct, you can proceed with the scan.
4) Start the Scan
Click “I am authorized to scan this target” then start your scan.