All Collections
Quick how to's!
Authentication
How to set up Target Authentication with a Login Form
How to set up Target Authentication with a Login Form

Learn how to configure Probely to scan behind your target's login page.

Nuno Loureiro avatar
Written by Nuno Loureiro
Updated over a week ago

If your website has areas that require authentication, you may provide Probely with credentials to log in to your website. By doing this, you're enabling Probely to run a scan that might reveal any vulnerabilities in deeper parts of your app.

It is recommended that you create a user for the tests since Probely will submit forms and click buttons, which might "pollute" the account.

After you've successfully added a target, you can follow these steps:

  1. Go to the login configuration of the target

  2. Add the URL of the login page

  3. Add your first Field Name and Field Value pair (usually email or username)

  4. Add your second Field Name and Field Value pair (usually password)

  5. (Optional) Add the Submit Button

  6. Save and Enable

This article describes these steps in detail.

Step 1: Go to the login configuration

In the Probely app, go to the login configuration of a target as follows:

  1. Select the TARGETS tab to see the list of targets.

  2. On the row of the target you wish to configure the login, click on the cogwheel to open its settings.

  3. Click on the AUTHENTICATION tab and click on the LOGIN FORM button to display the configuration form.

Step 2: Add the URL of the login page

Start by specifying the URL where the authentication process begins. Most of the time, this is the page URL where you enter the credentials.

If you are using a Single Sign-On or you need to visit a particular URL that redirects you to the page where the credentials are entered, you need to specify that initial URL.

Examples:

  • If your target's main page (https://example.com/) shows the form where the credentials are entered, the login form URL should be https://example.com/

  • If the path that shows the form is /login, the login form URL should be https://example.com/login

  • If a specific path, when the user is not logged in, redirects to another path or to a different URL to show the login form, the initial URL should be the initial one.

    • / or /login redirects to /login-page?redirectTo=%2fdashboard, the form login URL should be https://example.com/ or https://example.com/login, respectively

    • / or /login redirects to https://auth0.example.com, the form login URL should be https://example.com/ or https://example.com/login, respectively

Step 3: Add your first Field Name and Field Value pair (usually email or username)

The field name is the HTML "name" attribute of the particular field. Usually, it's "email" or "username". We also support the value of the ID attribute and the element CSS selector as well.

To see the name of a field, you need to Inspect the field (Right-click -> Inspect).

For the following example:

The field name could be: username, username_id, form.login-form input[type="email"] or #username_id.

The field value is the actual username or email (for example, [email protected] or ExampleUser1).

Step 4: Add your second Field Name and Field Value pair (usually password)

Once you click ADD, you can repeat the process to add more pairs of Field Name and Field Value. Here, you'd usually put the password field and value like you did to the username. If there are more pairs you need to set up when logging in, repeat this process as many times as needed.

Step 5: (Optional) Add the Submit Button

Optionally, you may want to identify the button that needs to be clicked to conclude the login process and submit the login form.
โ€‹
Generally, this is not necessary, but sometimes it can be very helpful.

For example, if the submit button is outside of your <form> tag, or especially if your login inputs are not inside a <form> tag, then the submit_button must be defined so that the right button is clicked.
For that, add a new field in the target settings, with submit_button in the name, and the respective button CSS selector in the value (it must be a CSS selector) as, for example, #login-form-container button[type="submit"].

Step 6: Save and Enable

Once you are done, click SAVE AND ENABLE, and you should be ready to start scanning!

You can disable/enable this authentication anytime with the Off/On toggle button or delete the configuration using the DELETE button.

Read the following articles to learn more about other authentication schemes for your targets:

Did this answer your question?