If your website has areas that require authentication, you may provide Probely with credentials to log in to your website. By doing this, you're enabling Probely to run a scan that might reveal any vulnerabilities in deeper parts of your app.
It is recommended that you create a user for the tests since Probely will submit forms and click buttons, which might "pollute" the account.
After you've added a successfully verified target, you can follow these steps:
Step 1: Go to your target Settings
On your target settings, access the AUTHENTICATION tab, locate the LOGIN CONFIGURATION section, and expand LOGIN FORM:
Step 2: Add the URL of the login page
Specify the URL where you start the authentication process. Most of the time, this is the URL of the page where you enter the credentials.
If you are using a Single Sign-On or you need to visit a particular URL that redirects you to the page where the credentials are entered, you need to specify that initial URL.
Examples:
If your target's main page (
https://example.com/
) shows the form where the credentials are entered, the login form URL should behttps://example.com/
If the path that shows the form is
/login
, the login form URL should behttps://example.com/login
If a specific path, when the user is not logged in, redirects to another path or to a different URL to show the login form, the initial URL should be the initial one.
/
or/login
redirects to/login-page?redirectTo=%2fdashboard
, the form login URL should behttps://example.com/
orhttps://example.com/login
, respectively/
or/login
redirects tohttps://auth0.example.com
, the form login URL should behttps://example.com/
orhttps://example.com/login
, respectively
Step 3: Add your first Field Name and Value (usually email or username)
The field name is the HTML "name" attribute of the particular field. Usually, it's "email" or "username". We also support the value of the ID attribute and the element CSS selector as well.
To see the name of a field, you need to Inspect the field (Right-click -> Inspect).
For the following example:
The field name could be: username
, username_id
, form.login-form input[type="email"]
or #username_id
.
The field value is the actual username or email (for example, [email protected] or ExampleUser1).
Step 4: Add your second Field Name and Value (usually password)
Once you click add, you will get two more fields to fill out. Here, you'd usually put the password field and value the same way you did to the username.
Step 5: (Optional) Add the Submit Button
Optionally, you may want to identify the button that needs to be clicked to conclude the login process and submit the login form.
Generally, this is not necessary, but sometimes it can be very helpful.
For example, if the submit button is outside of your <form>
tag, or especially if your login inputs are not inside a <form>
tag, then the submit_button
must be defined so that the right button is clicked.
For that, add a new field in the target settings, with submit_button
in the name, and the respective button CSS selector in the value (it must be a CSS selector) as, for example, #login-form-container button[type="submit"]
.
Step 6: Save
Once you are done, click SAVE, and you should be ready to start scanning!
Alternatively, if your application has a multi-step login (if you need to follow several steps in order to log in), you should use the "login sequence" option instead. Learn more about it here.