All Collections
Quick how to's!
Authentication
How to set up Target Authentication (Login Form)
How to set up Target Authentication (Login Form)

How to configure Probely to scan behind your target's login page?

Nuno Loureiro avatar
Written by Nuno Loureiro
Updated over a week ago

If your website has areas that require authentication, you may provide Probely with credentials to log in to your website. By doing this, you're enabling Probely to run a scan that might reveal any vulnerabilities in deeper parts of your app.

It is recommended that you create a user for the tests since Probely will submit forms and click buttons, which might "pollute" the account.

After you've added a successfully verified target, you can follow these steps:

Step 1: Go to your target Settings

On your target settings, access the AUTHENTICATION tab, locate the LOGIN CONFIGURATION section, and expand LOGIN FORM:

Step 2: Add the URL of the login page

Specify the URL where you start the authentication process. Most of the time, this is the URL of the page where you enter the credentials.

If you are using a Single Sign-On or you need to visit a particular URL that redirects you to the page where the credentials are entered, you need to specify that initial URL.

Examples:

  • If your target's main page (https://example.com/) shows the form where the credentials are entered, the login form URL should be https://example.com/

  • If the path that shows the form is /login, the login form URL should be https://example.com/login

  • If a specific path, when the user is not logged in, redirects to another path or to a different URL to show the login form, the initial URL should be the initial one.

    • / or /login redirects to /login-page?redirectTo=%2fdashboard, the form login URL should be https://example.com/ or https://example.com/login, respectively

    • / or /login redirects to https://auth0.example.com, the form login URL should be https://example.com/ or https://example.com/login, respectively

Step 3: Add your first Field Name and Value (usually email or username)

The field name is the HTML "name" attribute of the particular field. Usually, it's "email" or "username". We also support the value of the ID attribute and the element CSS selector as well.

To see the name of a field, you need to Inspect the field (Right-click -> Inspect).

For the following example:

The field name could be: username, username_id, form.login-form input[type="email"] or #username_id.

The field value is the actual username or email (for example, [email protected] or ExampleUser1).

Step 4: Add your second Field Name and Value (usually password)

Once you click add, you will get two more fields to fill out. Here, you'd usually put the password field and value the same way you did to the username.

Step 5: (Optional) Add the Submit Button

Optionally, you may want to identify the button that needs to be clicked to conclude the login process and submit the login form.

Generally, this is not necessary, but sometimes it can be very helpful.

For example, if the submit button is outside of your <form> tag, or especially if your login inputs are not inside a <form> tag, then the submit_button must be defined so that the right button is clicked.
For that, add a new field in the target settings, with submit_button in the name, and the respective button CSS selector in the value (it must be a CSS selector) as, for example, #login-form-container button[type="submit"].

Step 6: Save

Once you are done, click SAVE, and you should be ready to start scanning!

Alternatively, if your application has a multi-step login (if you need to follow several steps in order to log in), you should use the "login sequence" option instead. Learn more about it here.

Did this answer your question?