If your website has areas that require authentication, you may provide Probely with credentials to log in to your website. By doing this, you're enabling Probely to run a scan that might reveal any vulnerabilities in deeper parts of your app.
It is recommended that you create a user for the tests since Probely will submit forms and click buttons, which might "pollute" the account.
After you've successfully added a target, you can follow these steps:
Go to the login configuration of the target
Add the URL of the login page
Add your first Field Name and Field Value pair (usually email or username)
Add your second Field Name and Field Value pair (usually password)
(Optional) Add the Submit Button
Save and Enable
This article describes these steps in detail.
Step 1: Go to the login configuration
In the Probely app, go to the login configuration of a target as follows:
Select the TARGETS tab to see the list of targets.
On the row of the target whose login you wish to configure, click the cogwheel to open its settings.
Click on the AUTHENTICATION tab and click on the LOGIN FORM button to display the configuration form.
Step 2: Add the URL of the login page
Start by specifying the URL where the authentication process begins. Most of the time, this is the page URL where you enter the credentials.
If you use Single Sign-On, or if you need to visit a particular URL that redirects you to the page where the credentials are entered, specify that initial URL.
Examples:
If your target's main page (https://example.com/) shows the form where the credentials are entered, the login form URL should be https://example.com/
If the path that shows the form is /login, the login form URL should be https://example.com/login
If a specific path, when the user is not logged in, redirects to another path or to a different URL to show the login form, the login form URL should be the initial path, not the one it redirects to:
If / or /login redirects to /login-page?redirectTo=%2fdashboard, the login form URL should be https://example.com/ or https://example.com/login, respectively
If / or /login redirects to https://auth0.example.com, the login form URL should be https://example.com/ or https://example.com/login, respectively
Step 3: Add your first Field Name and Field Value pair (usually email or username)
The field name is the HTML "name" attribute of the particular field. Usually, it's "email" or "username". The value of the ID attribute and a CSS selector for the element are also supported.
To see the name of a field, inspect it in your browser (right-click -> Inspect).
For the following example, the field name could be username, username_id, form.login-form input[type="email"], or #username_id.
The field value is the actual username or email (for example, [email protected] or ExampleUser1).
Step 4: Add your second Field Name and Field Value pair (usually password)
Once you click ADD, you can repeat the process to add more pairs of Field Name and Field Value. Here, you'd usually put the password field name and value, as you did for the username. If more pairs need to be set up when logging in, repeat this process as many times as needed.
Step 5: (Optional) Add the Submit Button
Optionally, you may want to identify the button that needs to be clicked to conclude the login process and submit the login form.
Generally, this is not necessary, but sometimes it can be very helpful.
For example, if the submit button is outside of your <form> tag, or especially if your login inputs are not inside a <form> tag, then the submit_button must be defined so that the right button is clicked.
For that, add a new field in the target settings, with submit_button in the name, and the respective button CSS selector in the value (it must be a CSS selector) as, for example, #login-form-container button[type="submit"].
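As an added example (not Probely's code and not part of the original article), the following Python script reads a login page's HTML and, for each credential input, lists the Field Name forms that Step 3 accepts (name attribute, id attribute, CSS selector). It also applies the rule from Step 5: when the inputs or the submit button sit outside a <form>, it flags that submit_button must be configured and proposes a selector. The HTML pages are constructed for the example; the selector-building rule (nearest ancestor with an id, otherwise the nearest one with a class) is an assumption of this script, not Probely's logic.

```python
"""Suggest Probely login-form settings (Field Name, submit_button) from a page's HTML.
Added example; the HTML samples are constructed and the selector rules are assumptions."""
import json
from html.parser import HTMLParser

VOID_TAGS = {"input", "img", "br", "hr", "meta", "link"}   # elements that have no end tag
CREDENTIAL_TYPES = {"text", "email", "password"}           # inputs that carry credentials


class LoginFormInspector(HTMLParser):
    """Collect every <input> and <button> together with a snapshot of its ancestors."""

    def __init__(self):
        super().__init__()
        self.stack = []    # currently open ancestors, outermost first: (tag, attrs)
        self.fields = []   # one dict per input/button found

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("input", "button"):
            default_type = "submit" if tag == "button" else "text"   # HTML defaults
            self.fields.append({
                "tag": tag,
                "name": a.get("name"),
                "id": a.get("id"),
                "type": (a.get("type") or default_type).lower(),
                "ancestors": list(self.stack),
            })
        if tag not in VOID_TAGS:
            self.stack.append((tag, a))

    def handle_endtag(self, tag):
        # Pop back to the matching open element; tolerates unclosed tags.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                return


def enclosing_form(field):
    """Attributes of the nearest enclosing <form>, or None if the element is outside any form."""
    for tag, a in reversed(field["ancestors"]):
        if tag == "form":
            return a
    return None


def scoped_selector(field):
    """CSS selector scoped by the nearest ancestor that has an id or a class (assumed rule),
    e.g. 'form.login-form input[type="email"]' or '#login-form-container button[type="submit"]'."""
    prefix = ""
    for tag, a in reversed(field["ancestors"]):
        if a.get("id"):
            prefix = f"#{a['id']} "
            break
        if a.get("class"):
            prefix = f"{tag}.{a['class'].split()[0]} "
            break
    return f'{prefix}{field["tag"]}[type="{field["type"]}"]'


def css_selector(field):
    """Prefer the element's own id; fall back to an ancestor-scoped selector."""
    return f"#{field['id']}" if field["id"] else scoped_selector(field)


def field_name_options(field):
    """Every form of 'Field Name' the article accepts: name, id, CSS selector, #id."""
    options = []
    if field["name"]:
        options.append(field["name"])
    if field["id"]:
        options.append(field["id"])
    options.append(scoped_selector(field))
    if field["id"]:
        options.append(f"#{field['id']}")
    return options


def inspect_login_page(html):
    """Return the suggested Field Name values and whether submit_button must be set."""
    parser = LoginFormInspector()
    parser.feed(html)
    inputs = [f for f in parser.fields if f["tag"] == "input" and f["type"] in CREDENTIAL_TYPES]
    submits = [f for f in parser.fields if f["type"] == "submit"]
    # Step 5 of the article: submit_button is needed when inputs or the button are not inside a <form>.
    outside_form = any(enclosing_form(f) is None for f in inputs + submits)
    return {
        "fields": {f["name"] or f["id"]: field_name_options(f) for f in inputs},
        "submit_button_required": outside_form,
        "submit_button": css_selector(submits[0]) if submits else None,
    }


# Constructed sample: the submit button lives outside the <form>, the case the article calls out.
SAMPLE_BUTTON_OUTSIDE_FORM = """
<html><body>
<div id="login-form-container">
  <form class="login-form" action="/login" method="post">
    <input type="email" name="username" id="username_id">
    <input type="password" name="password" id="password_id">
    <input type="hidden" name="csrf_token" value="constructed-sample">
  </form>
  <button type="submit">Sign in</button>
</div>
</body></html>
"""

# Constructed sample: everything inside one <form>, so submit_button is optional.
SAMPLE_BUTTON_INSIDE_FORM = """
<form id="login">
  <input name="user" type="text">
  <input name="pass" type="password">
  <button id="login-btn" type="submit">Log in</button>
</form>
"""

if __name__ == "__main__":
    print(json.dumps(inspect_login_page(SAMPLE_BUTTON_OUTSIDE_FORM), indent=2))
```

Run it against the first sample and the username input yields exactly the four Field Name forms the article lists (username, username_id, form.login-form input[type="email"], #username_id), while the out-of-form button produces submit_button_required = true with the selector #login-form-container button[type="submit"]. Before saving a configuration, paste the chosen selector into the browser console as document.querySelectorAll(selector) and confirm it matches exactly one element.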
Step 6: Save and Enable
Once you are done, click SAVE AND ENABLE, and you should be ready to start scanning!
You can disable/enable this authentication anytime with the Off/On toggle button or delete the configuration using the DELETE button.
Read the following articles to learn more about other authentication schemes for your targets: