In targets with authentication, Probely scans must log in to reach areas reserved for authenticated users to scan them for vulnerabilities.
The problem
When running scans on a target with a login form, Probely fails to log in.
Troubleshoot the problem
To troubleshoot this problem, go through the following steps to identify the possible causes and respective solutions to fix it.
Step 1: Test the current credentials
Test if the current credentials configured in the target settings are still valid, as follows:
In the Probely app, go to the TARGETS tab.
Identify the target in the list and click on the cogwheel to open its settings.
In the AUTHENTICATION tab, check the LOGIN FORM configuration, get the URL of the login form, and the current login credentials.
Open a browser and type the target’s login URL.
Log in with the current credentials.
If the login fails, check the following possible causes and apply the respective solution:
| Cause | Solution |
|---|---|
| The credentials are invalid. | Obtain valid login credentials and update them in the target settings. Learn more about How to set up Target Authentication with a Login Form. |
| The credentials expired. | Obtain new login credentials and update them in the target settings. Learn more about How to set up Target Authentication with a Login Form. |
Step 2: Test the login flow
Test if the login flow is still a login form, as follows:
Open a browser and type the target’s login URL.
If the login flow is not a simple login form, the target authentication fails.
Check the following possible causes and apply the respective solution:
| Cause | Solution |
|---|---|
| The login flow is not a login form but a complex login (e.g., a multi-step login). | Configure the target authentication to use a login sequence, which supports complex logins. Learn more about How to set up Target Authentication with a Login Sequence. |
Step 3: Check the field names
Check the values configured as field names in the target authentication with a login form, as follows:
In the Probely app, go to the TARGETS tab.
Identify the target in the list and click on the cogwheel to open its settings.
In the AUTHENTICATION tab, go to the LOGIN FORM configuration to see the configured field names (typically, one for the username and another for the password).
Open a browser and type the target’s login URL.
Right-click and select Inspect to see the attributes of the input fields on the login form.
In the LOGIN FORM configuration, check whether each value set in the field names is a valid “id”, “name”, or CSS selector that identifies the corresponding input field in the login form.
If the values configured in the field names are not valid, Probely scans cannot authenticate.
Check the following possible causes, and apply the respective solution:
| Cause | Solution |
|---|---|
| The value configured in a field name is not a valid “id”, “name”, or CSS selector that identifies that input field in the login form. | Go to the target authentication settings and set the value of the field name to the “id”, “name”, or CSS selector that uniquely identifies that input field in the login form. Learn more about How to set up Target Authentication with a Login Form. |
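The manual checks in Step 2 (is the login still a plain form?) and Step 3 (do the configured field names resolve to exactly one input?) can be scripted against the saved HTML of the login page. The script below is an added example and is not part of Probely's product or documentation. It assumes a constructed sample login page, treats "a form containing both a username-like input and a password input" as the heuristic for a plain login form, and supports only a small CSS subset (`#id`, `[name=...]`, optionally prefixed with `input`) plus bare id or name values; anything beyond that subset is an assumption not covered here.

```python
import re
from html.parser import HTMLParser

# Constructed sample login page; not taken from any real target.
SAMPLE_LOGIN_PAGE = """
<html><body>
<form id="login" action="/session" method="post">
  <input type="text" id="user" name="username" placeholder="Email">
  <input type="password" id="pass" name="password">
  <input type="hidden" name="csrf_token" value="PLACEHOLDER_TOKEN">
  <button type="submit">Sign in</button>
</form>
</body></html>
"""


class _InputCollector(HTMLParser):
    """Collects <input> elements and records whether each sits inside a <form>."""

    def __init__(self):
        super().__init__()
        self.inputs = []
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self._in_form = True
        elif tag == "input":
            a = dict(attrs)
            self.inputs.append({
                "type": (a.get("type") or "text").lower(),  # HTML default type is text
                "id": a.get("id"),
                "name": a.get("name"),
                "in_form": self._in_form,
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def collect_inputs(html):
    """Parse the page and return the list of <input> descriptors."""
    parser = _InputCollector()
    parser.feed(html)
    return parser.inputs


def classify_login_flow(html):
    """Heuristic (assumption): a form with a username-like input and a password
    input is a plain login form; a username-only first page suggests a multi-step
    flow that needs a login sequence instead."""
    inputs = [i for i in collect_inputs(html) if i["in_form"]]
    has_password = any(i["type"] == "password" for i in inputs)
    has_username = any(i["type"] in ("text", "email", "tel") for i in inputs)
    if has_password and has_username:
        return "login_form"
    if has_username and not has_password:
        return "multi_step"
    return "unknown"


# Small CSS subset: "#id", "[name=value]", with an optional "input" prefix.
_SELECTOR_RE = re.compile(
    r'^(?:input)?(?:#(?P<id>[\w-]+)|\[name=["\']?(?P<name>[^"\'\]]+)["\']?\])$'
)


def match_field(inputs, value):
    """Return the inputs that a configured field-name value resolves to.
    Accepts the CSS subset above or a bare id / bare name."""
    m = _SELECTOR_RE.match(value.strip())
    if m and m.group("id"):
        return [i for i in inputs if i["id"] == m.group("id")]
    if m and m.group("name"):
        return [i for i in inputs if i["name"] == m.group("name")]
    return [i for i in inputs if value == i["id"] or value == i["name"]]


def check_field_config(html, username_field, password_field):
    """Report, per configured field name, whether it matches exactly one input
    ("unique"), several ("ambiguous"), or none ("missing")."""
    inputs = collect_inputs(html)
    report = {}
    for label, value in (("username", username_field), ("password", password_field)):
        hits = match_field(inputs, value)
        report[label] = "unique" if len(hits) == 1 else ("ambiguous" if hits else "missing")
    return report


if __name__ == "__main__":
    print(classify_login_flow(SAMPLE_LOGIN_PAGE))
    # A stale password field name ("passwd") is reported as missing.
    print(check_field_config(SAMPLE_LOGIN_PAGE, "#user", "passwd"))
```

Run it against the HTML saved from the browser's Inspect view of the real login page; a "missing" or "ambiguous" result for either field is the Step 3 cause, and a "multi_step" classification points at Step 2's login-sequence solution.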
Step 4: Test for a blocking WAF
Test if there is a WAF blocking access to the authentication page with the login form as follows:
Open a browser in incognito mode and type the target’s URL.
Go to the authentication page with the login form.
If a WAF blocks access to the authentication page with the login form, Probely scans cannot authenticate.
Check the following possible causes and apply the respective solution:
| Cause | Solution |
|---|---|
| A WAF is blocking access to the authentication page with the login form. | Add Probely’s IPs to the WAF’s whitelist. Learn more about How to configure Probely’s IPs in WAFs. |
After following these steps, identifying the causes, and applying the respective solutions, scans should be able to log in to your target.
Learn more about this subject in the following articles: