Getting Started

Scan with Login Sequence

Authenticated Scan

ZeroThreat Chrome Extension supports authenticated scans using Login Sequences to access and analyze parts of your web application that require user login. This ensures full coverage, including protected pages, user dashboards, admin panels, and any other content behind a login screen.

This extension simplifies the process of capturing a login sequence. By recording your interactions during login, ZeroThreat ensures these workflows are replicated during scanning, allowing the scanner to access and test all areas of your application.

Using the Chrome Extension to record a login sequence is a straightforward process. It involves selecting your target application, navigating through the login process, and tagging the necessary actions (like login, logout, and authenticated requests). Once recorded, this sequence can be used to perform an authenticated scan, ensuring a comprehensive assessment of your application’s security.


How to perform an Authenticated Scan with a Login Sequence?

Before you start
Ensure that the latest version of the ZeroThreat Chrome Recorder extension is installed in your Chrome browser.

1. Select Your Target

  • From the ZeroThreat dashboard, click Scan the Target and choose the web application you wish to scan. Next, change the scanning server if required.
[Screenshot: Scan the Target]

2. Under the Authenticated Scan Section

  • Now, under the Scan Method, click the Start New Authenticated Scan button. This will launch your target web application in a new tab, along with the ZeroThreat Recorder Chrome window.
[Screenshot: Dashboard]

Minimize the Recorder Window
You can minimize the Recorder window, but keep it open throughout the process.

Visit Troubleshooting: Extension Not Opening if the extension doesn't open automatically in a new tab along with the target.

3. Configure the Recorder

  • Once the extension is loaded, start by clicking on the Stored Sequence Authentication button. This feature allows ZeroThreat to store and replay your authentication details, making it ideal for scheduled scans and DevOps automation.
[Screenshot: Choose Scan Authentication Method]

  • Next, you’ll have two options: Full Scan or Scan Navigation Sequence Only. A Full Scan covers the entire web application, while a navigation-sequence-only scan focuses solely on the pages you visit during recording.
[Screenshot: Choose Scan Type]

  • Click the Start Recording button to begin recording. The ZeroThreat Recorder will capture all your actions as you interact with the application.
[Screenshot: Sequence Recording Started]

4. Login and Navigate the target application

  • Now log in to the target application using your credentials.
[Screenshot: Login]

  • After logging in, navigate to a few authenticated areas of the target application. The Recorder will capture all these actions, which are crucial for scanning protected sections of the app.

[Screenshot: Authenticated Section]

Avoid performing any non-essential actions during this session to ensure only relevant interactions are recorded.

  • Once you have navigated a few authenticated sections, log out of the target application.

[Screenshot: Logout]

  • Click Stop Recording to stop the recording.

5. Configure the Template Information

After stopping, an overview and configuration page for the template will open.

[Screenshot: Review Recorded Template Information]

Here configure the following:

  • Name the Template: Assign a meaningful name to your recording for easy reference later.
[Screenshot: Authentication Sequence Name]

  • Choose the Content Rendering Type: Select whether the application uses server-side rendering (e.g., WordPress, PHP, ASP.NET) or client-side rendering (e.g., Angular, React, Vue).
[Screenshot: Rendering Engine Type]

  • Optionally, exclude certain hosts from being scanned. This is useful for skipping hosts with sensitive data or third-party integrations.
[Screenshot: Allowed Hosts]

  • The next step is Authentication Page Marking. By default, ZeroThreat automatically marks: one request for login, one for an authenticated page, and one for logout. This helps the scanner perform more thorough scanning.
[Screenshot: Authentication Page Marking]

  • If needed, switch to the Custom option to manually tag these requests yourself:
    • First, select the login request as "Login".
      [Screenshot: Tag Login Request]

    • Then, select any request accessible only after login as "Authorized".
      [Screenshot: Tag Authenticated Request]

    • Lastly, select the logout request as "Logout". If you don’t see the logout request, you can also mark the page from which the logout action was performed. In our case, we logged out from the batch-management page, so we mark that as Logout.
      [Screenshot: Tag Logout Request]

If your logout endpoint doesn’t show up in the recorded requests, don’t worry. Simply mark the last request from the page where you logged out of your application. This ensures proper tracking of the session flow.

6. Review and Finalize the Recorded Data

After reviewing the recording information, you will have two options.

[Screenshot: Save Template]

  • Click Save and Exit to store the recording sequence for later use.
  • Click Save and Start Scan to launch the scan immediately using your selected scan server.

7. Monitor the Scan

The scan will start immediately, and you can track its progress and view results in the Scans or Recent Scans section of the ZeroThreat portal.

[Screenshot: Recent Scans]


Tips & Cautions

  • Accurate Tagging: Be sure to correctly tag the login, authenticated, and log-out HTTP requests. This ensures that the scanner performs a complete and accurate scan of all protected areas.
  • Avoid Non-Essential Actions: During the recording session, refrain from interacting with any part of the application that isn’t relevant to the authentication flow. This keeps your recorded data focused and clean.
  • Sensitive Data Handling: If your application interacts with third-party services or contains sensitive data, review and adjust the recorded HTTP requests carefully to avoid scanning external or protected resources unintentionally.
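A quick consistency check you can run on a recorded sequence before saving the template, covering the tagging steps in step 5 and the tips above. This is an added example, not ZeroThreat's own code: the Recorder's template format is not documented on this page, so the recording is modelled as a constructed HAR-like list of requests carrying the three tags the page describes, and the request/host names are made up.

```python
# Added example (not ZeroThreat code): the recorder's template format is not
# documented here, so a recording is modelled as a constructed HAR-like list.
from dataclasses import dataclass, field
from urllib.parse import urlparse

@dataclass
class Request:
    method: str
    url: str
    status: int
    req_cookies: dict = field(default_factory=dict)  # cookies the browser sent
    set_cookies: dict = field(default_factory=dict)  # cookies the response set
    tag: str = ""  # "Login", "Authorized", "Logout" or "" for untagged

def check_template(seq, allowed_hosts):
    """Return a list of problems; an empty list means the tags look consistent."""
    problems = []
    tagged = {t: [i for i, r in enumerate(seq) if r.tag == t]
              for t in ("Login", "Authorized", "Logout")}
    for t, idx in tagged.items():
        if len(idx) != 1:
            problems.append(f"expected exactly one {t} request, found {len(idx)}")
    if problems:
        return problems
    li, ai, lo = (tagged[t][0] for t in ("Login", "Authorized", "Logout"))
    if not li < ai < lo:
        problems.append("tags out of order: Login, then Authorized, then Logout")
    session = set(seq[li].set_cookies)  # session established by the login response
    if not session:
        problems.append("Login response set no cookie; scanner cannot carry a session")
    elif not session & set(seq[ai].req_cookies):
        problems.append("Authorized request does not send the cookie set at login")
    for r in seq:  # tagged requests must stay inside the allowed hosts
        host = urlparse(r.url).hostname
        if r.tag and host not in allowed_hosts:
            problems.append(f"{r.tag} request targets excluded host {host}")
    return problems

# Constructed recording: login page, login POST, dashboard, CDN asset, logout.
SESSION = {"session": "<opaque-value>"}
RECORDED = [
    Request("GET", "https://app.example.test/login", 200),
    Request("POST", "https://app.example.test/login", 302, set_cookies=SESSION, tag="Login"),
    Request("GET", "https://app.example.test/dashboard", 200, req_cookies=SESSION, tag="Authorized"),
    Request("GET", "https://cdn.example.test/app.js", 200),
    Request("GET", "https://app.example.test/logout", 302, req_cookies=SESSION, tag="Logout"),
]
ALLOWED_HOSTS = {"app.example.test"}  # the CDN host is deliberately excluded
```

Calling `check_template(RECORDED, ALLOWED_HOSTS)` returns an empty list for the constructed recording; drop the Logout tag or strip the session cookie from the Authorized request and it names the problem.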

Does your application use complex authentication mechanisms such as SSO, CAPTCHA, OTP and more? Check out our guide on Scan MFA App for more advanced security testing.