When adding a form-based authentication it is best to visit the target login page (the page where your login form exists), as this is where most of the information we need to gather can be found.
Entrypoint URL
The entrypoint URL tells the scanner where it should start all of its crawling and scanning from. Most often this will be the root of your web application, which in our example would be http://178.79.154.6/. Please note that there is no path associated with the URL, just a / on the end, which you should include if you want the full application to be scanned.
There are times when you won't want to scan from the root of the application, instead you might want to scan a subset. For example, when you have multiple applications running on the same target, but which live at different paths. For our example:
http://178.79.154.6/DVWA/
http://178.79.154.6/MyOtherApp/
http://178.79.154.6/SecretApp/
In this case, you would want to add 3 separate authentications, each using one of the paths in the list as its entrypoint URL.
Login Page URL
The Login Page URL is the URL at which your login form can be found. In this example our login page is at http://178.79.154.6/DVWA/login.php (which can be seen in the URL bar at the top of the following screenshot):
Login Request URL
This is the URL to which your application sends the data that users have entered into the form. This can be found by right-clicking on the form (such as on the username field), and then selecting Inspect:
You are looking for the form tag which encloses the username and password fields on your login form. The form tag will have an action attribute, and the value of that attribute is what you're looking for. In our example the value is login.php, which can be seen below:
In our example, login.php is the value of the form's action. We need to add the prefix that we made a note of in our Login Page URL section above, so the value we need to enter into our Login Request URL field is http://178.79.154.6/DVWA/login.php. A relative action value like this is resolved against the Login Page URL in the same way a browser resolves a relative link. You may notice that this is the same as our Login Page URL from the previous section; this may not be the case in your app.
Logout URL
The easiest way to find this is to log in to the application and find the Logout button on your page (it may say Log Out or Sign Out or something similar). If you hover over the button you'll see the Logout URL at the bottom of your page; you can also right-click and 'Save link address', then paste it into Intruder.
If that's not working, you can right-click on the logout button and click on Inspect:
In our example the Logout URL is set to logout.php, but it needs to be fully qualified by adding the path of the current page in front of it, giving http://178.79.154.6/DVWA/logout.php, which you can see in the screenshot above:
Note that if you have a Logout URL that includes query parameters (e.g. http://www.example.com/login?action=logout), then we would recommend always including the Logged In Pattern (optional) parameter.
Logged In Pattern
In our example above an appropriate value for the Logged In Pattern would be Logout, as it appears on every page when a user is authenticated. Choose a string that only appears while authenticated (and not on the login page itself), so the scanner can reliably tell when its session has expired and it needs to log in again.
Username Field
Log out of the application and go to your Login Page URL, then right-click on the username field:
You are looking for the value of the name attribute of the username input, which in our example is username. When you mouse over the input element in the source code it should highlight the username text entry box on your screen.
Password Field
If you're not already there, go to your Login Page URL and right-click on the password field:
You are looking for the value of the name attribute of the password input, which in our example is password; it could be named something different in your app. When you mouse over the input element in the source code it should highlight the password text entry box on your screen. Additionally, the password field is usually set to type="password":
CSRF Token Field
Anti-CSRF tokens are usually found in forms which submit data to the application, but it is possible that your application doesn't have an anti-CSRF token at all.
Anti-CSRF tokens will usually have the following properties:
It will be an input field in the same form as your login fields.
The input field will have a type attribute set to "hidden", which you can see in our example below as type="hidden".
The input will have a value attribute, and that value will usually be a long random block of text.
The input will have a name attribute, but there is no specification which dictates what the name should be; it can be anything. However, the name may include the term csrf, authenticity, verification or token.
In our example below you can see the field that fits all these properties is the user_token field, and this is our CSRF Token Field:
Additional Parameters
While searching your form you may find additional input fields. For example, when you view the Intruder Portal login form you will see another input field with the name commit and the value set to Log in, which can be seen below:
You need to add these fields to the Additional parameters section when adding your authentication. If you don't, your authentication may fail. So, for the Intruder Portal login form we would need to add the following to our authentication:
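To tie the Login Request URL, Username Field, Password Field, CSRF Token Field and Additional Parameters sections together, here is an added Python example (not Intruder's own code) that reads a login page's HTML and derives those settings using the rules described above. The HTML sample is constructed to resemble the DVWA form, and the CSRF name hints and 16-character minimum token length are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin
# Constructed sample resembling the DVWA login form discussed on this page.
LOGIN_PAGE_URL = "http://178.79.154.6/DVWA/login.php"
LOGIN_HTML = """
<form action="login.php" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="user_token" value="3f9a1c7d2e8b4a6f9d0c1b2a3e4f5a6b">
  <input type="submit" name="Login" value="Login">
</form>
"""
CSRF_HINTS = ("csrf", "authenticity", "verification", "token")  # assumption


class LoginFormParser(HTMLParser):
    # Collects the action and the named inputs of the first <form> on the page.
    def __init__(self):
        super().__init__()
        self.action, self.inputs, self._in_form = None, [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self._in_form, self.action = True, a.get("action") or ""
        elif tag == "input" and self._in_form and a.get("name"):
            self.inputs.append((a["name"], (a.get("type") or "text").lower(),
                                a.get("value") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def auth_settings(login_page_url, html):
    """Return the scanner settings: request URL, field names, extra params."""
    p = LoginFormParser()
    p.feed(html)
    # A relative action is resolved against the Login Page URL, as a browser would.
    s = {"login_request_url": urljoin(login_page_url, p.action or ""),
         "username_field": None, "password_field": None,
         "csrf_token_field": None, "additional_parameters": {}}
    for name, typ, value in p.inputs:
        is_csrf = (typ == "hidden" and len(value) >= 16
                   and any(h in name.lower() for h in CSRF_HINTS))
        if typ == "password" and s["password_field"] is None:
            s["password_field"] = name
        elif is_csrf and s["csrf_token_field"] is None:
            s["csrf_token_field"] = name
        elif typ in ("text", "email") and s["username_field"] is None:
            s["username_field"] = name
        else:  # submit buttons and other hidden inputs: add as parameters
            s["additional_parameters"][name] = value
    return s
```

Every name left in additional_parameters (such as the submit button) is one the form would send, so it must be entered in the Additional parameters section or the login may fail.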
Username & Password
Both of these are mandatory. They should be the values that you have configured for your user in your application.