
How to add a recorded login

An automated alternative for adding authentication credentials to Intruder

Written by Naomi Purvis

⚠️ Important: If using admin credentials, it is recommended to exercise caution

💡 Tip: Record in an incognito tab, using Developer Tools in the latest version of Google Chrome.

💡 Tip: Start the recording on a blank tab before you visit the webpage.

ℹ️ Note: If your login button is accessible via hover, you'll need to start the recording from the login page itself.



Benefits of using recorded login

  • Can be used for form-based, session-based, and header-based authentication

  • Supports web apps with SSO (excluding Google SSO – due to MFA being enforced)

  • Supports apps where authentication is handled by a different domain



How to generate the file

  1. Open an incognito window in Google Chrome

  2. Go to your target domain (in this case, we're using intruder.io)

  3. Click on the settings icon (ellipsis) in the top right corner > click More tools > Developer tools:

  4. If you don't see Recorder in the top navigation, click the ellipsis (...) > More tools > Recorder

  5. Click Create a new recording:

  6. Give the file a name (in this case, we've chosen 'Login file 1') > Hit Start recording:

  7. Log in using the credentials of your chosen user (make sure it's not an admin). If you have any cookie warnings, make sure to accept them before logging in, too!

  8. Once you've logged in, hit End recording:

  9. At this point, we highly recommend replaying the recording in an incognito window to ensure that it worked as expected. To do that, open a new incognito window, then ellipsis > More tools > Developer tools > Recorder (as above). Once there, you should see your file > Press play.

  10. Once you're happy with the recording, you can export as JSON:
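The file exported in step 10 is the DevTools Recorder's own JSON format: a title plus a list of steps (setViewport, navigate, click, change, keyDown and so on). The script below is an added example, not Intruder's or Chrome's code, that sanity-checks an export before you upload it: that the first action is the navigate from a blank tab (the tip at the top of this article), that credentials were actually typed, and which hosts the flow touched (the extra ones are candidates for the Allowed Domains section). It also produces a redacted copy, because the password you typed sits in the exported file in clear text. The sample export, its host names and the credentials in it are constructed.

```python
"""Sanity-check a Chrome DevTools Recorder export before uploading it as a
recorded login. Added example; it is not Intruder's or Chrome's code. Assumed:
the export is the Recorder's JSON format, an object with a "title" and a
"steps" list whose entries carry a "type" (setViewport, navigate, click,
change, keyDown, ...)."""
import json
from urllib.parse import urlsplit

# Constructed sample export: a short SSO login recording against made-up hosts.
SAMPLE_EXPORT = json.dumps({
    "title": "Login file 1",
    "steps": [
        {"type": "setViewport", "width": 1280, "height": 720,
         "deviceScaleFactor": 1, "isMobile": False, "hasTouch": False,
         "isLandscape": False},
        {"type": "navigate", "url": "https://app.example.test/login",
         "assertedEvents": [{"type": "navigation",
                             "url": "https://app.example.test/login",
                             "title": "Sign in"}]},
        {"type": "click", "target": "main", "selectors": [["#sso"]],
         "offsetX": 12, "offsetY": 8,
         "assertedEvents": [{"type": "navigation",
                             "url": "https://idp.example.test/authorize",
                             "title": "IdP"}]},
        {"type": "change", "target": "main", "selectors": [["#username"]],
         "value": "scanner-user"},
        {"type": "change", "target": "main", "selectors": [["#password"]],
         "value": "Tr0ub4dor&3"},   # constructed; a real export holds your real password here
        {"type": "keyDown", "target": "main", "key": "Enter"},
        {"type": "keyUp", "target": "main", "key": "Enter"},
    ],
})


def load_recording(text):
    """Parse the export and reject anything that is not a Recorder file."""
    rec = json.loads(text)
    if not isinstance(rec, dict) or not isinstance(rec.get("steps"), list):
        raise ValueError("not a Recorder export: expected an object with a 'steps' list")
    return rec


def check_recording(rec):
    """Return a list of human-readable findings about the recording."""
    findings = []
    steps = rec["steps"]
    if not rec.get("title"):
        findings.append("recording has no title")
    # Recorder writes setViewport first; the next step should be the navigate
    # that results from starting on a blank tab and then visiting the app.
    actions = [s for s in steps if s.get("type") != "setViewport"]
    if not actions or actions[0].get("type") != "navigate":
        findings.append("first action is not 'navigate': recording did not start from a blank tab")
    typed = [s for s in steps if s.get("type") == "change" and s.get("value")]
    if not typed:
        findings.append("no 'change' steps: nothing was typed, so replay will not log in")
    else:
        findings.append(f"{len(typed)} typed value(s) are stored in clear text; treat the file as a secret")
    return findings


def visited_hosts(rec):
    """Every host the recording touches, in order. The first is the target;
    any others (an SSO identity provider, say) belong in Allowed Domains."""
    hosts = []
    for step in rec["steps"]:
        urls = [step["url"]] if step.get("type") == "navigate" and step.get("url") else []
        urls += [e["url"] for e in step.get("assertedEvents", [])
                 if e.get("type") == "navigation" and e.get("url")]
        for url in urls:
            host = urlsplit(url).hostname
            if host and host not in hosts:
                hosts.append(host)
    return hosts


def redact(rec):
    """Deep copy of the recording with every typed value blanked, so the file
    can be kept or shared without the credentials in it."""
    out = json.loads(json.dumps(rec))
    for step in out["steps"]:
        if step.get("type") == "change" and "value" in step:
            step["value"] = "<redacted>"
    return out


if __name__ == "__main__":
    recording = load_recording(SAMPLE_EXPORT)
    for finding in check_recording(recording):
        print("-", finding)
    print("hosts:", visited_hosts(recording))
    print(json.dumps(redact(recording), indent=1)[:300])
```

Run it against your own export by reading the file instead of SAMPLE_EXPORT; keep the unredacted original only where you would keep the password itself.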


How to upload the file

Head to targets and search for the target:

Click Add authentication:

Select 'Recorded Login' (top one):

Fill in the details, upload the file > hit Save and verify authentication.

Entrypoint URL

The entrypoint URL tells the scanner where to start its crawling and scanning. The scanner will crawl and test anything it finds under the root of that entrypoint, so if you add 'http://vulnerablesite.intrud.es/DVWA' as your entrypoint URL, we'll permit anything discovered under 'http://vulnerablesite.intrud.es/*' to be scanned.

In this example, we are starting our scan from the root page of our application (http://44.203.103.184/).

Logout URL

In our example, we specify a Logout URL that we want to exclude from scanning. The easiest way to find it is to log in to the application and find the Logout button on your page (it may say Log Out, Sign Out or something similar). If you hover over the button, you'll see the Logout URL at the bottom of your page; you can also right-click the button, choose 'Copy link address', and paste it into Intruder.
If that's not working, you can right-click on the logout button and click on Inspect:

In our example, the logout link is the relative path logout.php, so it needs to be fully qualified by prefixing the path of the current page, which gives http://vulnerablesite.intrud.es/DVWA/logout.php (as you can see in the screenshot above):

Note that if you have a Logout URL that includes query parameters (e.g. http://www.example.com/login?action=logout), then we would recommend always including the Logged In Pattern (optional) parameter.
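The two rules above, that a relative logout link must be resolved against the page it appears on and that a logout URL with query parameters calls for a Logged In Pattern, together with the entrypoint scope rule from the Entrypoint URL section, are small enough to check mechanically. The script below is an added example, not Intruder's code; the function names are my own and the sample values are the ones used in this article.

```python
"""Derive the Logout URL value from the href on the logout button and check it
against the entrypoint scope. Added example; not Intruder's code. The scope
rule (everything under the entrypoint's host root is scanned) and the advice
to set a Logged In Pattern when the logout URL carries query parameters come
from the article; the function names are assumptions of this example."""
from urllib.parse import urljoin, urlsplit


def in_scope(entrypoint, url):
    """True when url lives under the root of the entrypoint's origin, i.e. the
    same scheme and host, whatever path the entrypoint itself has."""
    e, u = urlsplit(entrypoint), urlsplit(url)
    return (e.scheme, e.netloc) == (u.scheme, u.netloc)


def qualify_logout(page_url, href):
    """Resolve the logout button's href against the page it appears on, the way
    the browser does; returns None for hrefs that are not navigable links."""
    href = href.strip()
    if not href or href.startswith("#") or href.lower().startswith("javascript:"):
        return None
    return urljoin(page_url, href)


def logout_advice(entrypoint, page_url, href):
    """Return (logout_url, notes): the value to paste into the Logout URL field
    plus anything worth checking before saving the authentication."""
    logout = qualify_logout(page_url, href)
    notes = []
    if logout is None:
        notes.append("button has no navigable href; use Inspect to find the request it sends")
        return None, notes
    if not in_scope(entrypoint, logout):
        notes.append("logout URL is outside the entrypoint's root; confirm it is the app's own logout")
    if urlsplit(logout).query:
        notes.append("logout URL has query parameters; set the Logged In Pattern as well")
    return logout, notes


if __name__ == "__main__":
    # The DVWA example from the article: relative link on the index page.
    print(logout_advice("http://vulnerablesite.intrud.es/DVWA",
                        "http://vulnerablesite.intrud.es/DVWA/index.php",
                        "logout.php"))
    # The query-parameter example from the article.
    print(logout_advice("http://www.example.com/",
                        "http://www.example.com/account",
                        "/login?action=logout"))
```

Paste the first element of the returned pair into the Logout URL field and act on any notes before hitting Save and verify authentication.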

Allowed Domains

This section lets you specify additional domains that your application depends on, so those requests are permitted to complete during a scan. The scanner will also run a limited set of security checks on those network requests. Please check out this article for more information.


Verifying the authentication

In progress

Before you get any responses, it'll look like this:

Complete

Given how nuanced apps are, we don't presume the accuracy of authentication – instead, we show you what the scanner encountered and allow you to decide whether it has worked or not (the screenshot in particular is helpful, as you can use that to gauge if the scanner can access pages behind the login).

You could get any combination of results; here are just a few:


Managing authentication(s)

Once you've completed this information, you will see the authentication appear under the Authentications tab.

To disable an authentication

Click ... > Disable:

And the modal will update to this:

To re-enable, just click the ellipsis again > Enable:

To check the status of the authentication

Click the ellipsis > Check status:

The next modal to pop up will be this one, where you can confirm the authentication, edit the details, or close the modal and disable the authentication.
