
How to add a recorded login

An automated alternative for adding authentication credentials to Intruder

Updated this week

⚠️ Important: If using admin credentials, it is recommended to exercise caution

💡 Tip: Record in an incognito tab, using Developer Tools on the latest version of Google Chrome.

💡 Tip: Start the recording on a blank tab before you visit the webpage

ℹ️ Note: If your login button is accessible via hover, you'll need to start the recording from the login page itself.



Benefits of using recorded login

  • Can be used for form-based, session-based, and header-based authentication

  • Supports web apps with SSO (excluding Google SSO – due to MFA being enforced)

  • Supports apps where authentication is handled by a different domain



How to generate the file

  1. Open an incognito window in Google Chrome

  2. Go to your target domain (in this case, we're using intruder.io)

  3. Click on the settings icon (ellipsis) in the top right corner > click More tools > Developer tools:

  4. If you don't have Recorder in the top navigation, click the ellipses (...) > More tools > Recorder

  5. Click Create a new recording:

  6. Give the file a name (in this case, we've chosen 'Login file 1') > hit Start recording:

  7. Log in using the credentials of your chosen user (make sure it's not an admin). If you have any cookie warnings, make sure to accept them before logging in, too!

  8. Once you've logged in, hit End recording:

  9. At this point, we highly recommend replaying the recording in an incognito window to ensure that it worked as expected. To do that, just open a new incognito window, then go to the ellipsis > More tools > Developer tools > Recorder (as above). Once there, you should see your file > press play.

  10. Once you're happy with the recording, you can export as JSON:
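
The exported JSON stores every value typed during the recording verbatim, so it is worth reviewing the file before uploading it. The Python sketch below is an added example, not Intruder's or Chrome's own code; it assumes the Recorder export layout (a `steps` list containing `navigate` and `change` steps), and the sample hosts, selectors and credentials are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample in the shape of a Chrome DevTools Recorder JSON export;
# the hosts, selectors and credentials are made up for illustration.
SAMPLE = json.loads("""
{"title": "Login file 1", "steps": [
  {"type": "setViewport", "width": 1280, "height": 720},
  {"type": "navigate", "url": "https://app.example.test/login"},
  {"type": "change", "selectors": [["#email"]], "value": "scanner@example.test"},
  {"type": "change", "selectors": [["#password"]], "value": "constructed-pass"},
  {"type": "click", "selectors": [["button[type=submit]"]], "offsetX": 5, "offsetY": 5,
   "assertedEvents": [{"type": "navigation", "url": "https://sso.example.test/cb"}]}
]}
""")


def review_recording(recording):
    """Summarise what a recording contains without echoing the typed secrets."""
    hosts, typed, issues = set(), [], []
    for step in recording.get("steps", []):
        urls = [step.get("url")] if step.get("type") == "navigate" else []
        urls += [e.get("url") for e in step.get("assertedEvents", [])]
        for url in filter(None, urls):
            parts = urlsplit(url)
            if parts.scheme not in ("http", "https") or not parts.hostname:
                continue  # e.g. about:blank when recording began on an empty tab
            if parts.scheme == "http":
                issues.append(f"cleartext navigation to {parts.hostname}")
            hosts.add(parts.hostname)
        if step.get("type") == "change":
            # Typed text (passwords included) is stored verbatim in "value".
            first = (step.get("selectors") or ["?"])[0]
            selector = first if isinstance(first, str) else first[0]
            typed.append((selector, len(step.get("value", ""))))
    if not hosts:
        issues.append("no http(s) navigation recorded")
    if not typed:
        issues.append("no typed input recorded: was a login actually captured?")
    return {"hosts": sorted(hosts), "typed": typed, "issues": issues}


if __name__ == "__main__":
    report = review_recording(SAMPLE)
    print("Hosts visited:", ", ".join(report["hosts"]))
    for selector, length in report["typed"]:
        print(f"Plaintext input for {selector}: {length} characters")
    for issue in report["issues"]:
        print("Check:", issue)
```

To review a real export, load it with `json.load` and pass the result to `review_recording`; the report lists every host the login touches and which fields carry plaintext input.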


How to upload the file

Head to targets and search for the target:

Click Add authentication:

Select 'Recorded Login' (top one):

Fill in the details, upload the file > hit Save and verify authentication.


Verifying the authentication

In progress

Before you get any responses, it'll look like this:

Complete

Given how nuanced apps are, we don't presume the accuracy of authentication – instead, we show you what the scanner encountered and allow you to decide whether it has worked or not (the screenshot in particular is helpful, as you can use that to gauge if the scanner can access pages behind the login).

You could get any combination of results; here are just a few:


Managing authentication(s)

Once you've completed this information, you will see the authentication appear under the Authentications tab.

To disable an authentication

Click ... > Disable:

And the modal will update to this:

To re-enable, just click the ellipsis again > Enable:

To check the status of the authentication

Click the ellipsis > Check status:

The next modal to pop up will be this one, where you can confirm the authentication, edit the details, or close the modal and disable the authentication.
