Providing Login Instructions

DynamicDS and DynamicMP

DynamicDS scans evaluate websites at runtime and often need to log in to sites. When requesting a scan, you therefore have to provide the login information. Applications can have one or a combination of the following authentication methods:

Configuring Auto-login

If you know your application requires authentication, on the Login Instructions page, select Required. If you want Veracode to log in to your application automatically during the DynamicDS scan, provide the username and password credentials.

Forms-based Login

If your application uses a customized or complex form for its login, you record and upload a login sequence that Veracode uses to automatically log in to the application. Veracode supports the Selenium IDE automation tool for recording the exact interactions you want the scan to have with the target website. By using a web browser automation tool, Veracode can support sites with complex login requirements, including multiple login fields, logins that require selecting additional values (e.g. department IDs), sites that require logging into another site prior to using the web application, and other scenarios that are more complex than a simple user name/password combination. In addition to using a login sequence script, Veracode uses login verification information to avoid accidental logouts during a crawl.

To provide forms-based login information:
  1. Select the Forms-based tab on the Login Instructions page.
  2. Select the Use forms-based login checkbox.
  3. If you have already performed a forms-based authentication and want to use a login form that you previously configured, select Use last scan configuration in the Login Script field, and then click Save and Continue.
  4. To create new instructions, do one of the following, depending on whether or not you enabled advanced mode in the scan configuration.
    • If advanced mode is disabled, click Choose File in the Login Script field and browse to the location of your recorded sequence script.
    • If advanced mode is enabled, click Choose File in the Login Script and Logout Script fields and browse to the locations of your recorded sequence scripts. Once you have selected your scripts, click Save and Continue.
  5. In the Verification URL field, enter a URL that the scan engine confirms it can reach once it has successfully logged in to the application. Be sure that this URL is one of the allowed hosts you specified in the Dynamic Scan Configuration page if you chose to restrict the scan to specific hosts.
  6. In the Verification Text field, enter a string of text that is only available on the verification URL page when you are logged in (e.g. "Log out" or "My Account").
  7. If you would prefer to use logout detection instead of a verification URL and text, select Logout Detection. A logout is detected when the scan encounters a specified URL, text string, or code string.
  8. Click Save and Continue.
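
Before entering the Verification URL and Verification Text from steps 5 and 6, you can sanity-check the pair locally. The following is an added example, not Veracode code: the function name, the `example.test` hosts and the two page snippets are constructed for illustration, and exact substring matching is an assumption about how the text is compared.

```python
from urllib.parse import urlsplit

def check_verification(url, text, allowed_hosts, logged_in_html, logged_out_html):
    """Return a list of problems with a Verification URL / Verification Text pair."""
    problems = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        problems.append("verification URL is not an absolute http(s) URL")
    elif allowed_hosts and host not in {h.lower() for h in allowed_hosts}:
        # Only relevant when the scan is restricted to specific hosts.
        problems.append(f"host {host!r} is not in the allowed hosts list")
    if not text.strip():
        problems.append("verification text is empty")
    else:
        if text not in logged_in_html:
            problems.append("text is missing from the logged-in page")
        if text in logged_out_html:
            # A string visible without a session cannot prove the login worked.
            problems.append("text also appears when logged out")
    return problems

# Constructed sample responses for the same URL, with and without a session.
LOGGED_IN = '<nav><a href="/account">My Account</a> <a href="/logout">Log out</a></nav>'
LOGGED_OUT = '<nav><a href="/login">Log in</a></nav><p>Sign in to view My Account.</p>'
ALLOWED = ["app.example.test"]

if __name__ == "__main__":
    for candidate in ("Log out", "My Account"):
        print(candidate, "->", check_verification(
            "https://app.example.test/home", candidate, ALLOWED, LOGGED_IN, LOGGED_OUT))
```

In the sample, "My Account" fails because the logged-out page mentions it in a sign-in prompt, while "Log out" appears only with a session.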

Troubleshoot Selenium Scripts

It is very important that you run your Selenium script again to ensure it works correctly before you upload it to Veracode. If you have problems running your Selenium script again, check the following:
  • Verify that the script uses supported Selenium commands.
  • Verify that the script correctly identifies the login page.
  • Verify that the login script does not depend on elements of your page that may change frequently.
  • Ensure you delete all the cookies in the browser and clear the cache before running a script.
  • Ensure that you open Selenium IDE after the login page has finished loading.
  • Do not change tabs or do anything outside of the login process while recording a login script.
  • Be sure to stop the recording when you are finished logging in, and delete any steps at the end that might have been recorded by mistake. Typically the last step in the login script is a Selenium clickAndWait command.
  • If you have amended the saved script HTML file in any way, you need to re-record it without editing the file.
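
Part of this checklist can be automated before upload. The following is an added example, not Veracode tooling: it reads a script saved in the legacy Selenium IDE HTML table format and reports a missing opening step, a last step that is not clickAndWait, and locators likely to change. The `login_path` parameter, the brittleness heuristic and the sample script are assumptions made for illustration, and it does not check which commands are supported.

```python
import re
from html import unescape

# Legacy Selenium IDE saves each step as <tr><td>command</td><td>target</td><td>value</td></tr>.
STEP = re.compile(r"<tr>\s*<td>(.*?)</td>\s*<td>(.*?)</td>\s*<td>(.*?)</td>\s*</tr>", re.S)
# Heuristic (assumption): positional XPath steps and long generated numbers are brittle.
BRITTLE = re.compile(r"\[\d+\]|\d{4,}")

def parse_steps(script_html):
    """Return [(command, target, value), ...] from a saved script file."""
    return [tuple(unescape(cell).strip() for cell in row)
            for row in STEP.findall(script_html)]

def lint_login_script(script_html, login_path):
    """Return findings for a recorded login script; an empty list means none."""
    steps = parse_steps(script_html)
    if not steps:
        return ["no recorded steps found"]
    findings = []
    if steps[0][0] != "open" or steps[0][1] != login_path:
        findings.append("first step does not open the login page")
    if steps[-1][0] != "clickAndWait":
        findings.append(f"last step is {steps[-1][0]!r}, not clickAndWait; "
                        "check for steps recorded by mistake")
    for number, (command, target, _value) in enumerate(steps, 1):
        if command != "open" and BRITTLE.search(target):
            findings.append(f"step {number}: locator {target!r} may change between loads")
    return findings

# Constructed sample: a positional XPath locator and a stray click after the login.
SAMPLE = """<table><thead><tr><td rowspan="1" colspan="3">login</td></tr></thead><tbody>
<tr><td>open</td><td>/login</td><td></td></tr>
<tr><td>type</td><td>id=username</td><td>scanuser</td></tr>
<tr><td>type</td><td>//form/div[2]/input</td><td>placeholder-password</td></tr>
<tr><td>clickAndWait</td><td>id=submit</td><td></td></tr>
<tr><td>click</td><td>link=Help</td><td></td></tr>
</tbody></table>"""

if __name__ == "__main__":
    for finding in lint_login_script(SAMPLE, "/login"):
        print(finding)
```

Because the checklist says an edited script file must be re-recorded, treat the findings as a prompt to record again rather than to patch the file by hand.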

DynamicDS scans evaluate websites at runtime and often need to log in to sites that use forms-based authentication. Veracode offers an auto-login feature that greatly simplifies the login process, but you can also use a login script.

To automate logins, you can use Selenium IDE to pre-record the interactions you want the scan to have with the target website. Selenium IDE is a Firefox plugin that you must download from a Firefox browser session, using the link provided on the Veracode Platform.

Due to a change in the compatibility between Firefox and Selenium, you may experience difficulties creating new Selenium scripts. Existing scripts already in production are not affected by this incompatibility. You cannot successfully reproduce form-based login and crawl scripts from Selenium IDE within your browser window if you are using the latest Firefox browser.

To work around this incompatibility, you can use Firefox 54 or earlier when creating and testing your form-based login scripts and crawl scripts through the Selenium IDE. Otherwise, you can pass the credentials through the auto-login option (and submit scans irrespective of login failures in the prescan stage). Veracode can also create accurate login scripts on your behalf.

Basic Auth Login

Select Basic Auth Login to provide information for a site that uses basic or browser-based authentication (where the browser prompts you for credentials in its own pop-up window). You can use a browser-based type of login by itself or in combination with forms-based authentication. Enter the username and password you want the scan to use. Optionally, you can enter the domain name, then click Save & Continue.
Enter credentials for browser-based (basic) authorization in the basic auth fields.

Client Certificate Authentication

Select Client Certificate Authentication if your target website requires a certificate to permit access. Browse to the location of the necessary certificate and upload it in the Client Certificate field. Then click Save & Continue.

Upload the certificate necessary for accessing the site.

Downloading Login or Crawl Scripts

You, or any user with access to your application that has the Security Lead role, can download the login or crawl script that you uploaded to your scan configuration. A link to your script is available from the Scan Submission Details section of the scan overview page.

Click the script link in the Scan Submission section of the scan overview page.