DynamicDS scans evaluate websites at runtime and often need to log in to sites, so when you request a scan you must provide the login information. Applications can have one or a combination of the following authentication methods:
If you know your application requires authentication, on the Login Instructions page, select Required. If you want Veracode to automatically log in to your application, you can provide the username and password credentials, and Veracode logs in to your application automatically during the DynamicDS scan.
If your application uses a customized or complex form for its login, you record and upload a login sequence that Veracode uses to automatically log in to the application. Veracode supports the Selenium IDE and Kantu for Chrome web browser automation tools for recording the exact interactions you want the scan to have with the target website. By using a web browser automation tool, Veracode can support sites with complex login requirements, including multiple login fields, logins that require selecting additional values (e.g. department IDs), sites that require logging into another site prior to using the web application, and other scenarios that are more complex than a simple user name/password combination. In addition to using a login sequence script, Veracode uses login verification information to avoid accidental logouts during a crawl.
- Select the Forms-based tab on the Login Instructions page.
- Select the Use forms-based login checkbox.
- If you have already performed a forms-based authentication and want to use a login form that you previously configured, select Use last scan configuration in the Login Script field, and then click Save and Continue.
- To create new instructions, do one of the following, depending on whether or not you enabled advanced mode in the scan configuration:
  - If advanced mode is disabled, click Choose File in the Login Script field and browse to the location of your recorded sequence script.
  - If advanced mode is enabled, click Choose File in the Login Script and Logout Script fields and browse to the locations of your recorded sequence scripts. Once you have selected your scripts, click Save and Continue.
- In the Verification URL field, enter a URL that the scan engine confirms it can reach once it has successfully logged in to the application. Be sure that this URL is one of the allowed hosts you specified in the Dynamic Scan Configuration page if you chose to restrict the scan to specific hosts.
- In the Verification Text field, enter a string of text that is only available on the verification URL page when you are logged in (e.g. "Log out" or "My Account").
- If you would prefer to use logout detection instead of a verification URL and text, select Logout Detection. A logout is detected when the scan encounters a specified URL, text string, or code string.
- Click Save and Continue.
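The verification URL, verification text and logout-detection settings above decide whether the scan engine believes it is still logged in. The following Python model of those checks is an added example, not Veracode's scan engine: the `VerificationConfig` fields, the `fetch` callback and the in-memory `SAMPLE_SITE` are constructed for illustration. It also enforces the caveat that a verification URL must sit on one of the allowed hosts when the scan is host-restricted.

```python
"""Model of login verification and logout detection for a forms-based scan.

Added example, not Veracode's code. VerificationConfig, fetch and SAMPLE_SITE
are constructed stand-ins for the scan engine's configuration and HTTP client.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class VerificationConfig:
    verification_url: str
    verification_text: str            # text visible only when logged in
    allowed_hosts: set = field(default_factory=set)   # empty = no host restriction
    logout_urls: set = field(default_factory=set)     # landing here means logged out
    logout_texts: set = field(default_factory=set)    # seeing this means logged out


def verification_url_in_scope(cfg):
    """When the scan is restricted to hosts, the verification URL must be on one of them."""
    host = urlparse(cfg.verification_url).hostname
    return not cfg.allowed_hosts or host in cfg.allowed_hosts


def login_verified(cfg, fetch):
    """True when the verification URL is reachable and shows the logged-in-only text."""
    if not verification_url_in_scope(cfg):
        return False            # out-of-scope URL would never be fetched by the scan
    status, body = fetch(cfg.verification_url)
    return status == 200 and cfg.verification_text in body


def logout_detected(cfg, url, body):
    """A crawl response signals logout if it lands on a logout URL or shows logout text."""
    return url in cfg.logout_urls or any(text in body for text in cfg.logout_texts)


# Constructed in-memory site standing in for the real application under test.
SAMPLE_SITE = {
    "https://app.example.test/account": (200, "<h1>My Account</h1><a href='/logout'>Log out</a>"),
    "https://app.example.test/login": (200, "<form>Please sign in</form>"),
}


def fake_fetch(url):
    """Constructed HTTP client: returns (status, body) from SAMPLE_SITE."""
    return SAMPLE_SITE.get(url, (404, ""))


CONFIG = VerificationConfig(
    verification_url="https://app.example.test/account",
    verification_text="Log out",
    allowed_hosts={"app.example.test"},
    logout_urls={"https://app.example.test/login"},
    logout_texts={"Please sign in"},
)

if __name__ == "__main__":
    print("login verified:", login_verified(CONFIG, fake_fetch))
    print("logout on /login:", logout_detected(CONFIG, "https://app.example.test/login",
                                               SAMPLE_SITE["https://app.example.test/login"][1]))
```

Choosing "Log out" as the verification text works only because the sample login page does not contain it; a string such as the application name, which appears on both the login form and the logged-in pages, would make the check pass even after the session has expired.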
Troubleshoot Selenium Scripts
- Verify that the script uses supported Selenium commands.
- Verify that the script correctly identifies the login page.
- Verify that the login script does not depend on elements of your page that may change frequently.
- Ensure you delete all the cookies in the browser and clear the cache before running a script.
- Ensure that you open Selenium IDE after the login page has finished loading.
- Do not change tabs or do anything outside of the login process while recording a login script.
- Be sure to stop the recording when you are finished logging in, and delete any steps at the end that might have been recorded by mistake. Typically the last step in the login script is a Selenium clickAndWait command.
- If you have amended the saved script HTML file in any way, you need to re-record it without editing the file.
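Several of the checks in this list can be applied to a saved script before uploading it. The following Python linter is an added example, not a Veracode tool: it parses the Selenese HTML table format that the legacy Selenium IDE writes, then checks that the script starts by opening the login page, uses only commands from an assumed `SUPPORTED_COMMANDS` set (Veracode's actual list is not given on this page), avoids locators that depend on page structure likely to change (an illustrative `BRITTLE_LOCATOR` heuristic), and ends with a `clickAndWait` rather than stray steps recorded by mistake. Both sample scripts are constructed.

```python
"""Lint a Selenium IDE (Selenese HTML) login script against the checklist above.

Added example, not Veracode's tool. SUPPORTED_COMMANDS and BRITTLE_LOCATOR are
assumptions chosen for illustration; both sample scripts are constructed.
"""
import re
from html.parser import HTMLParser

# Assumed set of Selenese commands the scan engine accepts (illustrative only).
SUPPORTED_COMMANDS = {
    "open", "type", "click", "clickAndWait", "select", "selectAndWait",
    "check", "uncheck", "waitForPageToLoad", "waitForElementPresent", "pause",
}

# Heuristic for locators that break when the page changes: positional XPath,
# absolute XPath from /html, machine-generated ids, or nth-child CSS selectors.
BRITTLE_LOCATOR = re.compile(
    r"^(//.*\[\d+\]|xpath=/html/.*|id=.*\d{3,}.*|css=.*:nth-child\(\d+\))"
)


class SeleneseParser(HTMLParser):
    """Collect each 3-cell <tr> of the Selenese table as a (command, target, value) triple."""

    def __init__(self):
        super().__init__()
        self.steps = []
        self._row = None
        self._cell = None

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag == "td" and self._row is not None:
            self._cell = []

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)

    def handle_endtag(self, tag):
        if tag == "td" and self._cell is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            if len(self._row) == 3:      # the <thead> row holds only the test title
                self.steps.append(tuple(self._row))
            self._row = None


def parse_selenese(html):
    parser = SeleneseParser()
    parser.feed(html)
    return parser.steps


def lint_login_script(html):
    """Return a list of findings; an empty list means every check passed."""
    steps = parse_selenese(html)
    if not steps:
        return ["script contains no steps"]
    findings = []
    if steps[0][0] != "open":
        findings.append("first step should be 'open' so the script identifies the login page")
    for i, (cmd, target, _value) in enumerate(steps, 1):
        if cmd not in SUPPORTED_COMMANDS:
            findings.append(f"step {i}: unsupported command '{cmd}'")
        if BRITTLE_LOCATOR.match(target):
            findings.append(f"step {i}: locator '{target}' depends on page structure that may change")
    if steps[-1][0] != "clickAndWait":
        findings.append(f"last step is '{steps[-1][0]}', expected 'clickAndWait' "
                        "(steps recorded after login by mistake?)")
    return findings


# Constructed sample: a clean recording of a username/password login.
GOOD_SCRIPT = """<table cellpadding="1" cellspacing="1" border="1">
<thead><tr><td rowspan="1" colspan="3">login</td></tr></thead><tbody>
<tr><td>open</td><td>/login</td><td></td></tr>
<tr><td>type</td><td>id=username</td><td>scanuser</td></tr>
<tr><td>type</td><td>id=password</td><td>placeholder-password</td></tr>
<tr><td>clickAndWait</td><td>id=login-button</td><td></td></tr>
</tbody></table>"""

# Constructed sample: no 'open', brittle XPath, unsupported command, and a trailing
# click on "Log out" that was recorded by mistake and would end the session.
BAD_SCRIPT = """<table cellpadding="1" cellspacing="1" border="1">
<thead><tr><td rowspan="1" colspan="3">login</td></tr></thead><tbody>
<tr><td>type</td><td>xpath=/html/body/div[3]/form/input[2]</td><td>scanuser</td></tr>
<tr><td>type</td><td>id=password</td><td>placeholder-password</td></tr>
<tr><td>storeText</td><td>css=.banner</td><td>banner</td></tr>
<tr><td>clickAndWait</td><td>id=login-button</td><td></td></tr>
<tr><td>click</td><td>link=Log out</td><td></td></tr>
</tbody></table>"""

if __name__ == "__main__":
    for name, script in (("good", GOOD_SCRIPT), ("bad", BAD_SCRIPT)):
        print(name, lint_login_script(script) or "OK")
```

Run it against the file Selenium IDE saved (the HTML table is the script itself) before uploading; a finding about the last step usually means the recording was not stopped immediately after the login click.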
DynamicDS scans evaluate websites at runtime and often need to log in to sites that use forms-based authentication. Veracode offers an auto-login feature that greatly simplifies the login process, but you can also use a login script.
To automate logins, you can use Selenium IDE to pre-record the interactions you want the scan to have with the target website. Selenium IDE is a Firefox plugin that you must download from a Firefox browser session, using the link provided on the Veracode Platform.
Due to a change in the compatibility between Firefox and Selenium, you may experience difficulties creating new Selenium scripts. Existing scripts already in production are not affected by this incompatibility. You cannot successfully reproduce form-based login and crawl scripts from Selenium IDE within your browser window if you are using the latest Firefox browser.
To work around this incompatibility, you can use Firefox 54 or earlier when creating and testing your form-based login scripts and crawl scripts through the Selenium IDE. Otherwise, you can pass the credentials through the auto-login option (and submit scans irrespective of login failures in the prescan stage). Veracode can also create accurate login scripts on behalf of customers.
Basic Auth Login
Select Basic Auth Login to provide information for a site that uses basic or browser-based authentication (where the browser prompts you for credentials in its own pop-up window). You can use a browser-based type of login by itself or in combination with forms-based authentication. Enter the username and password you want the scan to use. Optionally, you can enter the domain name, then click Save &
Client Certificate Authentication
Select Client Certificate Authentication if your target website requires a certificate to permit access. Browse to the location of the necessary certificate and upload it in the Client Certificate field. Then click Save & Continue.
Upload the certificate necessary for accessing the site.