
How to set up target authentication with a login form

When a target has a login form, you can configure the target so that Snyk API & Web can authenticate to reach and scan areas reserved for authenticated users only.

Step 1: Get the identifiers of the login form input fields

For Snyk API & Web to fill out the login form, you need to get the identifiers of the credentials input fields in the login form, namely:

  • The identifier of the username input field.
  • The identifier of the password input field.

For more information on obtaining an identifier, see this article on how to obtain a CSS selector.

Step 2: Set up target authentication with a login form

With the login form input fields identified, you can set up the target authentication using the following parameters:

  • Enable target authentication with a login form ("has_form_login": true).
  • The URL of your login form (in "form_login_url").
  • The input field identifiers and values in your login form (in "form_login").
  • Ensure the target authentication with a login sequence is disabled ("has_sequence_login": false).
  • Enable the target authentication ("auth_enabled": true).

In this request, we use an existing target with the identifier 2oirKt8AKxdr, and the following values:

  • URL of the login form: "http://example.com/login.jsp".
  • The input field identifiers and values:
    • Username: "uid" and "admin".
    • Password: "passwd" and "admin".

Request

curl https://api.probely.com/targets/2oirKt8AKxdr/ \
  -X PATCH \
  -H 'Content-Type: application/json' \
  -H 'Authorization: JWT <YOUR_API_TOKEN>' \
  -d '{
    "site": {
      "has_form_login": true,
      "form_login_url": "http://example.com/login.jsp",
      "form_login": [
        {
          "name": "uid",
          "value": "admin"
        },
        {
          "name": "passwd",
          "value": "admin"
        }
      ],
      "has_sequence_login": false,
      "auth_enabled": true
    }
  }'

The response will return the target with the following:

  • The login form is enabled ("has_form_login": true).
  • The login form URL is configured (in "form_login_url").
  • The login credentials are configured (in "form_login").
  • The login sequence is disabled ("has_sequence_login": false).
  • The target authentication is enabled ("auth_enabled": true).

Response

{
  "id": "2oirKt8AKxdr",
  "site": {
    "id": "UYzK6mLxffx9",
    "name": "My Example",
    "desc": "",
    "url": "https://example.com",
    "host": "example.com",
    "has_form_login": true,
    "form_login_url": "http://example.com/login.jsp",
    "form_login_check_pattern": "",
    "form_login": [
      {
        "name": "uid",
        "value": "admin"
      },
      {
        "name": "passwd",
        "value": "admin"
      }
    ],
    ...
    "has_sequence_login": false,
    ...
    "auth_enabled": true,
    ...
  },
  ...
}

Now, with the target authentication set, Snyk API & Web scans on the target will be able to reach restricted areas meant for authenticated users only.
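
The request from Step 2 and a check of the returned fields, as an added Python example (not part of the original article and not Snyk's own code). It reads the credentials and API token from environment variables, whose names are assumptions of this example, instead of placing them on the command line, and it compares only the form field names so that a mismatch message never contains the password.

```python
import json
import os
import urllib.request

API_BASE = "https://api.probely.com"  # host taken from the curl request above

def build_payload(login_url, user_field, user, pass_field, password):
    """Build the PATCH body with the five settings listed in Step 2."""
    return {"site": {
        "has_form_login": True,
        "form_login_url": login_url,
        "form_login": [{"name": user_field, "value": user},
                       {"name": pass_field, "value": password}],
        "has_sequence_login": False,
        "auth_enabled": True,
    }}

def check_response(target, payload):
    """Return a list of settings in the returned target that differ from the payload."""
    site, problems = target.get("site", {}), []
    for key, want in payload["site"].items():
        got = site.get(key)
        if key == "form_login":  # compare field names only, never the values
            want = [f["name"] for f in want]
            got = [f.get("name") for f in got or []]
        if got != want:
            problems.append(f"{key}: expected {want!r}, got {got!r}")
    return problems

def patch_target(target_id, payload, token):
    """Send the PATCH request shown above and return the parsed target."""
    req = urllib.request.Request(
        f"{API_BASE}/targets/{target_id}/",
        data=json.dumps(payload).encode(),
        method="PATCH",
        headers={"Content-Type": "application/json",
                 "Authorization": f"JWT {token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # SCAN_USER, SCAN_PASS and API_TOKEN are variable names assumed by this example.
    body = build_payload("http://example.com/login.jsp",
                         "uid", os.environ.get("SCAN_USER", "admin"),
                         "passwd", os.environ.get("SCAN_PASS", "admin"))
    token = os.environ.get("API_TOKEN")
    # Without a token, check against a constructed echo of the request (offline run).
    target = patch_target("2oirKt8AKxdr", body, token) if token else {"id": "2oirKt8AKxdr", **body}
    print(check_response(target, body) or "target authentication configured")
```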