How to set up target authentication with a login sequence

When a target has a complex login flow (like a multi-step login), you can configure the target so that Probely can authenticate to reach and scan areas reserved for authenticated users only.

Step 1: Record the login sequence

Start by recording the login sequence for your target and download the JSON. For that, see this tutorial on how to record a sequence with Probely's Sequence Recorder Plugin.

Step 2: Add the login sequence to the target

Add the JSON with the steps of the login sequence to the target by providing the following information:

  • The name of the login sequence (in "name").
  • The JSON string with the steps of the login sequence (in "content").
  • Indicate that the sequence is for login purposes ("type": "login").
  • Enable the login sequence ("enabled": true).

In this request, we use an existing target with the identifier 3st5ZKNYGV1r and call the sequence My login sequence.

Request
curl 'https://api.probely.com/targets/3st5ZKNYGV1r/sequences/' \
-X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: JWT <YOUR_API_TOKEN>' \
-d '{
"name":"My login sequence",
"content": "<JSON string with the login sequence>",
"type": "login",
"enabled": true
}'

The response will return the newly added login sequence.

Response
{
"id": "2itd2g2XVmkw",
"name": "My login sequence",
"requires_authentication": false,
"type": "login",
"enabled": true,
"index": null
}

Step 3: Enable target authentication with the 2FA login sequence

With the 2FA login sequence added, you must update the target (3st5ZKNYGV1r in this tutorial) to enable authentication with it:

  • Indicate the target authentication is with a login sequence ("has_sequence_login":true).
  • Ensure the target authentication with a login form is disabled ("has_form_login":false).
  • Enable the target authentication ("auth_enabled": true).

Request
curl https://api.probely.com/targets/3st5ZKNYGV1r/ \
-X PATCH \
-H 'Content-Type: application/json' \
-H 'Authorization: JWT <YOUR_API_TOKEN>' \
-d '{
"site":{
"has_sequence_login":true,
"has_form_login":false,
"auth_enabled": true
}
}'

The response will return the target updated with the latest changes.

Response
{
"id": "3st5ZKNYGV1r",
"site": {
"id": "4EtuJYp5Qsau",
"name": "My example",
"desc": "",
"url": "https://example.com",
"host": "example.com",
"has_form_login": false,
...
"has_sequence_login": true,
...
"auth_enabled": true,
...
},
...
}

Now, with the target authentication set, Probely scans on the target will be able to reach restricted areas meant for authenticated users only.
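
Steps 2 and 3 combined into one script, as an added example that is not Probely's own code: it serializes the recorded steps into the string that "content" expects and checks both responses against what was requested. The function names, the PROBELY_API_TOKEN variable and SAMPLE_RECORDING (a constructed stand-in, not real Sequence Recorder output) are assumptions.

```python
import json
import urllib.request

API = "https://api.probely.com"  # base URL from the requests above
# Constructed stand-in for the downloaded recording; the real format may differ.
SAMPLE_RECORDING = '[{"type": "goto", "url": "https://example.com/login"}]'

def sequence_body(name, recorded_json):
    """Body for POST /targets/<id>/sequences/; "content" must be a JSON *string*."""
    steps = json.loads(recorded_json)  # fail early on a truncated or corrupt download
    return {"name": name, "content": json.dumps(steps), "type": "login", "enabled": True}

def auth_body():
    """Body for PATCH /targets/<id>/ that switches the target to sequence login."""
    return {"site": {"has_sequence_login": True, "has_form_login": False, "auth_enabled": True}}

def sequence_problems(resp):
    """Fields of the POST response that differ from what was requested."""
    want = {"type": "login", "enabled": True}
    return [f"{k}={resp.get(k)!r}" for k, v in want.items() if resp.get(k) != v]

def target_problems(resp):
    """Fields of the PATCH response that differ from auth_body(); empty means applied."""
    site = resp.get("site", {})
    return [f"site.{k}={site.get(k)!r}" for k, v in auth_body()["site"].items()
            if site.get(k) != v]

def call(method, path, body, token):
    """Send one API request and decode the JSON response."""
    req = urllib.request.Request(
        API + path, data=json.dumps(body).encode(), method=method,
        headers={"Content-Type": "application/json", "Authorization": f"JWT {token}"})
    with urllib.request.urlopen(req, timeout=30) as r:
        return json.load(r)

def configure(target_id, name, recorded_json, token):
    """Run steps 2 and 3; raise if either response disagrees with the request."""
    seq = call("POST", f"/targets/{target_id}/sequences/",
               sequence_body(name, recorded_json), token)
    tgt = call("PATCH", f"/targets/{target_id}/", auth_body(), token)
    problems = sequence_problems(seq) + target_problems(tgt)
    if problems:
        raise RuntimeError("login sequence not active: " + ", ".join(problems))
    return seq["id"]

if __name__ == "__main__":
    # Offline dry run. For a real call, read the token from the environment
    # (assumed name PROBELY_API_TOKEN) and pass it to configure().
    print(json.dumps(sequence_body("My login sequence", SAMPLE_RECORDING), indent=2))
```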