How to set up target authentication with a login sequence
When a target has a complex login flow (like a multi-step login), you can configure the target so that Probely can authenticate to reach and scan areas reserved for authenticated users only.
Step 1: Record the login sequence
Start by recording the login sequence for your target and download the JSON. For that, see this tutorial on how to record a sequence with Probely's Sequence Recorder Plugin.
Step 2: Add the login sequence to the target
Add the JSON with the steps of the login sequence to the target by providing the following information:
- The name of the login sequence (in "name").
- The JSON string with the steps of the login sequence (in "content").
- Indicate that the sequence is for login purposes ("type": "login").
- Enable the login sequence ("enabled": true).
In this request, we use an existing target with the identifier 3st5ZKNYGV1r and call the sequence My login sequence.
curl https://api.probely.com/targets/3st5ZKNYGV1r/sequences/ \
-X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: JWT <YOUR_API_TOKEN>' \
-d '{
"name":"My login sequence",
"content": "<JSON string with the login sequence>",
"type": "login",
"enabled": true
}'
The response will return the newly added login sequence.
{
"id": "2itd2g2XVmkw",
"name": "My login sequence",
"requires_authentication": false,
"type": "login",
"enabled": true,
"index": null
}
Step 3: Enable target authentication with the 2FA login sequence
With the 2FA login sequence added, you must update the target (3st5ZKNYGV1r in this tutorial) to enable authentication with it:
- Indicate the target authentication is with a login sequence ("has_sequence_login":true).
- Ensure the target authentication with a login form is disabled ("has_form_login":false).
- Enable the target authentication ("auth_enabled": true).
curl https://api.probely.com/targets/3st5ZKNYGV1r/ \
-X PATCH \
-H 'Content-Type: application/json' \
-H 'Authorization: JWT <YOUR_API_TOKEN>' \
-d '{
"site":{
"has_sequence_login":true,
"has_form_login":false,
"auth_enabled": true
}
}'
The response will return the target updated with the latest changes.
{
"id": "3st5ZKNYGV1r",
"site": {
"id": "4EtuJYp5Qsau",
"name": "My example",
"desc": "",
"url": "https://example.com",
"host": "example.com",
"has_form_login": false,
...
"has_sequence_login": true,
...
"auth_enabled": true,
...
},
...
}
Now, with the target authentication set, Probely scans on the target will be able to reach restricted areas meant for authenticated users only.
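The two requests from Steps 2 and 3 can also be built in a script, which avoids hand-escaping the recorded sequence into the "content" string and keeps the API token out of the command line. This is an added example, not Probely's own code: the sample steps are constructed (the real content comes from the Sequence Recorder download), and the PROBELY_API_TOKEN variable name is an assumption.

```python
import json
import os
import urllib.request

API = "https://api.probely.com"  # base URL used by the curl calls on this page


def sequence_body(name, recorded_steps):
    """Body for POST /targets/<id>/sequences/; "content" is itself a JSON string."""
    return {
        "name": name,
        "content": json.dumps(recorded_steps),  # encoded here, then again when sent
        "type": "login",
        "enabled": True,
    }


def auth_patch_body():
    """Body for PATCH /targets/<id>/: sequence login on, form login off."""
    return {"site": {"has_sequence_login": True,
                     "has_form_login": False,
                     "auth_enabled": True}}


def build_request(method, path, body, token):
    """Build (but do not send) an authenticated API request."""
    return urllib.request.Request(
        API + path,
        data=json.dumps(body).encode("utf-8"),
        method=method,
        headers={"Content-Type": "application/json",
                 "Authorization": "JWT " + token},
    )


def configure(target_id, name, recorded_steps, token):
    """Return the Step 2 and Step 3 requests, in the order they must be sent."""
    seq = sequence_body(name, recorded_steps)
    return [build_request("POST", f"/targets/{target_id}/sequences/", seq, token),
            build_request("PATCH", f"/targets/{target_id}/", auth_patch_body(), token)]


if __name__ == "__main__":
    # Constructed sample steps, not the recorder's real export format.
    steps = [{"type": "goto", "url": "https://example.com/login"}]
    token = os.environ["PROBELY_API_TOKEN"]  # assumed variable name
    for req in configure("3st5ZKNYGV1r", "My login sequence", steps, token):
        with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
            print(req.get_method(), req.full_url, resp.status)
```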