SUPPORT

24/5 Hotline Support Service

+44 (0)20 3588 3841

Open a Support Ticket

support@netsparker.com

Custom Scripts for Form Authentication in Netsparker Standard

Occasionally, you will need to modify Netsparker's automatic authentication so that it is suited to your website. Custom scripting support enables you to automate your website’s form authentication process. Here are some sample scenarios:

  • If your login form is not a regular login form with two input fields, you may need to select a department from a box or a dropdown menu
  • The submit button on login form is not a regular HTML button
  • There are multiple forms in the login form page and Netsparker is unable to detect the correct form (for example, Netsparker locates the signup form on the same page)
  • The login form page is not present in the DOM by the time the page loads, but you need to click a link to make login form appear on the page, usually in a virtual login dialog
  • The authentication process consists of several page navigations, where you first visit a page to get a cookie, another to enter the username and yet another to enter the password
  • Netsparker is unable to locate the login form for various other reasons

Custom scripts for form authentication in Netsparker can be written in JavaScript. Netsparker executes the code in the context of form authentication pages, where you can access and manipulate the page DOM. The code is executed by the time the page is fully loaded. You can use any HTML API that modern browsers support to locate the login form elements and complete them.

Custom Script Editor

The Custom Script editor is where you author your custom scripts. It consists of three parts: a script editor, an embedded browser view and a developer tools panel.

Script Editor

Write your scripts in the Script Editor as illustrated. Any HTML, JavaScript or DOM API that is supported in a modern browser is supported here too. In addition, you can use some of the helper functions provided by Netsparker in the netsparker.auth namespace. These functions will help you to complete input values and click elements, for example.

Browser View

The browser view on the right helps you preview the login form page and generate code for elements on authentication pages. This window loads the login form URL when opened.

  • You can right-click elements on the page to view the context menu in order to use code generation options.
  • You can generate code that either works immediately or works after a delay using the Generate element code and Generate element code (delay 2000ms) menu items respectively. When you click these menu items, a single line of code will be appended to the script editor on the left.
  • If you have generated code for an input value, a JavaScript code that sets a value will be generated.
  • If you generate code for an element like a button or an anchor, a JavaScript code that clicks that element will be generated.
  • You can also customize the code that is automatically generated. For example, you can replace the variable username generated for a setValueByQuery call with a hardcoded JavaScript string like john.doe (use of dynamic variables like username and password is encouraged though, if you mean to supply credential values). There are two variables username and password available to your scripts as mentioned above. These variables will contain the credentials of the active persona at the time of execution and by using these variables, your script will be generic enough to support multiple persona feature.

Developer Tools Panel

The developer tools panel right below the browser view contains all sorts of web development helper tabs. They work in the context of the currently loaded page in the browser view and enabled you to:

  • Inspect the current states of the HTML elements in the Elements tab
  • Monitor the HTTP requests in the Network tab
  • See logs and execute script code in the Console tab

Toolbar Buttons

This table lists and explains the toolbar buttons in this window.

Buttons

Explanations

Load Login Form (F4)

Load Login Form (F4): By pressing this button, a new browser view instance will be created and the specified login form URL will be loaded into this browser view. No custom script code is executed when you press this button and any cookie value will vanish from the previous browser view.

Test Script (F5)

Click to begin executing the custom script code you have written. Your login form URL will be loaded into a new browser view and the script execution will start once the login form has completely loaded. If you have several pages of custom script, they will be executed in the order they are written. You can view the status of the current page and the status of script execution next to the address bar above the browser view.

Clear

Click to clear all the code in the current page script editor.

Templates

Click to view sample script templates. Select one to load a predefined script. You can start with these sample codes and tweak this script to suit your needs.

Generate optimized code check box

Below to the browser view is checked by default. When enabled the Generate element menu items will try to generate most optimized and shortest CSS query code possible. For example if you have an HTML element with an id value, since id values in an HTML document uniquely identifies an element, a very concise CSS query selector with this value will be generated. In some cases, you may have randomly generated id values for your elements and having different values each time the page is loaded, hence in these cases, you may want to uncheck this option to generate an alternative CSS query that is not using the id value.

Executing Scripts on Multiple Pages

You can write and use custom scripts if your form authentication consists of multiple pages or has redirects. For most of these scenarios, a single page of custom script will help you authenticate with the website. This screenshot shows a form authentication scenario where the username (an email address in this example) is entered on the first page and the password is entered on the next page.

Since there is a brand new document context after each page is loaded, you need to enter your custom script code to separate pages dedicated to that page. Netsparker provides you with the opportunity to execute your custom script code after each page navigation during the form authentication process. So, all you need to do is create script pages on this window and write the corresponding piece of code for that page.

Form Authentication Troubleshooting, Tips and Tricks

Q: My login form is dynamically rendered inside an inline dialog and Netsparker cannot find it, how can I fill that login form?

Write a custom script that first clicks the link or button that triggers the dialog and populate the login form after a delay:

netsparker.auth.clickByQuery('#header > div.row > a:nth-child(1)'); // Trigger the login dialog
netsparker.auth.setValueByQuery('#email', username, 2000);
netsparker.auth.setValueByQuery('#password', password, 2000);
netsparker.auth.clickByQuery('#login-button', 3000);

The code above will first trigger the login dialog (first line), fill username & password after 2 seconds and click the login button in dialog on 3rd second.

Q: My login form has some other fields along with username and password, how can I fill that login form?

A: Write custom script to fill username and password from current persona variables, hardcode the rest of the credentials to your script:

netsparker.auth.setValueByQuery('#Username', username);
netsparker.auth.setValueByQuery('#Password', password);
netsparker.auth.setValueByQuery('#LoginCode', '4815162342'); // Hard-coded extra credential
netsparker.auth.clickByQuery('#LoginButton');

Q: How can I provide custom cookies that are required during form authentication?

A: Specify the cookies in the Custom Cookies section of the General section of your current scan profile. These cookies will be issued during the form authentication requests.

Q: How can I provide custom header values or change the user agent string during form authentication?

A: You can create a scan policy with custom header values and/or modified user agent strings and select it on the current profile during form authentication.

Q: My site requires me to visit some pages before displaying the login form URL and I cannot use the login form URL directly, how should I authenticate?

A: Use the first page that is required to be visited as the Login form URL. Then, using custom scripting, write code that performs navigation for each page that needs to be visited. You can click the HTML elements via scripting or simply use code like the following to just perform the navigation:

document.location = 'https://mysite.com/login/next_page.htm';

Q: My site performs several redirects before reaching the login form, how can I write custom script code for the login form?

A: Create custom script pages for each redirect leaving the script editor empty, and write your custom script for login form on the last page. Netsparker won't run any code for pages that perform the redirect.

Q: I need to run some script code after a certain amount of time, how can I do that?

A: Use the built-in setTimeout JavaScript function:

setTimeout(function() {
   // Write your JavaScript code here to execute after 2000 milliseconds
}, 2000);

TIP: Use the functions provided by Netsparker Form Authentication API (netsparker.auth) to set input values or click elements. These functions do not simply set values or click elements, but also simulates any necessary JavaScript events that are triggered when a user performs these tasks. Some JavaScript frameworks require these events to be fired so simply setting input values or clicking elements may not be enough.

TIP: You do not necessarily need to click the Login button on your page. If you have a JavaScript function that performs the login, you can call that function after populating the login form:

netsparker.auth.setValueByQuery('#Username', username);
netsparker.auth.setValueByQuery('#Password', password);
MyApp.LoginController.DoLogin();

Known Issues

  • Netsparker does not have scripting support for popups opened during form authentication process. Please use the URL loaded into the popup window as your Login form URL if that is possible.
Netsparker

Dead accurate, fast & easy-to-use Web Application Security Scanner

GET A DEMO