Occasionally, you will need to modify Netsparker's automatic authentication so that it is suited to your website. Custom scripting support enables you to automate your website’s form authentication process. Here are some sample scenarios:
- If your login form is not a regular login form with two input fields, you may need to select a department from a box or a dropdown menu
- The submit button on login form is not a regular HTML button
- There are multiple forms in the login form page and Netsparker is unable to detect the correct form (for example, Netsparker locates the signup form on the same page)
- The login form page is not present in the DOM by the time the page loads, but you need to click a link to make login form appear on the page, usually in a virtual login dialog
- The authentication process consists of several page navigations, where you first visit a page to get a cookie, another to enter the username and yet another to enter the password
- Netsparker is unable to locate the login form for various other reasons
Custom Script Editor
The Custom Script editor is where you author your custom scripts. It consists of three parts: a script editor, an embedded browser view and a developer tools panel.
A developer tools panel is not available in Netsparker Enterprise.
The browser view on the right helps you preview the login form page and generate code for elements on authentication pages. This window loads the login form URL when opened.
- You can right-click elements on the page to view the context menu in order to use code generation options.
- You can generate code that either works immediately or works after a delay using the Generate element code and Generate element code (delay 2000ms) menu items respectively. When you click these menu items, a single line of code will be appended to the script editor on the left.
Developer Tools Panel
The developer tools panel right below the browser view contains all sorts of web development helper tabs. They work in the context of the currently loaded page in the browser view and enabled you to:
- Inspect the current states of the HTML elements in the Elements tab
- Monitor the HTTP requests in the Network tab
- See logs and execute script code in the Console tab
This table lists and explains the toolbar buttons in this window.
Load Login Form (F4)
Load Login Form (F4): By pressing this button, a new browser view instance will be created and the specified login form URL will be loaded into this browser view. No custom script code is executed when you press this button and any cookie value will vanish from the previous browser view.
Test Script (F5)
Click to begin executing the custom script code you have written. Your login form URL will be loaded into a new browser view and the script execution will start once the login form has completely loaded. If you have several pages of custom script, they will be executed in the order they are written. You can view the status of the current page and the status of script execution next to the address bar above the browser view.
Click to clear all the code in the current page script editor.
Click to view sample script templates. Select one to load a predefined script. You can start with these sample codes and tweak this script to suit your needs.
Generate optimized code check box
Below to the browser view is checked by default. When enabled the Generate element menu items will try to generate most optimized and shortest CSS query code possible. For example if you have an HTML element with an id value, since id values in an HTML document uniquely identifies an element, a very concise CSS query selector with this value will be generated. In some cases, you may have randomly generated id values for your elements and having different values each time the page is loaded, hence in these cases, you may want to uncheck this option to generate an alternative CSS query that is not using the id value.
Executing Scripts on Multiple Pages
You can write and use custom scripts if your form authentication consists of multiple pages or has redirects. For most of these scenarios, a single page of custom script will help you authenticate with the website. This screenshot shows a form authentication scenario where the username (an email address in this example) is entered on the first page and the password is entered on the next page.
Since there is a brand new document context after each page is loaded, you need to enter your custom script code to separate pages dedicated to that page. Netsparker provides you with the opportunity to execute your custom script code after each page navigation during the form authentication process. So, all you need to do is create script pages on this window and write the corresponding piece of code for that page.
Form Authentication Troubleshooting, Tips and Tricks
Q: My login form is dynamically rendered inside an inline dialog and Netsparker cannot find it, how can I fill that login form?
Write a custom script that first clicks the link or button that triggers the dialog and populate the login form after a delay:
netsparker.auth.clickByQuery('#header > div.row > a:nth-child(1)'); // Trigger the login dialog
netsparker.auth.setValueByQuery('#email', username, 2000);
netsparker.auth.setValueByQuery('#password', password, 2000);
The code above will first trigger the login dialog (first line), fill username & password after 2 seconds and click the login button in dialog on 3rd second.
Q: My login form has some other fields along with username and password, how can I fill that login form?
A: Write custom script to fill username and password from current persona variables, hardcode the rest of the credentials to your script:
netsparker.auth.setValueByQuery('#LoginCode', '4815162342'); // Hard-coded extra credential
Q: How can I provide custom cookies that are required during form authentication?
A: Specify the cookies in the Custom Cookies section of the General section of your current scan profile. These cookies will be issued during the form authentication requests.
Q: How can I provide custom header values or change the user agent string during form authentication?
A: You can create a scan policy with custom header values and/or modified user agent strings and select it on the current profile during form authentication.
Q: My site requires me to visit some pages before displaying the login form URL and I cannot use the login form URL directly, how should I authenticate?
A: Use the first page that is required to be visited as the Login form URL. Then, using custom scripting, write code that performs navigation for each page that needs to be visited. You can click the HTML elements via scripting or simply use code like the following to just perform the navigation:
document.location = 'https://mysite.com/login/next_page.htm';
Q: My site performs several redirects before reaching the login form, how can I write custom script code for the login form?
A: Create custom script pages for each redirect leaving the script editor empty, and write your custom script for login form on the last page. Netsparker won't run any code for pages that perform the redirect.
Q: I need to run some script code after a certain amount of time, how can I do that?
- Netsparker does not have scripting support for popups opened during the form authentication process. Please use the URL loaded into the popup window as your Login form URL if that is possible.