Login and Replay
The FortiDAST Login and Replay feature is a powerful tool that enables you to capture complex login sequences, including multi-form and multi-factor authentication (One-Time Passwords or Tokens) for vulnerability scans.
Modern web applications, such as e-commerce sites, cloud providers, and bank websites, often involve complex login sequences.
- Multi-form/multi-page authentication: The user must first provide their email address or phone number, and then enter their credentials on the next page.
- Multi-factor authentication: The user must log in with their username and password, and then enter a one-time password (OTP) or token sent to their phone.
- SSO (single sign-on): SSO allows users to log in to multiple applications using a single set of credentials.
The FortiDAST Login and Replay feature captures these login sequences and replays them during the vulnerability scan, ensuring that the scan is performed as if a real user were logged in. This can help identify vulnerabilities that would not be found by a traditional vulnerability scan.
The login sequences are captured with the FortiDAST Web Application Scanning Chrome extension and saved as a JSON file. You must upload the saved JSON file in the Scan Configuration > Login & Replay tab. FortiDAST replays the recording to simulate the login process and automatically collects the session cookies to continue authenticated scanning of the web pages.
Note: The Login and Replay feature is not supported in Proxy mode. Therefore, FortiDevSec users who use FortiDAST for scanning cannot use this feature, as their scans are performed through Proxy.
Following is an overview of the login and replay process:
- Download the FortiDAST Web Application Scanning Chrome extension. See Downloading FortiDAST Web Application Scanning extension.
- Capture the web application login sequence. See Capturing login sequence.
- Upload the recording (.json file) to FortiDAST. See Uploading recording to FortiDAST.
- Perform the vulnerability scan.
Downloading FortiDAST Web Application Scanning extension
The FortiDAST Web Application Scanning Chrome extension provides a unique feature that allows you to record user activities, which can then be used to improve vulnerability scanning in FortiDAST. It enables you to capture complex login sequences, including multi-form and multi-factor authentication (One-Time Passwords or Tokens), for vulnerability scans by recording page-loads, click-events, keypress-events, visibility-change, submit-events, and input-events. The extension automatically downloads a JSON file with the captured actions for further processing in FortiDAST.
To download the Chrome extension, perform the following steps:
- Launch the Google Chrome browser.
- Go to the Chrome Web Store.
- Browse or search for FortiDAST Web Application Scanning.
- Click Add to Chrome.
- Review the permissions and click Add extension.
- Access the extension page: click the menu icon on the Chrome toolbar, select More tools, and then select Extensions.
- Ensure that the FortiDAST Web Application Scanning extension is present and enabled.
- Provide the necessary permissions to the extension.
- Click Details.
- In the FortiDAST Web Application Scanning page, scroll down and toggle the Allow in incognito option.
- Toggle the Allow access to file URLs option.
Note: Since the FortiDAST Web Application Scanning extension operates only in incognito mode and requires access to file URLs, this step is mandatory and is important for the proper functioning of the extension.
Capturing login sequence
To capture the web application login sequence, perform the following steps:
- Launch the Google Chrome browser.
- Click the Extensions icon on the Chrome toolbar.
- Select FortiDAST Web Application Scanning.
- Click Start Recording to start a new recording. A new incognito tab opens.
  Note: The Copy to clipboard option is used to download the previously recorded sequence.
- Navigate to the desired web application and perform the login process.
  Notes:
  - You must manually type credentials or any other input. Copying and pasting into the input field will not capture the required data.
  - Do not switch to a different tab while recording is in progress. Complete the login sequence before switching to a different tab.
- Once you complete all the activities, click the Extensions icon on the Chrome toolbar, select FortiDAST Web Application Scanning, and click Stop Recording. The incognito tab closes and the recording (.json file) is downloaded to the local machine automatically.
  Note: Stop recording on the logged-in page where the login cookies or storage need to be collected. Before stopping the recording, wait for the web page to load completely after logging in. If you stop the recording before the page loads completely, the replay may fail.
- Click the Downloads icon on the Chrome toolbar to access the downloaded file. Click the Open in folder icon to open the download folder.
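Two points in the capture procedure are easy to get wrong and only surface later as a failed replay: the recording must end on a fully loaded logged-in page, and credentials must have been typed rather than pasted. The extension's event list (page-loads, click-events, keypress-events, visibility-change, submit-events, input-events) also means the recording file contains the typed credentials, so it should be handled as a secret. The following pre-upload check is an added example, not code from Fortinet or the extension; the JSON layout it parses (a list of objects with "type", "selector", "url" and "value" keys, and the short type strings) is an assumption made for illustration, since this page does not document the real recording schema.

```python
import json
from typing import Any

# Event-type names follow the categories the page lists. The key names and the
# exact type strings are ASSUMPTIONS for this example, not the real FortiDAST schema.
PAGE_LOAD = "page-load"
KEYPRESS = "keypress"
SUBMIT = "submit"
INPUT = "input"
KNOWN_TYPES = {PAGE_LOAD, "click", KEYPRESS, "visibility-change", SUBMIT, INPUT}


def check_recording(events: list[dict[str, Any]]) -> list[str]:
    """Return the problems found in a recorded login sequence (empty list if none)."""
    problems: list[str] = []
    if not events:
        return ["recording is empty"]
    unknown = sorted(str(e.get("type")) for e in events if e.get("type") not in KNOWN_TYPES)
    if unknown:
        problems.append(f"unknown event types: {unknown}")
    if not any(e.get("type") == SUBMIT for e in events):
        problems.append("no submit event: the login form does not appear to have been submitted")
    if not any(e.get("type") == KEYPRESS for e in events):
        problems.append("no keypress events: credentials must be typed, pasted text is not captured")
    # The page says to stop only after the logged-in page has loaded completely,
    # otherwise the replay may fail; a trailing page-load is the observable sign of that.
    if events[-1].get("type") != PAGE_LOAD:
        problems.append("last event is not a page load: stop recording after the logged-in page has loaded")
    return problems


def redact_for_sharing(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Copy of the recording with typed values blanked, for attaching to a ticket.

    Upload the ORIGINAL file to FortiDAST; this redacted copy cannot be replayed.
    """
    redacted = []
    for e in events:
        e2 = dict(e)
        if e2.get("type") in (KEYPRESS, INPUT) and "value" in e2:
            e2["value"] = "[REDACTED]"
        redacted.append(e2)
    return redacted


def load_recording(path: str) -> list[dict[str, Any]]:
    """Parse a recording file; raises ValueError if it is not a JSON list of events."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    if not isinstance(data, list):
        raise ValueError("recording must be a JSON array of events")
    return data


# Constructed sample recording (not a real FortiDAST capture); hostnames are placeholders.
SAMPLE_RECORDING: list[dict[str, Any]] = [
    {"type": "page-load", "url": "https://app.example.test/login"},
    {"type": "click", "selector": "#username"},
    {"type": "keypress", "selector": "#username", "value": "a"},
    {"type": "input", "selector": "#username", "value": "alice"},
    {"type": "keypress", "selector": "#password", "value": "x"},
    {"type": "input", "selector": "#password", "value": "x"},
    {"type": "submit", "selector": "form#login"},
    {"type": "page-load", "url": "https://app.example.test/home"},
]

if __name__ == "__main__":
    for problem in check_recording(SAMPLE_RECORDING) or ["recording looks complete"]:
        print(problem)
    print(json.dumps(redact_for_sharing(SAMPLE_RECORDING), indent=2))
```

Run the check on the downloaded .json before uploading it; a recording that was stopped before the post-login page finished loading, or in which the credentials were pasted, is caught here rather than after a scan has been queued. Keep the original file under the same access controls as the credentials it contains.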
Uploading recording to FortiDAST
- Log in to the FortiDAST portal.
- Navigate to the Scans Policy > Scan Configuration page. See Configuring the Scanner.
- In the Configuration section, select the Login & Replay tab.
- Click Choose File to Upload.
- Browse and select the previously downloaded recording (.json file).
- Click OK.
Once the scan is initiated, a red icon is displayed next to the scan IP in the Scan Policy page. This indicates that the scan is awaiting user input to proceed.
Click the red icon; a pop-up is displayed with an input field for the OTP/Token. Enter the OTP/Token and click Submit. If the correct data is entered, the scan continues.
An email is also sent to the registered email address with a link to provide the OTP/Token.