
Recorded Login

Recorded Login captures your actual browser login sequence and replays it during scans to authenticate the scanner with your application. This method works with most custom login forms, including those with JavaScript validation, CSRF tokens, and multi-step flows.

How Recorded Login Works

  1. You start a recording session in the Detectify dashboard
  2. A browser window opens showing your application’s login page
  3. You perform the login steps as you normally would
  4. Detectify records the sequence of actions (page navigations, form inputs, button clicks)
  5. During scans, the scanner replays this sequence to authenticate

The recording captures the structure of the login flow, not just the credentials. This means it handles CSRF tokens, dynamic form fields, and JavaScript-based login flows that would break simple credential replay.
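To make that point concrete, here is a constructed Python model, added here and not Detectify's code, of why replaying the login's structure survives per-request CSRF tokens while resending the captured request does not; the stand-in app, the test account and the step names are all assumptions.

```python
"""Toy model of recorded-login replay (constructed example, not Detectify code).
The stand-in app issues a fresh single-use CSRF token per login-form GET, so
replaying the flow's structure works while resending captured bytes does not."""
import re
import secrets

class StandInApp:
    """Minimal login app with a per-form CSRF token and one test account."""
    def __init__(self):
        self.tokens = set()
        self.users = {"scanner@example.test": "correct horse"}  # constructed

    def get_login_form(self) -> str:
        token = secrets.token_hex(8)
        self.tokens.add(token)
        return (f'<form method="post" action="/login">'
                f'<input type="hidden" name="csrf" value="{token}">'
                '<input name="email"><input name="password">'
                '<button type="submit">Sign in</button></form>')

    def post_login(self, fields: dict) -> bool:
        token = fields.get("csrf")
        if token not in self.tokens:
            return False            # stale, reused or missing token
        self.tokens.discard(token)  # single use, like many real frameworks
        return self.users.get(fields.get("email"), object()) == fields.get("password")

def hidden_fields(html: str) -> dict:
    """Collect hidden inputs (CSRF token, dynamic fields) from a rendered form."""
    return dict(re.findall(r'<input type="hidden" name="(\w+)" value="(\w+)">', html))

def replay_recorded(app: StandInApp, steps: list) -> bool:
    """Replay recorded steps: 'navigate' re-fetches the form, 'fill' sets a
    visible field, 'click' submits filled fields plus the *current* hidden ones."""
    form, filled = "", {}
    for action, *args in steps:
        if action == "navigate":
            form, filled = app.get_login_form(), {}
        elif action == "fill":
            filled[args[0]] = args[1]
        elif action == "click":
            return app.post_login({**hidden_fields(form), **filled})
    return False

def replay_captured_request(app: StandInApp, captured: dict) -> bool:
    """Naive credential replay: resend exactly the fields captured at record time."""
    return app.post_login(captured)

RECORDING = [("navigate", "/login"), ("fill", "email", "scanner@example.test"),
             ("fill", "password", "correct horse"), ("click", "Sign in")]
```

Run `replay_recorded(StandInApp(), RECORDING)` twice against the same app and both succeed, because each navigate step picks up a fresh token; a captured request replayed a second time is rejected.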

Setting Up Recorded Login

Step 1: Open Authentication Settings

  1. Navigate to your scan profile in Application Scanning
  2. Select Authentication in the profile settings
  3. Choose Recorded Login

Step 2: Start the Recording

  1. Select Start recording
  2. A browser window opens, loading your application’s login page
  3. If your login page is at a different URL than your application root, enter the login URL when prompted

Step 3: Perform the Login

Interact with the login form as you normally would:

  1. Enter your username or email address
  2. Enter your password
  3. Click the login/submit button
  4. Wait for the application to load the authenticated page

Perform only the actions needed to log in. Do not navigate the application after login — the recording should end once you have reached an authenticated page.

Step 4: Verify the Recording

After completing the login:

  1. Select Stop recording
  2. Detectify shows a summary of the recorded steps
  3. Review the steps to confirm they capture the complete login flow
  4. Select Save to store the recording in your scan profile

Step 5: Test the Recording

Before running a full scan, verify the recording works:

  1. Select Test login in the authentication settings
  2. The scanner replays the recorded sequence
  3. A success message confirms authentication worked, or an error indicates what went wrong

Recording Tips

Keep It Simple

Record only the login flow. Avoid interacting with other parts of the application during recording. The scanner handles application navigation on its own after authentication.

Use Stable Credentials

Use a dedicated test account with credentials that will not change. If the password changes, you will need to re-record the login.

Handle Pre-Login Pages

If your application shows a landing page, cookie consent banner, or other content before the login form, interact with these elements as needed during the recording. The scanner replays the full sequence including these steps.

Multi-Step Login Flows

Recorded Login supports multi-step login flows where the username and password are on separate pages, or where additional steps (organization selection, terms acceptance) are required between entering credentials and reaching the authenticated state.

Simply perform all required steps during the recording. Each step is captured and replayed in order.

Common Issues

Recording Fails to Authenticate

  • Credentials changed: Re-record with current credentials
  • CSRF token expired: Re-record to capture a fresh token sequence. The scanner generates new tokens during replay.
  • Rate limiting: If the test account is rate-limited, wait and try again, or adjust rate limits for the test account

Scanner Loses Authentication During Scan

  • Add the logout URL to your scan profile’s exclusion list
  • Check if the application invalidates sessions after a period of inactivity and extend the timeout for the test account
  • Verify the session cookie is not bound to a specific IP address (scanner IPs differ from your recording IP)

Login Page Uses CAPTCHA

Recorded Login cannot bypass CAPTCHAs. Options include:

  • Disable CAPTCHA for the test account
  • Allowlist the scanner’s IP addresses to bypass CAPTCHA
  • Use a CAPTCHA bypass configuration if your CAPTCHA provider supports it

Login Requires Multi-Factor Authentication

If MFA cannot be avoided:

  • Configure an MFA exemption for the test account based on IP address or other criteria
  • Use a TOTP-based MFA where the seed can be provided (some authentication methods support this)
  • Disable MFA for the dedicated scanning account if your security policy allows it

Re-Recording

You should re-record the login when:

  • Test account credentials change
  • The login page structure changes significantly
  • You observe authentication failures in scan logs
  • You switch to a different test account

To re-record, open the authentication settings in your scan profile and select Re-record login. The new recording replaces the previous one.
