
Recorded Login

Recorded Login captures your actual browser login sequence and replays it during scans to authenticate the scanner with your application. This method works with most custom login forms, including those with JavaScript validation, CSRF tokens, and multi-step flows.

How Recorded Login Works

  1. You install the Detectify Recorder Chrome extension
  2. You navigate to your application’s login page and start a recording
  3. You perform the login steps as you normally would
  4. The extension records the sequence of actions (page navigations, form inputs, button clicks) into a .trail file
  5. You upload the .trail file to your scan profile in Detectify
  6. During scans, the scanner replays this sequence to authenticate

The recording captures the structure of the login flow, not just the credentials. This means it handles CSRF tokens, dynamic form fields, and JavaScript-based login flows that would break simple credential replay.

Setting Up Recorded Login

Step 1: Install the Detectify Recorder Extension

Install the Detectify Recorder extension from the Chrome Web Store. Once installed, pin the extension icon to your address bar for easy access.

Step 2: Record the Login

Use an incognito window to ensure no cached sessions or cookies interfere with the recording. The extension works in incognito mode when allowed in Chrome’s extension settings.

  1. Open your application’s login page in Chrome
  2. Click the Detectify Recorder extension icon
  3. Select Start recording
  4. Perform the login steps at a moderate pace — enter your username, password, and click the login button
  5. Wait until you reach an authenticated page (the landing page after login)
  6. Open the extension again and select Stop and review recording

Perform only the actions needed to log in. Do not navigate the application after login — the recording should end once you have reached an authenticated page.

Step 3: Review and Download

The extension displays all recorded actions for review. Confirm the recording captures your complete login flow, then download the .trail file.

Step 4: Upload to Detectify

  1. In the Detectify portal, navigate to Scanning Settings > Application Scanning > Authentication
  2. Select Recorded login > Add Recorded Login file
  3. Upload your .trail file
  4. The system validates the file automatically (this takes several minutes)

Step 5: Configure Scan Settings

Before running a scan with the recorded login:

  • Disallow logout paths — Add your logout URL to the scan profile’s disallowed paths. This prevents the scanner from logging itself out during crawling.
  • Allow scanner traffic — Ensure firewalls or WAF rules allow requests from the scanner.

Step 6: Verify Authentication

After starting a scan, look for a Recorded Login Succeeded finding in the scan report within 10–15 minutes. This confirms the scanner authenticated successfully using the recording.

Recording Tips

Use Incognito Mode

Always record in an incognito window to avoid cached sessions interfering with the recording. This ensures the recording captures the full login flow from an unauthenticated state.

Use Stable Credentials

Use a dedicated test account with credentials that will not change. If the password changes, you will need to re-record the login.

Avoid Admin Credentials on Production

The scanner will crawl and interact with all discoverable elements. Avoid using admin credentials on production environments to prevent unintended modifications.

Handle Pre-Login Pages

If your application shows a landing page, cookie consent banner, or other content before the login form, interact with these elements as needed during the recording. The scanner replays the full sequence including these steps.

Multi-Step Login Flows

Recorded Login supports multi-step login flows where the username and password are on separate pages, or where additional steps (organization selection, terms acceptance) are required between entering credentials and reaching the authenticated state.

Simply perform all required steps during the recording. Each step is captured and replayed in order.

The .trail File Format

The .trail file is a JSON document containing the recorded login sequence. It has two primary sections:

  • commands — Actions executed once at the start of a scan to reach the authenticated state. If any action fails, the sequence terminates.
  • sanityChecks — Validation actions that run after commands succeed, then repeat periodically. A failed check triggers a commands restart to re-authenticate.

Each action in the file specifies a type, command, selectors (with multiple CSS selector fallbacks), and values. The scanner tries each selector in order until one matches, making recordings resilient to minor page changes.

You do not normally need to edit .trail files by hand. The exception is when using Recorded Login Secrets with Internal Scanning, where you replace hardcoded credentials with secret references.
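To make the replay semantics described above concrete, here is an added Python model (example code written for this page, not Detectify's recorder or scanner code) that loads a constructed .trail-like JSON document and walks it the way the documentation describes: commands run once in order and stop at the first failure, each action is resolved by trying its CSS selectors in order until one matches, and sanityChecks are re-run periodically with a failed check triggering a fresh run of commands. The document's real field layout is not reproduced here; the keys commands, sanityChecks, type, command, selectors and values follow the prose, but their exact values and the FakePage class are assumptions made for the simulation, and the credential is a placeholder string.

```python
import json
from typing import Optional

# Constructed .trail-like document (not a real Detectify file). Selector lists are
# ordered fallbacks; the "type"/"command" vocabulary is assumed for this example.
SAMPLE_TRAIL = json.dumps({
    "commands": [
        {"type": "navigation", "command": "open", "selectors": [],
         "values": ["https://app.example.test/login"]},
        {"type": "input", "command": "type",
         "selectors": ["#username", "input[name='user']"], "values": ["scanner-test-account"]},
        {"type": "input", "command": "type",
         "selectors": ["#password", "input[type='password']"], "values": ["PASSWORD_PLACEHOLDER"]},
        {"type": "click", "command": "click",
         "selectors": ["button#login", "button[type='submit']"], "values": []},
    ],
    "sanityChecks": [
        {"type": "assertion", "command": "exists",
         "selectors": ["a#logout", "nav .signed-in"], "values": []},
    ],
})

# The simulated login page has been restyled since recording: the first selector of
# the username field and of the submit button no longer match, only the fallbacks do.
LOGIN_PAGE = {"input[name='user']", "#password", "button[type='submit']"}


class FakePage:
    """Stand-in for a browser tab: tracks which CSS selectors currently match."""

    def __init__(self) -> None:
        self.present: set[str] = set()
        self.typed: dict[str, str] = {}
        self.authenticated = False

    def open(self, url: str) -> None:
        self.present = set(LOGIN_PAGE)
        self.typed = {}

    def first_match(self, selectors: list[str]) -> Optional[str]:
        # Selector fallback: the first recorded selector that matches wins.
        return next((s for s in selectors if s in self.present), None)

    def click(self, selector: str) -> None:
        # Submitting with both fields filled moves the page to the authenticated state.
        if len(self.typed) == 2:
            self.authenticated = True
            self.present = {"a#logout"}

    def expire_session(self) -> None:
        # Simulates an idle timeout or the crawler hitting a logout link.
        self.authenticated = False
        self.present = set(LOGIN_PAGE)


def load_trail(text: str) -> dict:
    """Parse the JSON and require both sections the documentation describes."""
    trail = json.loads(text)
    for section in ("commands", "sanityChecks"):
        if not isinstance(trail.get(section), list):
            raise ValueError(f"missing section: {section}")
    return trail


def run_action(page: FakePage, action: dict) -> bool:
    """Execute one action; False when no selector matches or the command is unknown."""
    cmd = action["command"]
    if cmd == "open":
        page.open(action["values"][0])
        return True
    selector = page.first_match(action["selectors"])
    if selector is None:
        return False
    if cmd == "type":
        page.typed[selector] = action["values"][0]
    elif cmd == "click":
        page.click(selector)
    elif cmd != "exists":      # "exists" is satisfied by the match alone
        return False
    return True


def run_sequence(page: FakePage, actions: list[dict]) -> Optional[int]:
    """Run actions in order; return the index of the first failing action, or None."""
    for i, action in enumerate(actions):
        if not run_action(page, action):
            return i
    return None


def scan_session(trail: dict, page: FakePage, expiries: list[bool]) -> tuple[bool, int]:
    """Simulate a scan: log in once, then run sanityChecks once per tick.

    expiries[i] is True when the session is lost before tick i's check.
    Returns (initial_login_ok, number_of_re-authentications).
    """
    if run_sequence(page, trail["commands"]) is not None:
        return False, 0
    reauths = 0
    for expired in expiries:
        if expired:
            page.expire_session()
        if run_sequence(page, trail["sanityChecks"]) is not None:
            reauths += 1                      # failed check -> commands restart
            if run_sequence(page, trail["commands"]) is not None:
                break
    return True, reauths
```

Running scan_session with a couple of simulated session expiries shows the two behaviours worth understanding before uploading a recording: the login still succeeds although the first selector of two actions no longer matches, and every lost session costs one full replay of commands, which is why disallowing the logout path and extending the test account's session timeout reduce noise in the scan.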

Common Issues

Recording Fails to Authenticate

  • Credentials changed: Re-record with current credentials
  • CSRF token expired: Re-record to capture a fresh token sequence. The scanner generates new tokens during replay.
  • Rate limiting: If the test account is rate-limited, wait and try again, or adjust rate limits for the test account

Scanner Loses Authentication During Scan

  • Add the logout URL to your scan profile’s disallowed paths
  • Check if the application invalidates sessions after a period of inactivity and extend the timeout for the test account
  • Verify the session cookie is not bound to a specific IP address (scanner IPs differ from your recording IP)

Login Page Uses CAPTCHA

Recorded Login cannot bypass CAPTCHAs. Options include:

  • Disable CAPTCHA for the test account
  • Allowlist the scanner’s IP addresses to bypass CAPTCHA
  • Use a CAPTCHA bypass configuration if your CAPTCHA provider supports it

Login Requires Multi-Factor Authentication

If MFA cannot be avoided:

  • Configure an MFA exemption for the test account based on IP address or other criteria
  • Use a TOTP-based MFA where the seed can be provided — see Recorded Login Secrets for how Internal Scanning handles TOTP
  • Disable MFA for the dedicated scanning account if your security policy allows it

Re-Recording

You should re-record the login when:

  • Test account credentials change
  • The login page structure changes significantly
  • You observe authentication failures in scan logs
  • You switch to a different test account

To re-record, download a new .trail file using the Chrome extension and upload it to replace the existing file in your scan profile.
