Hi,
I am trying to spider a site behind a form-based authentication.
Let's say my username=testuser and my password=123 and the input fields are called "username" and "password".
So I added "username" and "password" to
- Form Handler
- Context:
-- Authentication:
--- Target URL: the URL from the "action" attribute
--- URL to GET Login Page: localhost:8765/myloginpage
--- POST data: username={%username%}&password={%password%}
--- Username Parameter: username
--- Password Parameter: password
-- User: testuser
-- ForcedUser: testuser
Session and CSRF cookies seem to be recognized correctly (JSESSIONID & _csrf).
AJAX Spider dialog:
- "Use random values in form field" -> disabled
- Context: Default (since it's the only one I have)
- User: testuser
Remarks:
- The "URL to GET Login Page" is a generic page, i.e. a single login page, let's say localhost:8765/myloginpage, with a lot of GET parameters like "clientId", "redirect_uri", "nonce", ... I cannot figure out how this comes into play.
- When looking at the logs of the AJAX spider I do see a 200 response, but:
1. I cannot "see" the actual page during spidering with a non-headless browser.
2. The site is a single page application. The response includes the application's response for disabled JavaScript ("this site doesn't work properly without JavaScript enabled").
Now I am totally confused. Am I doing something wrong? Has the site been spidered?
And: how do I configure the credentials from the spider for the Attack mode?
Many thanks,
Christian