Interactive Logins

Description

Our authentication scripts enable NightVision to evaluate an application’s endpoints behind authentication or login pages. This step is optional, yet it offers much more thorough coverage and mimics scenarios where a malevolent individual establishes a new user account or acquires compromised credentials.

Try the commands below for an authenticated scan against the public targets.

How to Record Authentication

Open the NightVision CLI and enter the following command:

bash

nightvision auth playwright create testphp http://testphp.vulnweb.com

This will bring up an incognito Chrome window to record the authentication sequence. In the Chrome window:

1. Navigate to the URL of the web application you want to scan.
2. Log in to the web application.
   1. Username: test
   2. Password: test
3. Once it is logged in, close the Chrome window.

What’s happening here?

We use Playwright Codegen to record the authentication process. Once the Chrome window is closed, it will upload the Playwright script, which will be stored securely in our backend.

The Playwright script will be replayed during our scans to log in to web apps and APIs. This lets us test “the good stuff” - the parts of an application hidden behind login pages.

We also have some ✨ magic ✨ on the backend that allows us to take screenshots and videos of the login process, and apply heuristics to validate whether or not the user is logged in.

It will automatically upload the authentication sequence to NightVision’s API.

• Navigate to the Authentication page - Authentications. You’ll notice that the credentials you just recorded now appear in the list.
• If you click on it, you’ll see the recorded Playwright script.

Our authentication scripts enable NightVision to evaluate your application’s endpoints behind authentication or login pages.