Posted on January 30, 2020 | December 14, 2020

Scanning Behind Login

by Pope Tech

Summary: Authenticated web pages (web pages that are secured behind a login process) can be added into your Pope Tech dashboard and enable you to run full, site-wide accessibility scans of your domain.

Overview

  • Requirements
  • Request Enabling of Authentication Settings
  • Verify User Permissions
  • Select Authentication Type
  • Test Authentication
  • Input/Upload Authenticated Web Pages
  • Require Authentication for Pages
  • Scan Website
  • Frequently Asked Questions

Requirements

Website Authentication must be turned on at an account level. Contact Pope Tech support when you are ready to make this change.

Pope Tech supports the following website authentication types:

  • Cookie (most common)
  • Basic
  • API-token

In order to scan authenticated web pages, websites will need to utilize one of these methods. Depending on website complexity, it may be recommended that this process be undertaken or assisted by someone familiar with both HTML and your website structure.

Scanning behind a login isn’t intended to be used to scan any sensitive, private, or confidential data that shouldn’t be stored on Pope Tech servers. See terms of use.

Request Authentication Settings

Enabling website authentication options is an account-wide setting that must be turned on by your account representative. Please contact support to request this feature.

Verify User Permissions

Once authentication is turned on for an account, any user with the role of Owner will have access to the website permission “Manage Website Authentication”. This permission can be given to other users via the role settings as needed. Only users with a role that has this permission enabled will be able to manage website authentication settings.

  1. Navigate to the “Roles” page in the main dashboard navigation menu (sub-menu under “Users”)
  2. Create a new role or edit an existing role
  3. Select the website permission: “Manage Website Authentication” and save.

Select Authentication Type

Pope Tech supports three authentication types. Determining which authentication type is used on your website is most efficiently done with assistance from someone within your organization with technical knowledge of your website’s structure. Alternatively, reach out to support for assistance.

  1. Navigate to the “Website” portion of your dashboard
  2. Create a new website and enter URL information as needed
  3. Activate the “Authentication Options” portion of the Website Settings widget and select “Use Website Authentication”
  4. Select the “Authentication Type” drop down and choose your website authentication type out of the list:
    • Cookie
    • API Token – Client Local Storage
    • Basic

Authentication Type: Cookie

For cookie authentication types, you will need to determine unique properties from your website to designate as login form and login success identifiers. Identifiers can be in the form of an id, class, or html element with unique properties (CSS Selectors).

Identifiers needed:

  • Username Field Identifier
  • Password Field Identifier
  • Submit Button Identifier
  • Success Identifier

Identifiers Key:

  • An HTML id should be designated by a “#” followed by the id.
    • Example:
      id="username" entered as #username
  • An HTML class should be designated by a “.” followed by the class.
    • Example:
      class="password" entered as .password
  • An HTML element should be designated by the element followed by a unique property of that element
    • Example:
      <button type="submit"> entered as button[type="submit"]
  • The “Success Identifier” uses the same syntax as above, and is any unique id, class, or element that is found on the website’s landing page just after logging in. This identifier must not be present on the login URL, or on any login error pages that surface in the event of a failed login.
    • Example:
      <div id="app-wrapper"> entered as #app-wrapper

Authentication Type: API Token – Client Local Storage

Setting up the API Token – Client Local Storage authentication will first require your website’s login API Token Name. If unknown, this can be retrieved from your browser’s local client data:

  1. Log in to your website
  2. While logged in, open your browser developer tools
  3. Navigate to the “Application” tab (Chrome) or your “Storage” tab (Firefox)
  4. Locate your Local Storage for your URL
  5. Look for a Value that has a username that is the same as the user logged in.
  6. Locate the corresponding Key to the Value. This key will be your Token Name

For the remainder of the requirements for the API Token authentication, see steps for cookie authentication.

Authentication Type: Basic

Basic Authentication is when the website uses HTTP Basic Auth. Only the username, password and agreeing to the authentication scanning terms are required.

Because Basic Authentication uses the native, built-in browser login form, it will always be a generic, non-customizable login form. The form will be slightly different based on the browser, but it will always be a similarly simple form.

If your login form is branded to match the styles and UI of your website, that is a sure way to rule out Basic Authentication as your Authentication Type. The most common login type is Cookie.

Test Authentication

It is recommended to test your authentication settings once they have been input. A status of “success” means that the scanner was able to find the “Success Identifier” after submitting the login form on the webpage.
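
An added example (not Pope Tech's code): a small Python checker for the three identifier forms in the Identifiers Key and for the rule that the Success Identifier must appear on the landing page but not on the login or login error pages. The sample pages and settings are constructed, and requiring exactly one match per login field is an assumption based on the guide's "unique" wording.

```python
import re
from html.parser import HTMLParser
# Identifier forms from the Identifiers Key: #id, .class, element[attr="value"]
ATTR_FORM = re.compile(r'^([a-zA-Z][\w-]*)\[([\w-]+)="([^"]*)"\]$')

def parse_identifier(ident):
    """Return (tag, attr, value); tag is None for the #id and .class forms."""
    if ident[:1] in ("#", ".") and len(ident) > 1:
        return (None, "id" if ident[0] == "#" else "class", ident[1:])
    m = ATTR_FORM.match(ident)
    if not m:
        raise ValueError(f"unsupported identifier form: {ident!r}")
    return (m.group(1).lower(), m.group(2).lower(), m.group(3))

class MatchCounter(HTMLParser):
    def __init__(self, rule):
        super().__init__()
        self.rule, self.hits = rule, 0
    def handle_starttag(self, tag, attrs):
        want_tag, attr, value = self.rule
        got = dict(attrs).get(attr)
        if got is None or (want_tag and tag != want_tag):
            return
        # class holds space-separated tokens; other attributes match exactly
        self.hits += value in got.split() if attr == "class" else got == value

def count_matches(html, ident):
    counter = MatchCounter(parse_identifier(ident))
    counter.feed(html)
    return counter.hits

def check_config(cfg, login_html, error_html, landing_html):
    problems = []
    for name in ("username", "password", "submit"):
        n = count_matches(login_html, cfg[name])
        if n != 1:  # assumption: each login field identifier should be unique
            problems.append(f"{name}: {n} matches on login page, expected 1")
    if count_matches(landing_html, cfg["success"]) == 0:
        problems.append("success: not found on landing page")
    for label, page in (("login", login_html), ("error", error_html)):
        if count_matches(page, cfg["success"]):
            problems.append(f"success: also present on {label} page")
    return problems

# Constructed sample pages and settings (not from a real site).
LOGIN = '<div id="app-wrapper"><input id="username"><input class="password field"><button type="submit">Sign in</button></div>'
ERROR = LOGIN.replace('<input id', '<p class="error">Invalid login</p><input id')
LANDING = '<div id="app-wrapper"><nav class="account-menu">Signed in</nav></div>'
CONFIG = {"username": "#username", "password": ".password",
          "submit": 'button[type="submit"]', "success": ".account-menu"}
```

On this constructed site the login and error pages share the `#app-wrapper` container, so `check_config(dict(CONFIG, success="#app-wrapper"), LOGIN, ERROR, LANDING)` reports it as present on both, while `.account-menu` passes.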

Input/Upload Web Pages

For larger websites, it is recommended to initially enter a small sample size (1-3) of web pages to verify that the authentication is configured accurately. Once you have a successful scan of authenticated web pages, feel free to upload your complete list of pages.

  1. Navigate to the “Pages” or “Pages and Templates” widget of the Edit Website page
  2. Add pages manually or upload a CSV via the “Upload URI List”

Require Authentication for Pages

Once web pages are entered you will need to change the page settings to “Require Authentication” for all pages that are behind a login. To require authentication for all pages, navigate to the “Pages” or “Pages and Templates” widget on the Edit Website page and use the following steps:

  1. Set the “Authentication Filter” to “No”
  2. Activate the apply filter button
  3. Select up to the first ten pages by activating the checkbox in the header row.
  4. If there are more than ten pages, select all pages by activating the “Select all pages with the selected criteria” button
  5. Activate the “Require Authentication” button

Scan Website

You should now be ready to scan your application website. If your scan results are returning any form of either 401 errors or “Authentication Required” responses then you will need to verify your authentication type and authentication information and try again.

Frequently Asked Questions (FAQ)

Does the crawler work behind logins?

  • The crawler does not work behind logins at this time. Authenticated web pages will need to be added via the CSV page upload or manually entered.