If you have configured the Scan Behind Login feature but the login recording is failing with errors, one of the following reasons is likely the cause:

Website is not reachable

Solution 1: The website is behind a firewall

If you host the web asset behind a firewall for security reasons, you can whitelist the scanner IPs so that scans can run inside the restricted environment while your other access controls stay in place. Please follow this article for more details. All requests from our automated scanner originate exclusively from the following set of static IPs:

| You can add these IPs to the allow-list in your application firewall, login system, CAPTCHA, MFA, etc.

Invalid Credentials

Solution 1: Use the correct username/password for an account with the required permissions

Login page is protected by a Captcha

CAPTCHA solutions are designed to stop automated systems and let only human users through, so they frequently block automated vulnerability scanners as well.

Solution 1: Disable the captcha verification

You can either disable the verification entirely or choose to only disable it for the Astra Vulnerability Scanner. To identify the scanner, you can add a unique HTTP header from the Scanner Setup.

Solution 2: Use the HTTP Header method

You can log in to the application in your browser to capture an authenticated cookie, then add it in the Extra Headers step in the Scanner Setup.

| If you need assistance with recording a login sequence, create a support ticket or reach out to your account manager.

Login page is protected by a 2FA mechanism

Two-factor authentication is essential to web security because it immediately neutralizes the risks associated with compromised passwords. If a password is hacked, guessed, or even phished, that alone is no longer enough to give an intruder access: without approval at the second factor, the password is useless.

Solution 1: Static 2FA Code

If you are scanning a non-production site, you can make the 2FA code static so that it is the same on every login. This requires some code-level changes in your application.

Element Not Interactable

Sometimes a website takes longer than usual to load because of network latency or other reasons, so a recorded step may try to interact with an element before it is present on the page. In such cases you need to explicitly add pause statements to the login recording using the custom step of the Chrome DevTools Recorder.

Solution:

  1. Check the login recording failure details and see exactly at what point the failure occurred.

  2. Download the login recording from the Astra dashboard.

There are two possible ways to solve the issue:

Directly updating recording file:

  1. Open the login recording in any code editor

  2. Add a block like the one below just before the step that causes the login recording to fail:

{
    "type": "customStep",
    "name": "pause",
    "parameters": {
        "target": "20000"
    }
}
  3. Here the target value is the time to wait, in milliseconds (20000 = 20 seconds). Tweak this value according to your requirements.
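Editing the JSON by hand is error-prone on a long recording, so here is an added Python helper (not part of Astra's tooling or this article) that inserts the pause block above in front of a chosen step of a downloaded recording. It assumes you know the failing step's 0-based index in the steps array from the failure details; the sample recording is constructed.

```python
import json
from copy import deepcopy

# Constructed sample in the shape of a Chrome DevTools Recorder export.
# The selectors and values are illustrative, not from a real recording.
SAMPLE_RECORDING = {
    "title": "login-flow",
    "steps": [
        {"type": "navigate", "url": "https://example.com/login"},
        {"type": "change", "selectors": [["#username"]], "value": "scanner-user"},
        {"type": "change", "selectors": [["#password"]], "value": "<redacted>"},
        {"type": "click", "selectors": [["button[type=submit]"]]},
    ],
}

def pause_step(wait_ms=20000):
    """Build the customStep pause block in the format shown above."""
    if wait_ms <= 0:
        raise ValueError("wait_ms must be a positive number of milliseconds")
    # The Recorder stores the target as a string, exactly as in the block above.
    return {"type": "customStep", "name": "pause", "parameters": {"target": str(wait_ms)}}

def insert_pause_before(recording, failing_step_index, wait_ms=20000):
    """Return a copy of the recording with a pause just before the failing step.
    failing_step_index is the 0-based position in "steps" (assumed to be what
    the failure details point at); the input recording is left untouched."""
    steps = recording["steps"]
    if not 0 <= failing_step_index < len(steps):
        raise IndexError(f"step {failing_step_index} not in recording")
    # Do not stack a second pause if one is already in front of the step.
    prev = steps[failing_step_index - 1] if failing_step_index > 0 else None
    if prev and prev.get("type") == "customStep" and prev.get("name") == "pause":
        return deepcopy(recording)
    patched = deepcopy(recording)
    patched["steps"].insert(failing_step_index, pause_step(wait_ms))
    return patched

def patch_recording_file(src_path, dst_path, failing_step_index, wait_ms=20000):
    """Read a downloaded recording, insert the pause, write the patched copy."""
    with open(src_path, encoding="utf-8") as f:
        recording = json.load(f)
    patched = insert_pause_before(recording, failing_step_index, wait_ms)
    with open(dst_path, "w", encoding="utf-8") as f:
        json.dump(patched, f, indent=2)
    return len(patched["steps"])

if __name__ == "__main__":
    # The click on the submit button (index 3) is the step that failed.
    print(json.dumps(insert_pause_before(SAMPLE_RECORDING, 3), indent=2))
```

Run it against the downloaded recording with patch_recording_file, then re-upload the patched file as the login recording.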

Re-creating the login recording file:

Please refer to the attached video for more information about how to recreate the login recording with custom pause statements.