FortiDAST
FortiDAST performs automated black-box dynamic application security testing of web applications to identify vulnerabilities that bad actors may exploit.
tpontes
Staff
Article Id 375763
Description This article provides a detailed, step-by-step guide on installing and using the FortiDAST Chrome extension to perform Login & Replay operations. Each step includes clear instructions and screenshot placeholders to facilitate setup and execution in a lab environment.
Scope This guide is intended for users who need to scan authenticated applications using the FortiDAST Login & Replay feature to ensure comprehensive vulnerability assessments.
Solution

The FortiDAST Login & Replay feature is designed to capture and simulate complex login sequences during vulnerability scans. By simulating user behavior, it enables comprehensive scanning of applications and ensures the detection of vulnerabilities that traditional methods might overlook.

Introduction.

Problem Statement.

Challenges were encountered in fully scanning an application. Due to limitations in the initial setup, the scan was restricted to the login page, preventing access to other critical parts of the application. This limitation hindered the identification of vulnerabilities across the entire application.

The solution.

To address this issue, the FortiDAST Login & Replay feature was utilized. This tool captures and simulates complex login sequences during vulnerability scans, allowing for a thorough assessment. The following guide outlines the steps required to install and configure the FortiDAST Chrome extension, capture login sequences, and conduct authenticated vulnerability scans.

Prerequisites.

Ensure the following requirements are met before starting:

  • Google Chrome Browser: Installed and updated to the latest version.
  • FortiDAST Account: Access credentials to log into the FortiDAST portal.
  • Administrative Privileges: Necessary permissions to install browser extensions and modify settings.

Steps:

  • Step 1: Installing the FortiDAST Extension.
  • Step 2: Configuring the FortiDAST Extension.
  • Step 3: Capturing the Login Sequence.
  • Step 4: Upload the Recording to FortiDAST.
For the initial configuration steps, see the documentation: Downloading FortiDAST Web Application Scanning extension.

Troubleshooting.

  • Issue: Extension Not Recording Properly.
    Solution: Ensure required permissions are enabled, restart Chrome, and retry.
  • Issue: JSON File Not Downloading.
    Solution: Check browser download settings and ensure the recording was stopped correctly.
  • Issue: Scan Failing at OTP Submission.
    Solution: Verify the correct OTP entry and check spam folders for email notifications.
  • Issue: Extension Not Visible in Incognito Mode.
    Solution: Ensure "Allow in incognito" is enabled in the extension settings.

Additional Notes.

  • Proxy Mode Limitation: The Login & Replay feature is not supported in Proxy mode.
  • Manual Input Requirement: Credentials must be entered manually during recording.
  • Session Cookies: Stop recording only after the page fully loads post-login.
  • Security Considerations: Handle .json recording files securely, as they may contain sensitive login data.

By following this guide, the FortiDAST Login & Replay feature can be effectively utilized for comprehensive vulnerability scanning of authenticated applications.