Skip to main content

Form-based login

Use Form when your app has a traditional HTML login — a page with a username and password field that posts to a server and sets a session cookie (or returns a token stored in localStorage).

Form-based login

When to use

  • Classic server-rendered apps with a /login page.
  • SPAs where a test user can sign in with a form.
  • Anywhere a password-based flow exists and you have a dedicated test account.

What you'll need

  • Login URL — the page that shows the form (not the form action endpoint).
  • Username and Password — a dedicated scan account.
  • Optional: any Pre-Auth Cookies / Headers / Local Storage values the login page requires.

Dashboard

In Create Scan → Step 2, pick Form-based Login.
Enter Login URL, Username, and Password.
Fill Pre-Auth Cookies / Headers / Local Storage if your login page needs them (CSRF tokens, tenant selector cookies, SPA bootstrap values).
Click Next to continue to crawling & discovery.

The scanner navigates to the login URL, fills the form, submits it, and uses the resulting session for every subsequent request.

CLI

shadownet scan https://app.example.com \
  --auth form \
  --login-url https://app.example.com/login \
  --username "$SCAN_USERNAME" \
  --password "$SCAN_PASSWORD"

$SCAN_USERNAME and $SCAN_PASSWORD come from your shell / CI secret store — never hard-code them.

levo-dast.yml

auth:
  strategy: "form"
  login_url: "https://app.example.com/login"
  username: "${SCAN_USERNAME}"
  # password → --password CLI flag or SCAN_PASSWORD env var, NOT YAML
Passwords never go in YAML

password, raw cookie values, and tokens are on the YAML blocklist. Use --password / --token flags or environment variables at runtime.

Pre-Auth values

Pre-Auth cookies and headers

Local storage items

Common reasons to set these for form login:

  • CSRF cookie seeded by a GET to the login page — add it as a Pre-Auth Cookie.
  • Tenant or region header required by the API gateway — add as a Pre-Auth Header.
  • SPA boot flags stored in localStorage — add as Local Storage Items.

Verifying the login worked

After a scan starts, the scan detail page shows an Auth status. If login failed, the most common causes are:

  • Wrong login URL — pointing at the app home page rather than the form page.
  • CSRF token that rotates per request and needs to be extracted from the form — file a support ticket for a custom strategy.
  • MFA / CAPTCHA — a password form alone isn't enough. Use AI-driven or disable MFA for the scan account in non-prod.
  • Account locked after repeated scans — rotate the password and clear the lock.

Next

Was this page helpful?