Getting Started

Scan MFA App

MFA Apps

The ZeroThreat Recorder Chrome Extension simplifies scanning applications behind complex authentication mechanisms such as Multi-Factor Authentication (MFA), CAPTCHAs, Single Sign-On (SSO), and OTPs. It lets you scan the sections these mechanisms protect without sacrificing accuracy.

This guide will walk you through performing an authenticated scan on an MFA-protected application.


Step-by-Step Guide: Scanning an MFA App

Before you start
Ensure that the latest version of the ZeroThreat Chrome Recorder extension is installed in your Chrome browser.

1. Select Your Target

  • In the ZeroThreat dashboard, click "Scan the Target" and choose the application you wish to scan. Then change the scanning server if required.
(Screenshot: Scan the target)

  • Under Scan Method, click the Start New Authenticated Scan button.
(Screenshot: Dashboard)

  • This launches your target web application in a new tab, together with the ZeroThreat Recorder Chrome window.
Minimize the ZeroThreat Recorder Chrome window
You can minimize the recorder window, but make sure it remains open throughout the recording process.

If the extension does not open automatically alongside the target tab, see Troubleshooting: Extension Not Opening.

2. Configure the Recorder

  • Once the extension has loaded, start by clicking the Active User Session Authentication (MFA) button. With this method ZeroThreat does not capture or store authentication details; instead it uses your live user session (token) for authorization, so you must stay logged in until the scan has run on the server. Because the scan runs under that session, it acts with the privileges of the logged-in user, so record with an account whose access level matches what you intend to test. This method is well suited to applications that require a CAPTCHA, multi-factor authentication (MFA), one-time passwords (OTP), or third-party OAuth.
(Screenshot: Choose Scan Authentication Method)

  • Next you have two options: Full Scan or Scan Navigation Sequence Only. A Full Scan covers the entire web application, while a navigation-sequence-only scan covers only the pages you visit during recording. In this example, select Full Scan.
(Screenshot: Choose Scan Type)

3. Complete the Authentication Process

  • Log in with credentials or any other method: enter your username and password for the application, or use whichever login method it offers.
  • Handle MFA:
    • OTP: Enter the One-Time Password (OTP) sent to your email or phone.
    • CAPTCHA: Solve any CAPTCHA challenges that appear.
    • SSO: If the application uses a Single Sign-On provider such as Google or Azure, log in through it.
  • After this step you should be logged in to the application, whichever authentication method you used.
(Screenshot: Example of Google SSO login in the target application)

4. Stop the Recording

  • After logging in successfully, navigate through 2-3 pages while authenticated, then click the Stop Recording button in the ZeroThreat Recorder window.
Complete every authentication step before stopping the recording; stopping early leaves the captured session incomplete.

5. Save and Scan

  • Choose the scanning server and click Start Scan; the scan starts immediately.
(Screenshot: Share Active User Session)

Stay Logged In
Ensure that you remain logged into the target application throughout the scan to prevent session timeouts.

6. Monitoring the Scan

  • Once the scan is running, you can track its progress and view results in the Scans section or the Recent Scans section of the ZeroThreat portal.
(Screenshot: Recent Scans)


Tips & Cautions

  1. Stay Logged In: Ensure you remain logged into the application throughout the scan to prevent session timeouts.
  2. Avoid Unnecessary Steps: Perform only essential actions during the recording to keep the captured data clean.
  3. Handle Third-Party Services: If your application interacts with external services during authentication (e.g., SSO), confirm that these services are accessible and functional during the scan.
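The Active User Session method in step 2 hands the scanner a live session instead of credentials, so the scan is only as good as that session: if it times out mid-scan, or if the "protected" page was never actually protected, the scanner ends up crawling a login form rather than the application. The preflight below replays the captured session cookie against a protected page without following redirects and reports whether it still authorizes access, and whether an unauthenticated request is correctly rejected. This is an added example, not ZeroThreat code: the stand-in target app, the cookie name `sid`, the paths `/account` and `/login`, and the session value are all constructed for the demo.

```python
"""Check that a captured browser session still authorizes access before an
authenticated scan starts, and detect the moment it expires.

Added example, not ZeroThreat code. The stand-in app, cookie name `sid`,
the paths and the session value are constructed for this demo."""
import threading
from http.client import HTTPConnection
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

VALID_SID = "sess-7f3a"        # constructed session id the stand-in app accepts
SESSION = {"expired": False}   # flip to True to simulate a server-side timeout


class StandInApp(BaseHTTPRequestHandler):
    """Minimal stand-in target: /login is public, /account needs a live session."""

    def do_GET(self):
        if self.path == "/login":
            self._reply(200, b"login form")
            return
        jar = SimpleCookie(self.headers.get("Cookie", ""))
        sid = jar["sid"].value if "sid" in jar else None
        if sid == VALID_SID and not SESSION["expired"]:
            self._reply(200, b"account page")
        else:
            # Typical behaviour once a session is gone: redirect to the login page.
            self.send_response(302)
            self.send_header("Location", "/login")
            self.end_headers()

    def _reply(self, code, body):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_stand_in():
    """Serve the stand-in app on a random loopback port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), StandInApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def session_is_live(host, port, sid, protected_path="/account"):
    """Replay the session cookie against a protected page, without following redirects.

    200 means the session still authorizes the scan. A 3xx to the login page, or a
    401/403, means the scanner would be crawling the login form instead of the app.
    """
    conn = HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", protected_path, headers={"Cookie": f"sid={sid}"})
        resp = conn.getresponse()
        resp.read()
        return resp.status == 200
    finally:
        conn.close()


def preflight(host, port, sid):
    """The two checks to run before handing the session to the scanner."""
    return {
        # The captured session must still reach the protected page ...
        "session_authorizes_protected_page": session_is_live(host, port, sid),
        # ... and a bogus session must be bounced, or the page was never protected.
        "unauthenticated_is_rejected": not session_is_live(host, port, "not-a-session"),
    }


if __name__ == "__main__":
    srv = start_stand_in()
    host, port = srv.server_address
    print(preflight(host, port, VALID_SID))        # both True
    SESSION["expired"] = True                      # simulate the timeout the guide warns about
    print(session_is_live(host, port, VALID_SID))  # False: log in again before scanning
    srv.shutdown()
```

Run the same `session_is_live` check against the real target (with the real cookie name and a page you know requires login) right before clicking Start Scan, and again if a long scan reports unexpectedly few authenticated pages: a False result means the session expired and the recording has to be redone.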

Scan started and want to share the report with team members? See our guide on Share Scan Results.