Ctrlk
For the complete documentation index, see llms.txt. This page is also available as Markdown.

Validating Browser Sessions

Post creation of browser sessions validate them to ensure successful scans

Browser session validation checks that a recorded session works before security scans. It verifies authentication, unauthenticated contrast, action replay, and parallel-tab behavior.

Validation States

Sessions have three states:

  1. Pending Validation (Yellow) - Not yet validated. New sessions start here.

  2. Validated (Green) - All checks passed. Ready for scans.

  3. Validation Failed (Red) - At least one check failed. Fix issues before using.

Validation Checks

1. Authenticated Check

Checks whether the session authenticates correctly when loaded.

  • Loads the session cookies and storage.

  • Visits the authentication URL.

  • Compares the result to the expected authenticated page.

Passed: Shows authenticated content (dashboard, profile, etc.)

Failed: Shows login page or error (session expired/invalid)

2. Unauthenticated Check

Checks whether the site shows the unauthenticated page when no session is present.

  • Visits the same URL without session data.

  • Compares the result to the expected unauthenticated page.

Passed: Shows login page or "access denied"

Failed: Shows authenticated content (security issue)

3. Replay Test

Checks if the recorded browser actions can be replayed successfully.

  • Replays the recorded actions: clicks, typing, and navigation.

  • Compares the final page to the expected authenticated state.

Passed: Actions complete and result in authenticated state

Failed: Actions fail or don't reach authenticated state

4. Parallel Tab Testing

Checks whether the application can keep three authenticated tabs active at the same time.

  • Opens three tabs with the authenticated session.

  • Reloads all tabs simultaneously.

Passed: All tabs maintain the authenticated state after reloads

Failed: At least one tab loses the authenticated state.

How to Trigger Validation

  1. Open the settings drawer for the target domain and click Record Browser Session to open Browser Session Manager.

  2. Select an existing session from the dropdown. The session loads in preview mode.

  3. (Optional) Review or edit session details, context, tags, or browser actions.

  4. Click Validate Session and wait for the validation results. Use the VNC URL to watch the validation run when needed.

  5. Review results when they appear. Green borders = passed, red borders = failed. Click the eye icon to view screenshots.

If any validation check fails, treat the session as unsafe for authenticated scans until it is fixed or re-recorded. Confirm all four checks pass before running an authenticated scan.

PreviousImporting Browser SessionNextHandling Captcha/Email/Mobile OTPs

Last updated