The Acunetix Login Sequence Recorder can be used to test password-protected areas of your website automatically.
If you are using Acunetix Web Vulnerability Scanner, you can create a new Login Sequence upon launching a scan from the Scan Wizard. If you are using Acunetix Online Vulnerability Scanner, you can download and install the Login Sequence Recorder from the ‘Scan Target Settings’ before proceeding.
After starting the Login Sequence Recorder, navigate to the login page of your site and log in to the restricted area. Whilst doing so, you will notice that your actions are being recorded. The scanner will use the same login credentials during the scan. These actions can then be replayed by clicking the ‘Play’ button to confirm that the recorded actions are replayed correctly. If the site makes use of a CAPTCHA or Multi-factor Authentication, you can mark the action as a ‘manual’ action in order to complete Login Sequences that require manual input (Manual Intervention is only possible in Acunetix WVS). Once the login actions are complete, click ‘Next’ to proceed.
You will now need to define Restrictions. Restrictions are actions that you want to prevent the scanner from performing. This includes clicking ‘Logout’, ‘Delete User’, ‘Send Email’ and any other button or hyperlink which should not be followed during the scan. The Login Sequence Recorder also supports the use of wildcards in Restrictions. So, if the site uses a nonce or another one-time token, such as a CSRF token, in those requests, you can still restrict the request from being followed even though the token value changes on every page load. Once Restrictions are set up, proceed by clicking ‘Next’.
The scanner needs to understand when it is logged in and when it is logged out. This is done using a ‘Session Pattern’. In most cases, the Login Sequence Recorder is able to automatically detect a valid Session Pattern using the requests from the login actions. When the session pattern is not automatically detected, you can manually browse the restricted area (for example, by clicking on the ‘User Profile’ page), until a pattern is automatically detected by the Login Sequence Recorder. Although that is rarely required, you can also create a Session Pattern manually. Click the ‘Finish’ button and save the Login Sequence file.
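To illustrate the two concepts above (wildcard Restrictions that still match a logout link carrying a changing token, and a Session Pattern that tells a logged-in response from a logged-out one), here is a small model written for this article. It is not Acunetix code and does not read .lsr files; the URLs, patterns and HTML snippets are constructed sample data.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: links a crawler found inside the restricted area.
# The logout and delete links carry per-request tokens, so an exact-URL
# restriction would never match them twice.
CRAWLED_LINKS = [
    "https://example.test/account/profile",
    "https://example.test/account/logout?token=3f9a1c",
    "https://example.test/admin/delete_user?id=42&csrf=9b7e",
    "https://example.test/account/settings",
]

# Restrictions with a trailing wildcard, so the token value is irrelevant.
RESTRICTIONS = [
    "https://example.test/account/logout*",
    "https://example.test/admin/delete_user*",
]

def is_restricted(url, restrictions=RESTRICTIONS):
    """True if the URL matches any wildcard restriction (case-sensitive)."""
    return any(fnmatchcase(url, pat) for pat in restrictions)

def allowed_links(links, restrictions=RESTRICTIONS):
    """Links the scanner may follow: everything that is not restricted."""
    return [u for u in links if not is_restricted(u, restrictions)]

# Session Pattern: something that appears only while logged in. Here we use
# the presence of a logout link, ignoring whatever token it carries.
SESSION_PATTERN = re.compile(r'href="[^"]*/account/logout[^"]*"')

# Constructed responses: one from a logged-in session, one after the
# session was lost (the application redirected back to the login form).
LOGGED_IN_PAGE = ('<html><body><a href="/account/profile">Profile</a> '
                  '<a href="/account/logout?token=3f9a1c">Logout</a></body></html>')
LOGGED_OUT_PAGE = ('<html><body><form action="/login"><input name="user">'
                   '<input name="pass" type="password"></form></body></html>')

def session_alive(html, pattern=SESSION_PATTERN):
    """True if the response still carries the Session Pattern."""
    return pattern.search(html) is not None

def session_losses(responses, pattern=SESSION_PATTERN):
    """Indices of responses where the pattern is absent, i.e. where a
    scanner would have to replay the login sequence before continuing."""
    return [i for i, body in enumerate(responses) if not session_alive(body, pattern)]
```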
If you are using Acunetix WVS, you can now use this Login Sequence within the Scan Wizard. If you are using Acunetix OVS, you can simply upload the .lsr file to Acunetix OVS and run a scan using your newly created Login Sequence.