VIDEO: Acunetix Login Sequence Recorder

The Acunetix Login Sequence Recorder can be used to test password-protected areas of your website automatically.

In order to scan a form-based password-protected area, you will need to make use of a Login Sequence during the scan. The Login Sequence can be configured from the Target settings page in the General tab using the Login Sequence Recorder (LSR). A Login Sequence is used to perform the following tasks during the crawling and scanning phases.

  • Access a form-based password-protected area
  • Replay login actions to authenticate to the website or web application
  • Restrict actions which the crawler and scanner may perform (such as following logout links)

A new Login Sequence may be created by following the steps below.

  • Navigate to the Targets section from the left-hand-side menu
  • Select the Target for which you wish to record a Login Sequence
  • From the General settings tab, enable the Site Login pane, and select Use pre-recorded login sequence
  • Launch the LSR by clicking on the Launch Login Sequence Recorder link

Target Settings - Login Sequence

After launching the Login Sequence Recorder, your browser may pop up a confirmation dialogue asking whether you wish to open the LSR. Click on Launch Application or Open link (depending on your browser) to open the Login Sequence Recorder.

LSR Protocol Handler Browser Notice

By default, the LSR will browse to the Target URL that you are configuring the Login Sequence for.

LSR - Navigate to URL

You may start browsing to the login page and perform a successful login. Remember to use correct and valid credentials. With each action that is recorded, the panel on the right will be populated with login actions.

Once logged in, you may wish to replay the actions to ensure that the Login Sequence is valid and is logging in successfully. This can be done by clicking on Play at the bottom-left of the screen.

LSR - Record Login Sequence

The right-hand-side pane shows a list of actions that have been recorded. Clicking on a specific action will reveal its Action Properties on the bottom right-hand-side of the screen. Click Next to record restrictions.

Recording Restrictions

Restrictions instruct the Crawler and Scanner not to follow specific links during a scan. Typically, you would want to restrict logout links or other links that might destroy a valid session, in order to ensure that the scanner does not get logged out during the scan.

If the link you are restricting contains a nonce or a one-time token, you may use wildcards (*) to restrict links whose values change with each request. A Restriction may be set by following the steps below.

  • Click on the link that you wish to restrict.
  • Upon clicking the link, a dialogue will pop up asking whether you wish Acunetix to either
    • Restrict this request (either in its exact form or by using wildcards)
    • Forward requests which match this request
    • Forward all requests, meaning that there will be no restrictions
    • In this example, we do not need to make any modifications to the Restriction, therefore we can select the first option – Restrict request using exact match
  • The Restriction will be recorded and shown in the panel on the right. You may add as many restrictions as you need.

LSR - Restrict Link

Identifying a Valid Authentication Session

In the final step, the LSR will try to identify a valid session automatically. The session pattern is required so that the Scanner can tell the difference between an invalid (logged out) and a valid (logged in) session. If the scanner detects that the session has been invalidated, it can replay the login sequence and validate the session again.

This is done by comparing the logged-in and logged-out states of the web application. There may be cases where no difference can be identified automatically. In such cases, you will need to either configure it by navigating to pages and letting the Recorder identify the pattern, or configure it manually.

LSR - Session Detection

While Navigating
  • This can be done by browsing to authenticated areas of the website that return a different response depending on whether the user is logged in or logged out.
  • For example, a response from the website will contain the text “Logout” if the user is logged in. If it is not found in the response, the user is not logged in.
Manually
  • The session validation can be manually configured by choosing both the request to be sent and the pattern expected in the response.

The session pattern may be verified by clicking Check Pattern at the top of the right-hand-side panel.

Once you click on Finish you will be prompted to save the .lsr file. Upload this saved file onto the Scan Target settings page.
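As an added illustration (not Acunetix code), the following Python models the two scan-time mechanisms described in the Restrictions and session-detection sections above: a restriction list with `*` wildcards that is consulted before a link is followed, and a session-pattern check that replays the recorded login only when the logged-in marker (here the text “Logout”) is missing from the probe response. The site, URLs and token are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, List


def wildcard_to_regex(pattern: str):
    """Compile a page-style restriction ('*' matches any run of characters)
    into an anchored regex; everything else, including '?' and '&', is literal."""
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$")


@dataclass
class LoginSequence:
    """Constructed stand-in for what a recorded sequence carries at scan time."""
    login_actions: Callable[[], None]   # replays the recorded login steps
    restrictions: List[str]             # "METHOD URL" patterns, '*' allowed
    session_request: str                # request replayed to probe the session
    session_pattern: str                # regex found only in logged-in responses
    replays: int = 0                    # how often the login had to be replayed

    def is_restricted(self, method: str, url: str) -> bool:
        """Consulted before following a link; a wildcard covers a one-time token."""
        key = f"{method.upper()} {url}"
        return any(wildcard_to_regex(p).search(key) for p in self.restrictions)

    def session_valid(self, body: str) -> bool:
        return re.search(self.session_pattern, body) is not None

    def ensure_logged_in(self, send: Callable[[str], str]) -> bool:
        """Probe; if the session was invalidated, replay the login once and re-check."""
        if self.session_valid(send(self.session_request)):
            return True
        self.login_actions()
        self.replays += 1
        return self.session_valid(send(self.session_request))


class FakeSite:
    """Constructed web app: pages show 'Logout' only while a session is valid."""
    def __init__(self):
        self.logged_in = False

    def login(self):
        self.logged_in = True

    def send(self, request: str) -> str:
        if request.startswith("GET /logout"):   # following this link kills the session
            self.logged_in = False
        if self.logged_in:
            return "<a href='/logout?token=9f2c'>Logout</a> Welcome back"
        return "<form action='/login'>Please sign in</form>"
```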

  • Hi! I have a question about login sequence file.
    If I want to create a login sequence file but I don’t want to use the Acunetix GUI, can you show me the same way executing in the web interface?
    Thanks!

    • Hi,

      You can only generate a login sequence file from the Acunetix interface. This would need to be pre-configured before you can use it from the Scheduled Scans web interface.

  • I am not able to make a login sequence of my site. I try to record it but I am not able to log in in the Login Sequence browser. Other than that, it’s working fine in every single browser (except IE<10).

    Can I change the Login Sequence browser?
    Can anyone help me out? I have been stuck on this matter for the last four days. I have tried every possible way, but it has not worked at all.

    Regards,
    Harsh Cygnet

    • Hi,

      The User Agent that is used by the Login Sequence Recorder (LSR) is the one that is selected in Configuration > Scan Settings > HTTP Options > User agent string.

      What technologies are used in your web site? Ideally, you would get in touch with our support team, so we can get first-hand experience of your website.

  • “Restrictions are actions that you want to restrict the scanner from performing. This includes clicking ‘Logout’, ‘Delete User’, ‘Send Email’ and any other button or hyperlink which should not be followed during the scan”

    If I restrict Logout only, does Acunetix change my data, such as deleting my users, products… during the scan?
    Thanks!

    • Hi,

      Testing all the web forms of the web application is an essential part of the scan. Testing involves submitting each web form multiple times. You should use the Login Sequence Recorder to restrict all the HTTP requests that you do not want the scanner to make, including clicking on buttons which delete users for example.

    • If you are referring to client certificates, in Acunetix WVS, the Login Sequence Recorder will automatically use any client certificates that you set up from Configuration > Application Settings > Client Certificates. Acunetix WVS will automatically decide which certificate to use based on a request’s URL.

    • Hi,

      You can insert a Manual action when you are recording the Login Actions using the Login Sequence Recorder. When the Login Sequence is replayed during the scan, you will be asked to insert the data required to proceed with the login.

  • Does recorder actually work with single-page Javascript-driven sites that use angularjs and nodejs? I cannot get the LSR to work when testing such sites at all, as neither the restricted links function nor the detect user session recognise anything I add to it. In addition, in the latest version of LSR, where’s the option to automatically create a regex pattern from content on a page?

    • Hi Steve,

      Yes, the latest version of the Acunetix LSR should support SPAs better. I would recommend that you contact our support team so we can verify your SPA.

      The last step in the LSR is the part which detects the pattern that is used to identify a valid session. The LSR tries to do this automatically.
      Automatic detection is not always possible. In such cases, the LSR will go in manual browsing mode, where you will need to browse parts of the site which are only available once the user logs in (e.g. the user profile page or similar).

  • LSR is not able to play the sequence already recorded after manual intervention on a page for CAPTCHA authentication. I have been facing this problem since the last update in AVS Consultant edition 10.5.
    Please guide me regarding the issue.

  • Hi,

    I have been trying to create a login sequence on one of my applications which requires a client certificate to test. I imported the client certificate but the application is still not accepting it. In order to run the application, I need to import the root chain as well, but there is no option to install a root chain in the Acunetix Login Sequence Recorder. Please help me out. Without the root chain and client certificate, I cannot run the test on Acunetix.

  • Is there any way to import Internet Explorer settings into Acunetix, or if we can directly use Internet Explorer for the login sequence?

  • Hi,

    I am trying to scan a site protected by SiteMinder. It has HTTP authentication, which I set up in Application Settings, but the scanner is not able to go inside the site. It says too many redirections. Please help.

  • Hi,

    Session was not valid after login sequence playback. We have OAuth and a time stamp mechanism implemented.

  • Hi,
    I am testing an application that uses JavaScript function for login form submit. The login action doesn’t work as JavaScript cannot run within LSR. Is there any workaround for this? Can JavaScript be enabled in LSR?

    • Hi Nazim,

      Thank you for your comment.

      The Login Sequence Recorder does support JavaScript. Perhaps it would be best to get in touch with our Support Team on support@acunetix.com to look into your issue in more detail.

  • Hi,

    We are using Acunetix 11 – web version that we just upgraded to (we were using v10.5). I have created a login sequence, which works, and have saved it however when I try to attach it to a target I get an error message:

    Login sequence has not been completely uploaded.

    With Retry and Dismiss options – neither of which allow me to progress and actually save and then start the scan.

    Thinking it was perhaps a browser issue, I’ve tried multiple browsers with the same result. Wondering if it is perhaps my permissions – I’m not a full admin, but a Tech Admin – so I can create and add targets.

    Any light you can shed on this please?
    Thanks!!

    • Hi Jesse,

      Thanks for your comment.

      Since we might need to take a look at some logs to find out what’s causing this, the best thing to do in this case would be to get in touch with our Support Team at support@acunetix.com for them to take a closer look into your issue.
