Configuring Automatic Session Detection in Acunetix WVS

When scanning a website with a password-protected area, Acunetix Web Vulnerability Scanner uses a user-specified ‘In Session’ or ‘Out of Session’ pattern to determine whether the logged-in session is still valid. If the session has been invalidated, Acunetix WVS automatically replays the Login Sequence to regain the session and continues scanning the website.

What are ‘In Session’ and ‘Out of Session’ patterns?

An ‘In Session’ pattern is a text string, a fragment of HTML, or a regular expression that matches text or code which the website only returns while the session is logged in.

Conversely, an ‘Out of Session’ pattern is a text string, a fragment of HTML, or a regular expression that matches text or code which the website only returns when the session is logged out (a redirect to the login page, for example).

When recording a login sequence you only need to specify one pattern, i.e. either an ‘In Session’ or an ‘Out of Session’ pattern. If you specify an ‘In Session’ pattern, Acunetix WVS checks for that pattern in the responses it receives while logged in. If the pattern matches, the session is still valid. If it cannot be matched, the session has been invalidated and the recorded Login Sequence is replayed automatically to regain the session.

If you specify an ‘Out of Session’ pattern, Acunetix WVS checks that the pattern does not match while logged in. If the pattern does match, the session has been invalidated and the recorded Login Sequence is replayed to regain the session.

How to define an ‘In Session’ or ‘Out of Session’ pattern

When recording a login sequence with the Login Sequence Recorder, the fourth step of the wizard asks you to specify an ‘In Session’ or ‘Out of Session’ pattern, as shown in the screenshot below.

Acunetix WVS Login Sequence Recorder

Click the ‘Detect’ button next to the URL input field to have Acunetix WVS try to detect a pattern for you automatically.

Automatic Detection of Logged In Patterns in Acunetix WVS

If automatic detection fails, you can specify your own pattern by following the procedure below.

In Session or Out of Session in LSR

  1. Click the ‘In Session’ tab to load a page from the logged-in session of the website, or the ‘Out of Session’ tab to load a page as a user who is not logged in. Both tabs are found directly under the URL entry field.
  2. Click the ‘Show in browser’ or ‘Show raw data’ tab at the bottom of the LSR window to view the rendered page or its source code.
  3. Type your own string of text or regular expression in the Pattern entry field. Alternatively, highlight text (in either the browser or the raw view) and click the ‘Define Pattern from Selection’ button so the scanner generates a regular expression that matches the selected text.
  4. From the ‘Pattern Type’ drop-down menu, select whether the pattern is to be found in the Header, Page Body or Status Code. Selecting ‘Not in Header’, ‘Not in Page Body’ or ‘Not in Status Code’ defines an ‘Out of Session’ pattern instead.
  5. Click the ‘Check Pattern’ button to confirm that the pattern matches. Check it against both tabs: a pattern that is also present on the logged-out page (a site-wide footer, for example) can never detect an expired session, and the scanner would carry on unauthenticated without ever replaying the login.
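The session check described in the introduction and the pattern-definition steps above, as an added Python example. This is not Acunetix code and does not use any Acunetix API; SessionPattern mirrors the three Pattern Type locations and their ‘Not in’ variants, define_pattern_from_selection turns highlighted text into a literal regular expression (an assumed behaviour, not necessarily what the LSR button generates), check_pattern verifies a candidate against one logged-in and one logged-out response, and scan shows the replay-on-invalidation loop against a FakeSite whose session expires after a fixed number of requests. All responses and the FakeSite are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample responses as (status, headers, body), standing in for
# the pages the scanner would fetch from the target.
LOGGED_IN = (
    200,
    {"Content-Type": "text/html", "Set-Cookie": "sid=abc123; HttpOnly"},
    '<html><body><a href="/logout">Logout</a> Welcome back, alice</body></html>',
)
LOGGED_OUT = (
    302,
    {"Content-Type": "text/html", "Location": "/login"},
    '<html><body><form action="/login">Please sign in</form></body></html>',
)


@dataclass
class SessionPattern:
    """One pattern as the Login Sequence Recorder defines it.

    location is "header", "body" or "status" (the Pattern Type drop-down);
    negated=True is the "Not in ..." variant, i.e. an Out of Session pattern.
    """
    regex: str
    location: str
    negated: bool = False

    def matches(self, status, headers, body):
        """Does the regex match in the chosen part of the response?"""
        if self.location == "status":
            haystack = str(status)
        elif self.location == "header":
            haystack = "\n".join(f"{k}: {v}" for k, v in headers.items())
        elif self.location == "body":
            haystack = body
        else:
            raise ValueError(f"unknown pattern location: {self.location}")
        return re.search(self.regex, haystack, re.MULTILINE) is not None

    def session_valid(self, status, headers, body):
        """In Session pattern: a match means logged in.
        Out of Session pattern: a match means logged out."""
        return self.matches(status, headers, body) != self.negated


def define_pattern_from_selection(selection):
    """Turn highlighted text into a regex that matches it literally, tolerating
    differences in whitespace between tokens (assumed behaviour, not
    necessarily what the LSR button generates)."""
    return r"\s+".join(re.escape(token) for token in selection.split())


def check_pattern(pattern, logged_in, logged_out):
    """Stricter than a single 'Check Pattern' click: the pattern must report a
    valid session on the logged-in response AND an invalid one on the
    logged-out response, otherwise it can never detect an expired session."""
    return pattern.session_valid(*logged_in) and not pattern.session_valid(*logged_out)


class FakeSite:
    """Constructed target whose session expires after `ttl` requests."""

    def __init__(self, ttl=2):
        self.ttl = ttl
        self.remaining = 0
        self.logins = 0

    def login(self):
        # Stands in for replaying the recorded Login Sequence.
        self.logins += 1
        self.remaining = self.ttl

    def fetch(self, url):
        if self.remaining > 0:
            self.remaining -= 1
            return LOGGED_IN
        return LOGGED_OUT


def scan(site, urls, pattern):
    """Fetch each URL; when the pattern says the session is gone, replay the
    login and retry that request once. Returns (url, session_was_valid)."""
    site.login()
    results = []
    for url in urls:
        response = site.fetch(url)
        if not pattern.session_valid(*response):
            site.login()
            response = site.fetch(url)
        results.append((url, pattern.session_valid(*response)))
    return results


if __name__ == "__main__":
    in_session = SessionPattern(
        define_pattern_from_selection('<a href="/logout">Logout</a>'), "body")
    out_of_session = SessionPattern(r"^Location:\s*/login", "header", negated=True)
    print("in-session pattern usable:", check_pattern(in_session, LOGGED_IN, LOGGED_OUT))
    print("out-of-session pattern usable:", check_pattern(out_of_session, LOGGED_IN, LOGGED_OUT))
    site = FakeSite(ttl=2)
    print(scan(site, [f"/page{i}" for i in range(5)], in_session), "logins:", site.logins)
```

check_pattern rejects a pattern such as the Content-Type header, which appears in both states, which is exactly the failure the ‘Check Pattern’ button alone will not reveal if you only test it on the logged-in tab.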
