In order to scan a form-based password protected area, you will need to make use of a Login Sequence during the scan. You can predefine login sequence files from Configuration > Application Settings > Login Sequence Manager, or directly from the New Scan Wizard. The Login Sequence Recorder can be used to perform a number of tasks during a crawl and a scan:
- To access a form-based password protected section.
- To create a pre-defined crawling sequence, such as a shopping cart.
- To mark pages that require human / manual intervention each time they are accessed, such as pages with a CAPTCHA, a one-time password or two-factor authentication.
- To mark pages which the crawler and scanner should not access (such as logout links or user deletion buttons).
- To configure Acunetix Web Vulnerability Scanner to crawl a web application in a predefined manner, such as a shopping cart or to automatically input data into a web form.
Read more information on the Login Sequence Recorder.
To create a new login sequence:
- Click New Login Sequence to launch the Login Sequence Recorder.
- Enter the URL of the website for which you would like to record a login sequence. By default the URL of the target website is populated automatically. Click Next to proceed.
- On the second page of the wizard, browse to the website’s login page and submit the authentication credentials in the login form to log in. Wait for the page to fully load, indicating that you are logged in. Click Next to proceed.
- Once logged in, you also need to identify the logout link so the crawler will ignore it to prevent ending the session. In the ‘Setup restricted links’ step of the wizard, click the logout link for it to be ignored. If the logout link is not on the same page, click the Pause button in the top menu, navigate to a page where the logout link is found, resume the session and then click on the logout link. Click Next to proceed.
- The Login Sequence Recorder will then try to distinguish valid sessions from invalid ones automatically. Click Yes to start the process using the URLs that were collected in the previous steps.
- There are situations where the session cannot be detected automatically. In that case, you can either specify a URL and try to auto-detect valid sessions using that URL, or define a pattern which allows the scanner to determine that it is logged in. The pattern can be plain text or a regular expression, e.g. (?i)<a\s+href='logout\.php'>. You can also highlight specific content and click Define pattern from selection, and a regular expression will be generated automatically. You also have to specify where the pattern must be found in the response. See the second screenshot below. From the Pattern Type drop-down menu, select whether the pattern is In headers, Not in headers, In body, Not in body, Status code is or Status code is not. Use the Check Pattern button to test the pattern that you have specified.
- Review the recorded sequence. You can change the priority of URLs using the up and down arrows, edit requests, and add or remove requests. Click ‘Finish’ to finalize the session recording.
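The session-detection step above boils down to one rule: given an HTTP response, does a pattern of the chosen type (In headers, Not in headers, In body, Not in body, Status code is, Status code is not) indicate that the session is still logged in? The following Python is an added example written for this page, not Acunetix's own code; it models that rule over constructed sample responses (a logged-in page that contains the logout link, a redirect to the login page, and the bare login form) so you can see which pattern types are robust against the session being lost. The Response class, the sample responses and the rule names are assumptions made here for illustration.

```python
import re
from dataclasses import dataclass

# Pattern types as offered by the Login Sequence Recorder's Pattern Type drop-down.
PATTERN_TYPES = (
    "In headers", "Not in headers", "In body", "Not in body",
    "Status code is", "Status code is not",
)


@dataclass
class Response:
    """Minimal HTTP response model (hypothetical): status code, headers, body text."""
    status: int
    headers: dict
    body: str


def _header_text(headers):
    # Flatten headers into "Name: value" lines so one regex can match across them.
    return "\n".join(f"{name}: {value}" for name, value in headers.items())


def session_is_valid(response, pattern, pattern_type, is_regex=True):
    """Return True when the response satisfies the logged-in rule.

    pattern_type mirrors the Pattern Type drop-down. pattern is a regular
    expression, or plain text when is_regex=False (escaped to match literally).
    """
    if pattern_type not in PATTERN_TYPES:
        raise ValueError(f"unknown pattern type: {pattern_type}")
    if pattern_type.startswith("Status code"):
        matched = response.status == int(pattern)
        return matched if pattern_type == "Status code is" else not matched
    regex = re.compile(pattern if is_regex else re.escape(pattern))
    haystack = _header_text(response.headers) if "headers" in pattern_type else response.body
    matched = regex.search(haystack) is not None
    # "In ..." types require a match; "Not in ..." types require its absence.
    return matched if pattern_type.startswith("In") else not matched


# Constructed sample responses (not captured from any real application).
LOGGED_IN = Response(
    200,
    {"Content-Type": "text/html", "Set-Cookie": "PHPSESSID=constructed; HttpOnly"},
    '<html><body>Welcome back, alice. <a href="logout.php">Logout</a></body></html>',
)
LOGGED_OUT = Response(302, {"Location": "/login.php"}, "")
LOGIN_FORM = Response(200, {"Content-Type": "text/html"},
                      '<form action="login.php"><input name="user"></form>')

# The page's own regex example, widened to accept single or double quotes.
LOGOUT_LINK = r"""(?i)<a\s+href=['"]logout\.php['"]>"""


def check_rules(response):
    """Evaluate several candidate logged-in rules against one response."""
    return {
        "logout link in body": session_is_valid(response, LOGOUT_LINK, "In body"),
        "no redirect to login": session_is_valid(response, r"Location:\s*/login\.php", "Not in headers"),
        "status is 200": session_is_valid(response, "200", "Status code is"),
        "status is not 302": session_is_valid(response, "302", "Status code is not"),
    }


if __name__ == "__main__":
    for name, resp in (("logged in", LOGGED_IN), ("logged out", LOGGED_OUT), ("login form", LOGIN_FORM)):
        print(name, check_rules(resp))
```

Run against the three samples, only the "logout link in body" rule separates the logged-in page from both logged-out states; "status is 200" and "not in headers" rules also accept the login form, which is why a positive In body pattern for content that exists only while logged in (such as the logout link) is the most reliable choice, and why the Check Pattern button is worth using before you finish the recording.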
Marking Pages for Manual Intervention (used for CAPTCHAs)
If some pages in your web application require manual intervention, such as pages with a CAPTCHA, a one-time password or two-factor authentication, use the Login Sequence Recorder to configure the crawler to wait for user input when it reaches such pages. To mark a page for manual intervention:
- Launch the Login Sequence Recorder and enter the web application URL in the first step.
- In the second step of the wizard ‘Record Login Sequence’, click on the Pause button to pause the recording, and enter the URL of the page which requires human input in the URL input field.
- Once the page is loaded, click the Manual Intervention button. Proceed by clicking the Next button until the end of the wizard.
- Once a scan is launched, a browser window will automatically pop up when the application page is reached. You can now perform the required action. Click Done once the action is complete.
Get more information and a video about the Login Sequence Recorder.