VIDEO: Acunetix Login Sequence Recorder

The Acunetix Login Sequence Recorder can be used to test password-protected areas of your website automatically.

In order to scan a form-based password protected area, you will need to make use of a Login Sequence during the scan. The Login Sequence can be configured from the Target settings page in the General tab using the Login Sequence Recorder (LSR). A Login Sequence is used to perform the following tasks during the crawling and a scanning phases.

  • Access form-based password protected area
  • Replay login actions to authenticate to the website or web application
  • Restrict actions which the crawler and scanner can access (such as logout links)
  • To mark actions that require Manual Intervention each time they are accessed, such as pages with CAPTCHAs, one-time password and two-factor authentication.

A new Login Sequence may be created by following the steps below.

  • Navigate to the Targets section from the left-hand-side menu
  • Select the Target for which you wish to record a Login Sequence
  • From the General settings tab, enable the Site Login pane, and select Use pre-recorded login sequence
  • Launch the LSR by clicking on the Launch Login Sequence Recorder link.

Target Settings - Login Sequence

After launching the Login Sequence Recorder, your browser may pop up a confirmation dialogue that you wish to open up the LSR. Click on Launch Application or Open link (depending on your browser) to open the Login Sequence Recorder.

LSR Protocol Handler Browser Notice

By default, the LSR will browse to the Target URL that you are configuring the Login Sequence for.

LSR - Navigate to URL

You may start browsing to the login page and perform a successful login. Remember to use correct and valid credentials. With each action that is recorded, the panel on the right will start to be populated with login actions. Since the LSR is recording actions and not HTTP requests, it also works with web applications that make use of anti-CSRF tokens.

Once logged in, you may wish to replay the actions as to ensure that the Login Sequence is valid and is logging in successfully. This can be done by clicking on Play at the bottom-left of the screen.

LSR - Record Login Sequence

The right-hand-side pane shows a list of actions that have been recorded. Clicking on a specific action will reveal Action Properties.on the bottom right-hand-side of the screen. Click next to record restrictions.

Recording Restrictions

Restrictions instruct the Crawler and Scanner not to follow specific links during a scan. Typically, you would want to restrict logout links or other links that might destroy a valid session in order to ensure that the scanner does not get logged out during the scan. The LSR also supports restrictions on HTTP methods commonly used in RESTful web services such as PATCH, PUT, DELETE in addition to the standard GET and POST requests.

If the link you are restricting contains a nonce or a one-time token, you may use wildcards (*) to restrict links with changing values. A Restriction may be set by following the steps below.

  • Click on the link that you wish to restrict.
  • Upon clicking the link, a dialogue will pop up asking if you wish for Acunetix to either
    • Intercept this request (either in its exact form or by using wildcards)
    • Forward such requests which match this request
    • Forward all requests, meaning that there will be no restrictions
    • In this example, we do not need to make any modifications to the Restriction, therefore we can select the first option – Restrict request using exact match
  • The Restriction will be recorded, and shown in the panel on the right. You may add as many restrictions as you need.

LSR - Restrict Link

Identifying a Valid Authentication Session

In the final step, the LSR will try to identify a valid session automatically. The session pattern is required, so that the Scanner will be able to know the difference between an invalid (logged out) and a valid (logged in) session. If the scanner is able to know that the session has been invalidated, it can replay the login sequence and validate the session again.

This is done by comparing the logged in and logged out states of the web application. There may be cases where no difference can be identified automatically. In such cases, you will need to either configure it by navigating to pages and let the LSR identify the pattern, or it can also be done manually. In addition to authentication mechanisms that rely on cookies, the LSR also supports authentication mechanisms that rely on HTML5 LocalStorage.

LSR - Session Detection

While Navigating

  • This can be done by browsing to authenticated areas of the website that will return a different response depending on the user being logged in or logged out.
  • For example, a response from the website will contain the text “Logout” if the user is logged in. If it is not found in the response, the user is not logged in.

Manually

  • The session validation can be manually configured by choosing both the request being sent and the pattern returned.

The session pattern may be verified by clicking Check Pattern at the top of the right-hand-side panel.

Once you click on Finish you will be prompted to save the .lsr file. Upload this saved file onto the Scan Target settings page.

Share this post
  • Hi,

    We are using Acunetix 11 – web version that we just upgraded to (we were using v10.5). I have created a login sequence, which works, and have saved it however when I try to attach it to a target I get an error message:

    Login sequence has not been completely uploaded.

    With Retry and Dismiss options – neither of which allow me to progress and actually save and then start the scan.

    Thinking it was perhaps a browser issues, I’ve tried multiple browsers with the same result. Wondering if it perhaps my permissions – I’m not a full admin, but a Tech Admin – so I can create and add targets.

    Any light you can shed on this please?
    Thansk!!

    • Hi Jesse,

      Thanks for your comment.

      Since we might need to take a look at some logs to find out what’s causing this, the best thing to do in this case would be to get in touch with our Support Team at support@acunetix.com for them to take a closer look into your issue.

  • Hi, I just upgraded to Acunetix 11 and I’m facing an issue. The website I have to scan uses a 2 factor authentication that require a manual intervention (code sent by text message on cellphone). With the new LSR doesn’t allow me to insert a manual action.

    How can I solve this issue ?

    • Hi Robert,

      Manual intervention will be re-introduced in Acunetix v11 in January 2017. Please scan this site using Acunetix v10.5 in the meantime.

  • Hi,
    I upgraded from 10.5 to 11 recently and the login sequences do not work any more. I record them successfully, with session detection and restriction, but when I use them during a scan, an error appears “The login sequence for xxxx is invalid”

    • Hi,

      the login sequences recorded in v10.5 should also work in v11. Please contact our support team (support@acunetix.com) so we can check why your login sequence files are not working in v11.

  • Hello,
    Do we know yet when manual intervention will be released for V. 11?

  • It is now the middle of February 2017. When can we expect manual intervention to be made available in v11?

  • HI,

    I tryed to use Acunetix v11 and v10.5 scan the same target. I could not use the login sequence recorder in v11, it always told me “login sequence not found”, but v10.5 it was work. Even I used the .lsr file which was created by v10.5, still not work in v11.

    I’m sure I got these messages “Pattern was successfully verified” and “Login Sequence Recorder has successfully identified a pattern to use for deteting session validity”.

    Please tell me what can I do.

    v11 version: 11.0.170471153

  • Hi,

    I was trying to find any reference or user guide which would explain whether the LSR could work with Silverlight applications?

  • I was using the crawler to see how deep it was scanning my web application. When i used the normal auto-login it only scanned 50 URLS in my website. I had to use the login sequence recorder to make sure my whole website was crawled (around 200 URLS). Now i’m trying to launch a scan but it’s taking so long, i’ve been scanning for 2,5 hours and it’s still at 1%. How can i make sure my website gets crawled correctly or how can i speed up my scan?

  • Hello,

    How much does this sistem cost?
    How much time does the license heve?

    Best regards,

  • Leave a Reply

    Your email address will not be published.