The Acunetix Login Sequence Recorder can be used to test password-protected areas of your website automatically.

In order to scan a form-based password protected area, you will need to make use of a Login Sequence during the scan. The Login Sequence can be configured from the Target settings page in the General tab using the Login Sequence Recorder (LSR). A Login Sequence is used to perform the following tasks during the crawling and a scanning phases.

  • Access form-based password protected area
  • Replay login actions to authenticate to the website or web application
  • Restrict actions which the crawler and scanner can access (such as logout links)
  • To mark actions that require Manual Intervention each time they are accessed, such as pages with CAPTCHAs, one-time password and two-factor authentication.

A new Login Sequence may be created by following the steps below.

  • Navigate to the Targets section from the left-hand-side menu
  • Select the Target for which you wish to record a Login Sequence
  • From the General settings tab, enable the Site Login pane, and select Use pre-recorded login sequence
  • Launch the LSR by clicking on the Launch Login Sequence Recorder link.
    If you are using Acunetix on Linux, you can launch the Login Sequence Recorder from Terminal by running acunetix-login-recorder.

Target Settings - Login Sequence

After launching the Login Sequence Recorder, your browser may pop up a confirmation dialogue that you wish to open up the LSR. Click on Launch Application or Open link (depending on your browser) to open the Login Sequence Recorder.

LSR Protocol Handler Browser Notice

By default, the LSR will browse to the Target URL that you are configuring the Login Sequence for.

LSR - Navigate to URL

You may start browsing to the login page and perform a successful login. Remember to use correct and valid credentials. With each action that is recorded, the panel on the right will start to be populated with login actions. Since the LSR is recording actions and not HTTP requests, it also works with web applications that make use of anti-CSRF tokens.

Once logged in, you may wish to replay the actions as to ensure that the Login Sequence is valid and is logging in successfully. This can be done by clicking on Play at the bottom-left of the screen.

LSR - Record Login Sequence

The right-hand-side pane shows a list of actions that have been recorded. Clicking on a specific action will reveal Action Properties.on the bottom right-hand-side of the screen. Click next to record restrictions.

Recording Restrictions

Restrictions instruct the Crawler and Scanner not to follow specific links during a scan. Typically, you would want to restrict logout links or other links that might destroy a valid session in order to ensure that the scanner does not get logged out during the scan. The LSR also supports restrictions on HTTP methods commonly used in RESTful web services such as PATCH, PUT, DELETE in addition to the standard GET and POST requests.

If the link you are restricting contains a nonce or a one-time token, you may use wildcards (*) to restrict links with changing values. A Restriction may be set by following the steps below.

  • Click on the link that you wish to restrict.
  • Upon clicking the link, a dialogue will pop up asking if you wish for Acunetix to either
    • Intercept this request (either in its exact form or by using wildcards)
    • Forward such requests which match this request
    • Forward all requests, meaning that there will be no restrictions
    • In this example, we do not need to make any modifications to the Restriction, therefore we can select the first option – Restrict request using exact match
  • The Restriction will be recorded, and shown in the panel on the right. You may add as many restrictions as you need.

LSR - Restrict Link

Identifying a Valid Authentication Session

In the final step, the LSR will try to identify a valid session automatically. The session pattern is required, so that the Scanner will be able to know the difference between an invalid (logged out) and a valid (logged in) session. If the scanner is able to know that the session has been invalidated, it can replay the login sequence and validate the session again.

This is done by comparing the logged in and logged out states of the web application. There may be cases where no difference can be identified automatically. In such cases, you will need to either configure it by navigating to pages and let the LSR identify the pattern, or it can also be done manually. In addition to authentication mechanisms that rely on cookies, the LSR also supports authentication mechanisms that rely on HTML5 LocalStorage.

LSR - Session Detection

While Navigating

  • This can be done by browsing to authenticated areas of the website that will return a different response depending on the user being logged in or logged out.
  • For example, a response from the website will contain the text “Logout” if the user is logged in. If it is not found in the response, the user is not logged in.

Manually

  • The session validation can be manually configured by choosing both the request being sent and the pattern returned.

The session pattern may be verified by clicking Check Pattern at the top of the right-hand-side panel.

Once you click on Finish you will be prompted to save the .lsr file. Upload this saved file onto the Scan Target settings page.

SHARE THIS POST
THE AUTHOR
Acunetix

Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.