Most web applications today use a login mechanism: the user must supply a set of credentials before navigating to the authenticated areas of the application. Those areas expose restricted content and content customised to the logged-in user.

Most of the data that interests an attacker lives in those restricted areas. An SQL Injection vulnerability behind the login, for example, may expose a database that holds far more sensitive information than anything reachable anonymously. A Cross-Site Scripting (XSS) vulnerability in a restricted area can hand the attacker the victim's session cookies, or let them log every keystroke the victim makes in that area.

The fundamental goal of a black-box scanner is to identify vulnerabilities in a web application with no prior knowledge of how that application works. Upon encountering a login form, the scanner needs some way of knowing how to authenticate successfully. It also needs to recognise when it has been logged out, so it can log in again and continue scanning the restricted area. A scanner can get logged out for various reasons: it may follow a link or issue an HTTP request that logs the user out, or the web application may terminate the session after a period of time. In either case the scanner needs a mechanism to detect that it is logged out and, if so, log back in.

Given how complex login mechanisms have become, a scanner must be flexible enough to support whatever login process the web developer has designed. It must also be able to skip sensitive requests (e.g. the logout link) and maintain a valid session throughout the entire scan.

Maintaining an authenticated state for the whole scan is what gives coverage of the authenticated area of the website or web application. This is particularly important when the entire application lies behind an authentication page (e.g. a login portal): without a working session, nothing is scanned at all.

However, teaching an automated scanner to do this effectively and accurately is a challenging task. Simple mechanisms that replay a captured login request, or that try to auto-detect the login fields and fill in a set of user-defined credentials, reach a dead end as soon as the authentication process uses tokens/nonces or CAPTCHAs.

For instance, a web application that embeds a one-time token (nonce) in its login form accepts each token only once, so a captured login request can never be replayed successfully. Authenticating automatically to such an application requires the scanner to obtain a fresh token from the application each and every time it needs to log in, not merely to resend the credentials.

Using Acunetix Login Sequence Recorder

In order to overcome such obstacles, the scanner needs to let users record the login actions, which the scanner then replays whenever it is required during the scan. The Acunetix Login Sequence Recorder allows users to record the set of actions required to log in to the web application. This is done simply by browsing to the login page and logging in as you would in a browser; the Login Sequence Recorder records every action taken.

The Restrictions page allows users to define a list of sensitive requests that the scanner must not process, such as logout links.

The Acunetix Login Sequence Recorder will also detect a way to check whether the session is still active. This is done by checking for patterns in the page that indicate an active (or inactive) session, so the scanner can log back in as soon as the pattern shows it has been logged out.
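The following is an added example, not Acunetix code, that puts the three pieces above together in one small script: a login sequence that fetches a fresh nonce before every login (the replay problem described earlier), a restrictions list that keeps the scanner away from the logout link, and a session check based on a page pattern that only appears when authenticated. The target application is a constructed in-memory stand-in; its paths (`/login`, `/logout`), field names (`username`, `password`, `nonce`), the "Welcome, alice" pattern and the credentials are all assumptions made for the demonstration.

```python
"""Added example (not Acunetix code): login-sequence replay with a single-use
nonce, a restricted-URL list, and pattern-based session detection, run against
a constructed in-memory web application so it works offline."""
import re
import secrets


class MockApp:
    """Constructed stand-in for a target application: single-use login nonce,
    server-side sessions and a logout link (all assumptions, not a real site)."""

    def __init__(self, username, password):
        self.username, self.password = username, password
        self.pending_nonces = set()   # nonces issued but not yet consumed
        self.sessions = set()         # valid session cookie values

    def get(self, path, cookie=None):
        if path == "/login":
            nonce = secrets.token_hex(8)
            self.pending_nonces.add(nonce)
            return f'<form action="/login"><input name="nonce" value="{nonce}"></form>'
        if path == "/logout":
            self.sessions.discard(cookie)      # the request a scanner must never send
            return "<p>You have been logged out</p>"
        if cookie in self.sessions:
            return f'<p>Welcome, {self.username}</p><a href="/logout">Logout</a>'
        return "<p>Please sign in</p>"

    def post(self, path, data):
        if path != "/login":
            return None, "Not found"
        nonce = data.get("nonce")
        if nonce not in self.pending_nonces:
            return None, "Invalid or expired token"
        self.pending_nonces.discard(nonce)     # every nonce is accepted exactly once
        if (data.get("username"), data.get("password")) == (self.username, self.password):
            sid = secrets.token_hex(16)
            self.sessions.add(sid)
            return sid, "OK"
        return None, "Bad credentials"


class LoginSequence:
    """Scanner side: replays the recorded login, re-fetching the nonce each time,
    skips restricted URLs, and re-authenticates when the active-session pattern
    is missing from the page."""

    NONCE_RE = re.compile(r'name="nonce" value="([0-9a-f]+)"')

    def __init__(self, app, username, password, active_pattern, restricted):
        self.app = app
        self.creds = {"username": username, "password": password}
        self.active_pattern = re.compile(active_pattern)
        self.restricted = [re.compile(r) for r in restricted]
        self.cookie = None
        self.logins = 0

    def login(self):
        # Step 1 of the recorded sequence: load the form to obtain a fresh nonce.
        nonce = self.NONCE_RE.search(self.app.get("/login")).group(1)
        # Step 2: submit credentials together with that nonce.
        self.cookie, _ = self.app.post("/login", {**self.creds, "nonce": nonce})
        self.logins += 1
        return self.cookie is not None

    def session_active(self):
        """True when the page pattern recorded as 'logged in' is present."""
        return bool(self.active_pattern.search(self.app.get("/", self.cookie)))

    def is_restricted(self, path):
        return any(r.search(path) for r in self.restricted)

    def fetch(self, path):
        """One scanner request: refuse restricted URLs, re-login if logged out."""
        if self.is_restricted(path):
            return None
        if not self.session_active() and not self.login():
            raise RuntimeError("re-authentication failed")
        return self.app.get(path, self.cookie)


def replay_captured_nonce(app):
    """Why naive replay fails: the same captured nonce is rejected the second time."""
    nonce = LoginSequence.NONCE_RE.search(app.get("/login")).group(1)
    data = {"username": "alice", "password": "s3cret", "nonce": nonce}
    first, _ = app.post("/login", data)
    second, msg = app.post("/login", data)
    return first is not None, second is not None, msg


def demo():
    """Login, scan a page, lose the session server-side, scan again, skip logout."""
    app = MockApp("alice", "s3cret")
    seq = LoginSequence(app, "alice", "s3cret",
                        active_pattern=r"Welcome, alice", restricted=[r"^/logout"])
    first = seq.fetch("/account")     # no session yet: triggers login number 1
    app.sessions.clear()              # simulate the server expiring the session
    second = seq.fetch("/account")    # pattern gone: triggers login number 2
    skipped = seq.fetch("/logout")    # restricted: never sent to the application
    return {"first": first, "second": second, "logins": seq.logins, "skipped": skipped}


if __name__ == "__main__":
    print(demo())
    print(replay_captured_nonce(MockApp("alice", "s3cret")))
```

The session check here runs before every request for simplicity; a real scanner checks periodically to keep the overhead down, and on a real target the "active" pattern should be something only an authenticated page contains (a username, an account menu) rather than text that also appears on the login page.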


Juxhin Dyrmishi Brigjaj

Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.