Authenticated Scans on Applications That Make Use of One-time Tokens or CAPTCHAs

One-Time Tokens add another layer of security, supplementing the username and password with a code that only the individual user has access to (for example by SMS or via a security key). A CAPTCHA has a different purpose, as it provides a test used to identify whether the user is human or an automated system.

Acunetix supports scanning applications that make use of both these security mechanisms. These randomly generated codes or patterns can be manually entered during a scan. This is usually configured as a part of the Login Sequence, and the action is called “Manual Intervention”.

To configure Manual Intervention you will need to navigate to Targets > Click on your scan target > Enable the ‘Site Login’ switch > Select the ‘Use pre-recorded login sequence’ option > Click on the ‘Launch Login Sequence Recorder’ link to launch the LSR and create your login sequence as you would normally do.

During the authentication flow, when you reach the step requiring manual intervention you simply need to click on the ‘Add new custom action’ icon in the toolbar and select ‘manual’:

manual intervention

The Actions recorded should look as follows:

After having added the manual step, stop recording Actions (by selecting the Record icon) and log into the application by providing the One-Time password or Captcha. Proceed to configuring restrictions and session detection as described in this guide.

Once completed you will be able to import your login sequence and save the changes to the Target.

When the Target is scanned, Acunetix will immediately remind you that the Target requires Manual Intervention. You can dismiss the initial notification since it is just a warning so that you do not leave the scan unattended, at least until you perform the manual action.

manual action alert

After the scan initiates, another notification will be shown, which mentions that a scan currently requires manual intervention.

notifications

Click on the bell icon at the top right corner and click on “Resolve this issue” that can be seen in the Manual Intervention notification.

Acunetix will then open up the Manual Intervention window where you can perform the manual action (ie. entering the one time password, or bypassing the CAPTCHA). Proceed to close this window. The scan will then resume with the information that you have supplied.

Should you require any assistance in configuring an LSR using Manual Intervention, contact our support team at support@acunetix.com

Share this post
Bernhard Abele Technical Support Engineer Acunetix.
LinkedIn: https://www.linkedin.com/in/bernhard-abele-a941b3177/

Bernhard Abele is a Technical Support Engineer working for Acunetix. He's a recent graduate in a Bachelors of Science (Hons.) in Computer Systems and Networking, and is gaining experience in Web Application Security, with the hope on developing enough skills to becoming an Application Security Specialist.