Post-request scripts
Post-request scripts let you read and act on responses, set global variables for use by subsequent requests (in coordination with pre-request scripts), and improve scan coverage and accuracy.
This document covers when to use post-request scripts, how to enable them, and how to write, test, and validate them.
Post-request script usage
Post-request scripts are typically used in the following scenarios:
- Case 1: Verifying if the request was successful and logging the status
- Case 2: Parsing a JSON response to extract a token (e.g., from a login response)
- Case 3: Checking for a specific message within a JSON response
For more details and examples, refer to the Use cases section.
Enable Post-request scripts
Acunetix scanners run post-request scripts automatically after each dispatched request, so the script can inspect the response and act on it.
You can write your script in the Post-Request Scripts tab. Alternatively, you can write it in any text editor and paste it in.
Enable a Post-request script in Acunetix 360 On-Premises
- Select Scans > New Scan from the left-side menu.
- In the Scan Settings section, click Post-Request Script to display the new section.
- Enable the Enabled checkbox.
- Enable the Run on Login checkbox to execute the script on the login response.
- Write your script using JavaScript.
Test Post-request scripts
Acunetix 360 can check the script syntactically to make sure that it does not contain any errors. When the scanner verifies that the script contains no errors, you can begin scanning.
Test a Post-request script in Acunetix 360
- Write a Post-Request script as explained in the Enable a Post-Request Script in Acunetix 360 On-Premises section.
- Click the Test Script button to check the script for syntax errors. If Acunetix finds no error in your script, a confirmation dialog is displayed. Note that this check is syntactic only; it does not run the script against a response.
- Click Launch to start the scan.
- Once the scan has completed, if you used the logInfo, logWarn or logError functions in your script, their output can be seen in the logs.
- To access logs, navigate to the Scan Summary and click the arrow by Download Scan Data button and click Download Scan Data for Windows.
To access the Scan Summary, open the scan's report as described in the Verify requests and responses in Acunetix 360 section below.
Scanning with post-request scripts in Acunetix 360 On-Demand
To use a post-request script in Acunetix 360 On-Demand you need to submit a ticket to our Support Team. Only a support engineer can add a Post-Request script in your account.
How to write post-request scripts
To write a post-request script, you need to specify the global variables; facets, objects and helpers; and the flow of the script (examples provided below). Even though the main goal remains the same, the implementation can vary according to your needs.
In this section we will explain the building blocks in turn and post-request script use cases.
Global Variables
Global variables store a value taken from one response so that it can be retrieved later, typically by a pre-request script that uses it to change part of a subsequent request dynamically. Acunetix's post-request scripts share these variables with pre-request scripts, for example:
invicti.setGlobalVariable('responseStatusCode', response.StatusCode);
The building blocks of post-request scripts: facets, objects and helpers
Facets, objects and helpers are the ingredients of the post-request scripts feature that you can use when writing scripts. In a post-request script, the response object gives you the HTTP response that the scanner just received for the request it sent. (The request object, which represents the request Acunetix is about to send and lets you modify it, is what pre-request scripts work with.)
response.Body
The body of the HTTP response. Accessing response.Body is the core of most post-request scripts: the HTTP Requester fills it in for every request sent during a scan.
response.StatusCode
The numeric HTTP status code of the response (200, 404, 503, etc.).
response.StatusText
The HTTP status text of the response (OK, Not Found, etc.).
Invicti
The invicti object offers properties and methods that are useful in both pre- and post-request scripts.
The most important of them is the request method, which initiates HTTP requests from within a script. This is what you use when request chaining is needed; the request to send is built with the Request object:
var request = new Request('http://example.com/action'); // build the request to dispatch through invicti's request method
CryptoJS
Acunetix's post-request scripts can use the CryptoJS library, a collection of standard cryptographic algorithms (hashes, HMAC, AES and others) implemented in JavaScript.
Here is an example: hashing the response body with SHA-512 and keeping the hex digest.
var responseBody = response.Body;
var bodyHash = CryptoJS.SHA512(responseBody).toString(); // hex-encoded SHA-512 digest of the body
invicti.isLoginContext
This flag indicates whether the current context is a login process.
Use cases
Case 1: Basic check and log
This script checks whether the request was successful and logs the status, using the logInfo and logWarn functions whose output appears in the scan logs.
if (response.StatusCode === 200) {
  logInfo('Request succeeded: ' + response.StatusCode + ' ' + response.StatusText);
} else {
  logWarn('Request failed: ' + response.StatusCode + ' ' + response.StatusText);
}
Case 2: Parsing JSON and extracting a token from login response
This script assumes the response body is JSON and extracts a token from it. invicti.isLoginContext is true only for the response to the login process, which happens at the beginning of the scan, so the block runs once and stores the token as a global variable for pre-request scripts to use.
if (invicti.isLoginContext) {
  var token = JSON.parse(response.Body).token; // assumes a JSON login response with a "token" field
  invicti.setGlobalVariable('authToken', token);
}
Case 3: Conditional logic based on response content
This script parses a JSON response and checks for a specific message in it.
if (response.StatusCode === 200) {
  var json = JSON.parse(response.Body);
  if (json.message === 'expected message') { // replace with the message you are looking for
    logInfo('Found the expected message in the response');
  }
}
Verify post-request scripts
Acunetix can check the script syntactically to make sure that it doesn't contain any errors, but that check does not execute the script. To confirm that the post-request script did what you intended during a scan, pair it with a pre-request script that surfaces the value it set and verify the result manually.
To verify the post-request script, follow these steps:
- Add a global variable in your post-request script to validate its effectiveness. It will be used to confirm that the correct value has been set by the post-request script.
invicti.setGlobalVariable('Test-Header1', 'testValueForTheHeader1');
- Refer to that global variable in the pre-request script. The pre-request script will add this header to the requests, allowing you to view it in the user interface.
request.Headers["Test-Header1"] = invicti.getGlobalVariable('Test-Header1');
- Check the HTTP Request/Response after the scan. If the header carries the value set by the post-request script, the script ran and the variable was passed through. For the exact steps, see Verify requests and responses in Acunetix 360 below.
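The following is an added example that pulls the three use cases above and this verification procedure together as one post-request script plus its pre-request counterpart. It is not code from the Acunetix documentation or product: in the scanner, response, invicti, logInfo, logWarn and logError are globals, whereas here the same logic is wrapped in functions that take them as parameters so it can run offline under a small constructed stand-in for the scripting environment (createScannerStub, which only imitates the handful of members used here and is not the real API). The "token" field, the "maintenance mode" message and the authToken / maintenanceMode variable names are assumptions for illustration. Compared with the snippets above, it also handles the failure modes a practitioner hits in practice: a non-200 response, a body that is not JSON, and a login response without a token, none of which should throw, because an exception in the script would lose the variables the pre-request script depends on.

```javascript
// Constructed stand-in for the scanner's script environment (NOT the Acunetix/Invicti API):
// a global-variable store plus a logger that records what logInfo/logWarn/logError received.
function createScannerStub(isLoginContext) {
  var globals = {};
  var logs = [];
  return {
    invicti: {
      isLoginContext: isLoginContext,
      setGlobalVariable: function (name, value) { globals[name] = value; },
      getGlobalVariable: function (name) { return globals[name]; }
    },
    logInfo: function (m) { logs.push('INFO ' + m); },
    logWarn: function (m) { logs.push('WARN ' + m); },
    logError: function (m) { logs.push('ERROR ' + m); },
    globals: globals,
    logs: logs
  };
}

// Post-request script body. In the scanner these are globals; here they are parameters.
function postRequestScript(response, invicti, logInfo, logWarn, logError) {
  // Case 1: verify the request succeeded and log the status.
  if (response.StatusCode === 200) {
    logInfo('Request succeeded: ' + response.StatusCode + ' ' + response.StatusText);
  } else {
    logWarn('Request failed: ' + response.StatusCode + ' ' + response.StatusText);
    return; // nothing to extract from a failed response
  }

  // Parse the body once. An HTML error page or empty body must not abort the script.
  var json;
  try {
    json = JSON.parse(response.Body);
  } catch (e) {
    logWarn('Response body is not JSON: ' + e.message);
    return;
  }

  // Case 2: on the login response only, keep the session token for later requests.
  if (invicti.isLoginContext) {
    if (typeof json.token === 'string' && json.token.length > 0) {
      invicti.setGlobalVariable('authToken', json.token); // assumed field/variable names
      logInfo('Stored auth token for subsequent requests');
    } else {
      logError('Login response contained no token field');
    }
  }

  // Case 3: conditional logic on response content (assumed application message).
  if (json.message === 'maintenance mode') {
    invicti.setGlobalVariable('maintenanceMode', 'true');
    logWarn('Application reported maintenance mode');
  }
}

// Pre-request counterpart: reads the global variable set above and puts it on the outgoing
// request, which is how a post-request script's result becomes visible in Request/Response.
function preRequestScript(request, invicti) {
  var token = invicti.getGlobalVariable('authToken');
  if (token) {
    request.Headers['Authorization'] = 'Bearer ' + token;
  }
  return request;
}

// Runs a constructed login response through the post-request script, then a follow-up
// request through the pre-request script. Sample data is made up, not captured traffic.
function demo() {
  var env = createScannerStub(true);
  var loginResponse = {
    StatusCode: 200, StatusText: 'OK', Body: '{"token":"abc123","message":"ok"}'
  };
  postRequestScript(loginResponse, env.invicti, env.logInfo, env.logWarn, env.logError);
  var next = preRequestScript({ Headers: {} }, env.invicti);
  return { env: env, next: next };
}
```

To use this in the scanner, drop the function wrappers and paste the body of postRequestScript into the Post-Request Script field (with Run on Login enabled, so the isLoginContext branch sees the login response) and the body of preRequestScript into the pre-request script; the Authorization header on later requests is then the visible proof that the hand-off worked.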
Verify requests and responses in Acunetix 360
- Select Scans > Recent Scans from the left-side menu.
- Next to the relevant scan, select Report.
- Scroll down to the Technical Report section and select the Issues tab.
- From the Scan Summary section, select one of the issues you want to check.
- Select the Request/Response tab to verify whether your script is added to the request.