During a scan, Acunetix 360 clicks all links and submits all forms. Sometimes, this means the session may be terminated (and therefore logged out) during an authenticated scan. However, after logging out, Acunetix 360 must continue to scan the entire website, including the areas usually only available to users after logging in.
Before starting a scan, you must verify form authentication by providing Acunetix 360 with information on which pages require a login.
In order to teach Acunetix 360 how to identify these pages, the Logout Detection feature is employed during authentication verification.
There are two types of logout detection patterns that Acunetix 360 automatically identifies:
- Redirect-based logout detection
- Keyword-based logout detection
Acunetix 360 can use either of these to determine the status of a session. However, in some cases, you may wish to configure them manually.
For further information, see Logout Problems.
Configuring Redirect-Based Logout Detection
Many websites redirect users back to the login form page when a restricted page is requested anonymously without a valid session. If your website does this, you must specify the URL to which users are redirected when they try to access a password-protected page without a valid session, and Acunetix 360 will detect a Redirect-based logout.
- To do this, Acunetix 360 makes an anonymous request to a login-required URL and identifies a Redirect-based logout if an HTTP 30x redirect response is detected. Acunetix 360 simply uses the last URL at which the form authentication simulation ends as the login-required URL. (For example, the form authentication simulation may use a URL such as http://mysite.com/Dashboard/.)
- You can also use wildcards in the URL. For example, if your web application adds a random ID in the URL when accessing the login page, you can use the following URL with a wildcard:
How to Configure Redirect-Based Logout Detection in Acunetix 360
- Log in to Acunetix 360.
- From the main menu, click Scans, then New Scan.
- In the Scan Options section, select the Form Authentication tab. The Form Authentication fields are displayed.
- Enable the Form Authentication checkbox.
- In the Login Form URL field, enter the URL.
- Click New Persona.
- Complete the Username and Password fields.
- Click Verify Login & Logout. The verification operation will start.
- When the process is complete, the Login Simulation/Login Detection sections will be displayed side by side and populated.
Configuring Keyword-Based Logout Detection
Some websites do not issue a redirect when an anonymous request is sent to a login-required URL, or the identified login-required URL displays a page that is very similar to the authenticated page. In such cases, Acunetix 360 will detect and use a Keyword-based logout. This type of logout detection identifies a logged-out session by searching for specific keywords in the HTTP responses: if all of the specified keywords are found in a response, Acunetix 360 determines that the session is currently logged out or has been invalidated.
When using this method, the scanner will look for specific keywords in the HTTP response body. You can specify as many keywords as you want in this list. Acunetix 360 has to match them ALL in an HTTP response to confirm that a session has been terminated. You can also use regular expressions in the keywords. If you do, check the Is Regex? checkbox next to the keyword pattern.
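As an added illustration (not Acunetix 360's own code), the following Python models the two decision rules described above: the redirect-based check on an anonymous request to the login-required URL, with `*` as the only wildcard, and the keyword-based check that requires every keyword (plain or regex) to appear in the response body. The login URL, keywords and HTTP responses are constructed sample values, not captured from any real site.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Keyword:
    """One logout keyword; is_regex mirrors the "Is Regex?" checkbox."""
    pattern: str
    is_regex: bool = False

    def found_in(self, body: str) -> bool:
        if self.is_regex:
            return re.search(self.pattern, body) is not None
        return self.pattern in body

@dataclass
class Response:
    """Minimal stand-in for an HTTP response to a login-required URL."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

def url_matches(url: str, pattern: str) -> bool:
    """Only '*' is a wildcard; every other character must match literally."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, url) is not None

def redirect_logout(resp: Response, redirect_url: str) -> bool:
    """Redirect-based check: a 30x whose Location matches the login URL."""
    if not 300 <= resp.status < 400:
        return False
    return url_matches(resp.headers.get("Location", ""), redirect_url)

def keyword_logout(resp: Response, keywords: list) -> bool:
    """Keyword-based check: ALL keywords must be found in the body."""
    return bool(keywords) and all(k.found_in(resp.body) for k in keywords)

def session_logged_out(resp: Response, redirect_url=None, keywords=()) -> bool:
    """A session counts as logged out if either detection pattern fires."""
    if redirect_url and redirect_logout(resp, redirect_url):
        return True
    return keyword_logout(resp, list(keywords))

# Constructed sample configuration and responses (hypothetical values).
LOGIN_URL = "http://mysite.com/Account/Login?rid=*"  # '*' covers a random ID
KEYWORDS = [Keyword("Sign in"), Keyword(r'name="password"', is_regex=True)]
REDIRECTED = Response(302, {"Location": "http://mysite.com/Account/Login?rid=9f3a"})
LOGIN_PAGE = Response(200, body='<h1>Sign in</h1><input name="password">')
DASHBOARD = Response(200, body="<h1>Dashboard</h1> Welcome back, user")
```

A page that contains only some of the keywords (for example "Sign in" in a footer link on the authenticated dashboard) is not treated as a logout, which is why the ALL rule matters.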
How to Configure Keyword-Based Logout Detection in Acunetix 360
- Log in to Acunetix 360.
- Follow steps 2 to 9 in How to Configure Redirect-Based Logout Detection in Acunetix 360.
- Click New Keyword to specify as many keywords as required.
- Click OK if complete, or Reverify logout settings to configure again.
Configuring Authentication for Non-Supported Login Forms
If you want to configure authentication for non-supported login forms, you can write and upload custom scripts to Acunetix 360.