Form Authentication settings enable you to scan the pages on your website that require user authentication. When Form Authentication is configured, Acunetix 360 tries to login to the website before beginning the crawling and attacking phase. Then, if Acunetix 360 detects the session has ended, it will attempt to log in again during the scan.
- If you notice this happening repeatedly, it means that you have incorrectly configured the Form Authentication.
- If you do not fix the configuration, the scan duration can increase significantly and the scan can be prevented from progressing properly. In this article, we explain what causes this and how to configure Form Authentication correctly.
This topic explains how to analyze and solve these types of session problems.
Causes of Logout During Scanning
This section lists and explains the reasons why logout may happen during scanning. They include:
- Logout Buttons on the Website
- Pages That May Cause Logouts
- Change Password Pages
Logout Buttons on the Website
Acunetix 360 simulates the activities of the end user during a scan, navigating the pages on the site, filling out forms and clicking on buttons. This includes logout buttons for terminating the session on the site.
In the Scan Scope tab of the New Scan window, you can define the URLs you want to exclude. Acunetix 360 has a set of pre-settings in the Exclude URLs with RegEx section to exclude words that may be related to logout.
Although the default RegEx covers various logout and sign-out expressions, it does not cover site-specific pages such as disconnect.php. Acunetix 360 will therefore visit those URLs and log out unless you exclude them manually.
For further information, see How to Configure the Scan Scope in Acunetix 360.
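The following is an added example, not part of the Acunetix 360 documentation or product: it shows how to check an exclusion RegEx against the URLs discovered on a site before scanning, so that session-terminating pages such as disconnect.php are caught. The exclusion pattern is a constructed approximation of a "logout-like" list, not the actual Acunetix 360 default; the URLs and the set of known session-terminating pages are constructed for the example.

```python
import re

# Constructed approximation of a "logout-like URL" exclusion list. This is NOT the
# Acunetix 360 default pattern, only the kind of expression the text describes.
DEFAULT_STYLE_EXCLUDE = r"(?i)(log[-_]?out|sign[-_]?out|logoff)"

# The same list extended with the site-specific page the article warns about.
EXTENDED_EXCLUDE = DEFAULT_STYLE_EXCLUDE + r"|disconnect\.php"

# Constructed sample of URLs a crawler might discover on the site.
DISCOVERED_URLS = [
    "https://example.test/index.php",
    "https://example.test/account/logout",
    "https://example.test/SignOut.aspx",
    "https://example.test/disconnect.php",
    "https://example.test/contact.php",
]

# Pages the site owner knows will end the session (constructed for this example).
SESSION_KILLERS = {
    "https://example.test/account/logout",
    "https://example.test/SignOut.aspx",
    "https://example.test/disconnect.php",
}


def unexcluded_urls(urls, exclude_regex):
    """Return the URLs that would still be crawled under the given exclusion regex."""
    pattern = re.compile(exclude_regex)
    return [u for u in urls if not pattern.search(u)]


def session_killers_missed(urls, exclude_regex, known_session_killers):
    """Session-terminating URLs that the exclusion regex fails to cover.

    Anything returned here is a page the scanner would still visit, and each
    visit would end the session and force a re-login.
    """
    still_crawled = set(unexcluded_urls(urls, exclude_regex))
    return sorted(u for u in known_session_killers if u in still_crawled)


if __name__ == "__main__":
    print("missed with default-style regex:",
          session_killers_missed(DISCOVERED_URLS, DEFAULT_STYLE_EXCLUDE, SESSION_KILLERS))
    print("missed with extended regex:     ",
          session_killers_missed(DISCOVERED_URLS, EXTENDED_EXCLUDE, SESSION_KILLERS))
```

Running the check with the default-style pattern reports disconnect.php as uncovered; adding it to the pattern clears the list, which is the state you want before starting the scan.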
Excluding Buttons Using the CSS Selector
When a logout button does not have a specific URL that can be excluded, you can use a CSS selector to exclude the button itself.
How to Exclude Buttons Using the CSS Selector in Acunetix 360
- From the main menu, click Scan Policies, then the policy you want to edit.
Pages That May Cause Logouts
When Form Authentication is configured and the URL where the login process takes place is within the Scan Scope, Acunetix 360 will also attack the login page. Some websites end all existing sessions when the login page is requested. If your site does this, exclude the login URL from the Scan Scope so that Acunetix 360 does not visit the login page during the scan. To make sure you do not miss anything on the login page itself, you can run a separate scan without Form Authentication configured.
For further information, see Configuring and Verifying Form Authentication in Acunetix 360.
Change Password Pages
Acunetix 360 simulates user behavior, so if your site has change password forms, Acunetix 360 will try to fill in these forms with defined values and send them. Acunetix 360 will also attack these entry points.
It is usual behaviour for password change pages to ask for the current password as a matter of security. If your site does not have such a check, Acunetix 360 may change the password of the current user, after which it is unable to log in again. If your site has such pages, exclude the relevant URLs before initiating the scan.
How Does Logout Detection Work?
Acunetix 360 uses two methods to determine whether a logout has occurred:
- Redirect Based Logout Detection
- Keyword Based Logout Detection
A third option is to disable logout detection entirely.
For further information, see Logout Detection.
Redirect Based Logout Detection
In order to detect the logout mechanism, Acunetix 360 makes a request to the login page without a logged-in session. If the page redirects Acunetix 360 to a different page, Acunetix 360 deduces that every time it encounters that redirect, it has been logged out of the current session.
Sometimes you need to adjust the Redirect URL Pattern manually. For example, if we send a request to dashboard.php without a session, we will be redirected to this URL:
The purpose of the site is to redirect the user to the page in the return_url parameter after logging in.
Let's say that Acunetix 360 learns this pattern from the login URL mentioned above. Then the session somehow ends while it is visiting the contact.php page. In this instance, the site would redirect to this URL:
This does not match the Redirect URL Pattern Acunetix 360 learned before, so Acunetix 360 will not realize that the logout took place, and the scan will end earlier than it should. To solve this problem, update the Redirect URL Pattern using the wildcard character.
This means that, whatever value the return_url parameter is, Acunetix 360 will successfully detect the logout.
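The following is an added example, not part of the Acunetix 360 documentation or product. It reproduces the redirect-based detection problem described above: a pattern learned from the dashboard.php redirect fails when the session ends on contact.php, while the same pattern with the return_url value replaced by a wildcard matches every variant. The login URL and redirect format are constructed stand-ins for the URLs the article omits, and using `*` as the wildcard character is an assumption of this example.

```python
import re

# Constructed stand-in for the site's login URL (the article does not give it).
LOGIN_URL = "https://example.test/login.php"


def redirect_for_unauthenticated(requested_path):
    """Stand-in for the site's behaviour: without a session, every protected page
    redirects to the login page with the original page in return_url."""
    return f"{LOGIN_URL}?return_url={requested_path}"


def wildcard_to_regex(pattern):
    """Turn a pattern using '*' as 'any run of characters' into an anchored regex.

    Every literal part is escaped so that '?' and '.' in the URL stay literal.
    Using '*' as the wildcard is an assumption for this example.
    """
    literal_parts = (re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + ".*".join(literal_parts) + "$")


def is_logged_out(location_header, redirect_url_pattern):
    """Redirect-based detection: a Location header matching the pattern means
    the session is gone and a re-login is needed."""
    if not location_header:
        return False
    return wildcard_to_regex(redirect_url_pattern).match(location_header) is not None


# The pattern "learned" by probing dashboard.php without a session...
LEARNED_PATTERN = redirect_for_unauthenticated("/dashboard.php")
# ...and the same pattern after replacing the return_url value with a wildcard.
WILDCARD_PATTERN = f"{LOGIN_URL}?return_url=*"


def detection_results(pattern):
    """For each page, does the pattern recognise the redirect that follows a
    session loss on that page?"""
    pages = ["/dashboard.php", "/contact.php", "/orders.php"]
    return {p: is_logged_out(redirect_for_unauthenticated(p), pattern) for p in pages}


if __name__ == "__main__":
    print("exact pattern   :", detection_results(LEARNED_PATTERN))
    print("wildcard pattern:", detection_results(WILDCARD_PATTERN))
```

With the exact pattern only the dashboard.php case is recognised; the wildcard pattern recognises the logout regardless of which page the session ended on.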
Keyword Based Logout Detection
Keyword Based Logout Detection is a mechanism that determines whether a logout has occurred when it detects certain keywords in an HTTP response. These keywords are not on the login page, but on the page that is logged out.
Acunetix 360 will make suggestions to you automatically based on the patterns on the page, but you can also configure them manually.
You can also use regular expressions in the keywords. If you do, you must enable the Is Regex? option next to the keyword pattern.
You must make sure that the keywords you define are found only on the logged-out page. If these words appear in the response of any URL during the scan, Acunetix 360 will assume a logout has happened and attempt to log in again. Instead of generic keywords, you will get better results from RegEx expressions.
For example, instead of specifying the username as a keyword, specifying a RegEx expression provides a stricter match:
The reason is that username is a generic keyword, so it can appear on any other page. This causes Acunetix 360 to log in again even though no logout has occurred.
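The following is an added example, not part of the Acunetix 360 documentation or product. It shows, on constructed response bodies, why the generic keyword "username" produces needless re-logins while a stricter regular expression does not. The regex used here (matching the username input of the login form rather than the word in running text) is constructed for the example; the article's own expression is not given.

```python
import re

# Constructed HTTP response bodies. Only the first one is a genuine logged-out
# page (it carries the login form); the others merely mention the word "username".
RESPONSES = {
    "/login.php (after session expiry)": """<h1>Please log in</h1>
<form action="/login.php" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
</form>""",
    "/profile.php": "<p>Your username was last changed 3 days ago.</p>",
    "/help.php": "<p>Forgot your username? Contact the administrator.</p>",
    "/dashboard.php": "<h1>Dashboard</h1><p>Welcome back.</p>",
}
REAL_LOGOUT_PAGE = "/login.php (after session expiry)"

# Generic keyword, as the article warns against.
GENERIC_KEYWORD = "username"
# Stricter pattern (constructed): the username field of the login form itself.
STRICT_REGEX = r'<input[^>]*\bname="username"[^>]*>'


def logged_out_by_keyword(body, keyword):
    """Plain keyword match: the keyword appears anywhere in the response body."""
    return keyword in body


def logged_out_by_regex(body, regex):
    """'Is Regex?' style match: the expression matches somewhere in the body."""
    return re.search(regex, body) is not None


def false_logout_pages(responses, detector, pattern, real_logout_page):
    """Pages wrongly classified as logged-out; each would trigger a needless
    re-login and lengthen the scan."""
    return sorted(path for path, body in responses.items()
                  if path != real_logout_page and detector(body, pattern))


def detects_real_logout(responses, detector, pattern, real_logout_page):
    """Sanity check: the pattern must still fire on the genuine logged-out page."""
    return detector(responses[real_logout_page], pattern)


if __name__ == "__main__":
    for name, detector, pattern in (("keyword", logged_out_by_keyword, GENERIC_KEYWORD),
                                    ("regex  ", logged_out_by_regex, STRICT_REGEX)):
        print(f"{name}: detects real logout =",
              detects_real_logout(RESPONSES, detector, pattern, REAL_LOGOUT_PAGE),
              "| false logouts =",
              false_logout_pages(RESPONSES, detector, pattern, REAL_LOGOUT_PAGE))
```

Both patterns recognise the genuine logged-out page, but only the keyword misfires on the profile and help pages. Before enabling a keyword, run it against a sample of logged-in responses in the same way and confirm the false-logout list is empty.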
If your keyword patterns match the contents of .js and .css files and you experience a logout problem, you can exclude the URLs of these files. When .js and .css files are excluded, Acunetix 360 still requests them so that the site remains fully functional, but it does not run logout detection on their responses.
We recommend that you use the Redirect Based Logout Detection method if your site has a Redirect Based structure, because it is difficult to make sure that the keywords you may use are not already on the pages that are logged in.
If none of these logout detection methods fits the structure of your website, or they cause problems, you can disable logout detection by selecting None. In that case, make sure that the pages that could cause a logout are excluded, because otherwise Acunetix 360 will continue scanning without noticing that the session has ended.
Logout problems interfere with efficient security scanning: they extend the scan time and lead to less accurate results. If you are experiencing logout problems, the solutions provided here should help Acunetix 360 retain the logged-in session throughout crawling and scanning, which reduces scan time and ensures that the website is scanned properly. If you are still experiencing logout problems, please contact firstname.lastname@example.org.