Using the Acunetix standalone Login Sequence Recorder 

NOTE: This document applies to Acunetix Online.

The Acunetix standalone Login Sequence Recorder (LSR) allows you to record a login sequence (LSR) or a business logic recording (BLR) for use with an internal agent. This is useful when you need an internal agent to scan an internal target that sits behind a login mechanism.

This guide shows you how to install and use the Acunetix standalone Login Sequence Recorder on Windows and Linux, which you can use to record and edit login or business logic sequences for an internal target.

IMPORTANT: The Standalone LSR / BLR needs to be installed on a machine in the same network as the target.

What is an LSR vs BLR?

An LSR is used to perform the following tasks during the crawling and scanning phases:

  • Access form-based password-protected areas.
  • Replay login actions to authenticate to the website or web application.
  • Restrict actions that might invalidate the session such as logout links.

A BLR allows you to:

  • Define multiple input sequences to permit the scanner to reach and test all variations of multi-step web forms or other web application workflows.
  • Define input sequences that fulfill particular constraints to reach parts of a web application, which an automated scanner would otherwise not be able to reach and test.

Installing the Acunetix standalone LSR/BLR

Follow the steps below to download, install, and open the Acunetix standalone Login Sequence Recorder on Windows or Linux.

BLR Mode: Follow the instructions below to install the Acunetix standalone LSR. Then, to start the LSR in BLR mode, open the Command Prompt, change to the Acunetix LSR directory, then run the following command: node lsr logic

How to install the Acunetix LSR on Windows

  1. Click the link below to download the acunetix_lsr_setup.exe file.
  2. Run the installer. When installation is complete, you will have a program group with two items: one to record a login sequence and another to edit a login sequence.
  3. Open the Acunetix Login Sequence Recorder to begin recording a login sequence for an internal target.

How to install the Acunetix LSR on Linux

  1. Click the link below to download the acunetix_lsr.tar.gz file.
  2. Extract the files.
  3. Open Terminal from the newly created folder.
  4. Execute one of the following commands:
     • Launch the LSR Recorder: ./node lsr
     • Launch the LSR Editor: ./node lsr standalone
     • Launch the BLR Recorder: ./node lsr logic

Recording a login sequence

There are three stages to recording a login sequence (.lsr file), which can then be uploaded and used when scanning an internal target with an internal agent. Follow the instructions below to first record the login actions, then record any restrictions, and finally detect a user session.

How to record login actions

  1. Click the Record button if it is not already selected.
  2. Enter the target URL, then click the arrow icon to load the web page within the Acunetix LSR.
  3. Navigate to the area of the page where you need to record the login sequence or business logic and carry out the necessary actions (for example, entering login credentials or filling in a form).
  4. The right-hand side panel displays each action that has been recorded. Select any action to edit it:
     • Select the arrows to change the order of actions in the recording.
     • Select the add icon to add a new action to the recording, or the delete icon to delete an action from the recording.
     • From the Action Properties section, modify the target, timeout, or value.
  5. Select Play to play back the recording.
  6. When you are satisfied with your recording, click Next.

How to record restrictions

Restrictions instruct the crawler and scanner not to follow specific links during a scan. Typically, you would restrict logout links or other links that might destroy a valid session to ensure that the scanner does not get logged out during the scan. The LSR also supports restrictions on HTTP methods commonly used in RESTful web services such as PATCH, PUT, DELETE in addition to the standard GET and POST requests.

If the link you are restricting contains a nonce or a one-time token, you may use wildcards (*) to restrict links with changing values.

  1. Click any buttons or links on your web page that you do not want Acunetix to click when it is crawling and scanning the website.
  2. Upon clicking a button or link, a dialog appears asking whether you want Acunetix to:
     • Restrict the request using an exact match (or by using wildcards)
     • Forward requests that match this request (Do not restrict this request)
     • Forward all requests, meaning that there will be no restrictions (Stop intercepting requests)
  3. Select your preferred option. The restriction will be recorded and shown in the panel on the right. You can add as many restrictions as you need.
  4. Click Next to proceed to the valid session detection phase.
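To show why the exact-match versus wildcard choice above matters for logout links carrying a nonce, here is an added example (not Acunetix code) that models a restriction as an HTTP method plus a URL pattern in which `*` matches any run of characters, and applies a list of restrictions to constructed crawl requests for a hypothetical host `intranet.example`.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Restriction:
    """A recorded restriction: HTTP method plus URL pattern, where '*' stands for
    any run of characters. Added model of the recorder's exact/wildcard choice."""
    method: str
    url_pattern: str

    def matches(self, method: str, url: str) -> bool:
        # Restrictions are per HTTP method, so a GET restriction never blocks a DELETE.
        if method.upper() != self.method.upper():
            return False
        # Everything except '*' is literal; re.fullmatch anchors both ends so that
        # 'http://host/logout?token=*' cannot swallow unrelated URLs.
        regex = ".*".join(re.escape(part) for part in self.url_pattern.split("*"))
        return re.fullmatch(regex, url) is not None


def split_crawl_queue(requests, restrictions):
    """Partition (method, url) pairs into those the crawler may follow and those it must skip."""
    allowed, restricted = [], []
    for method, url in requests:
        if any(r.matches(method, url) for r in restrictions):
            restricted.append((method, url))
        else:
            allowed.append((method, url))
    return allowed, restricted


# Constructed sample: links a crawler might discover on a hypothetical internal target.
BASE = "http://intranet.example"
DISCOVERED = [
    ("GET", f"{BASE}/products"),
    ("GET", f"{BASE}/logout?token=a1b2c3"),   # nonce changes on every page load
    ("GET", f"{BASE}/logout?token=d4e5f6"),
    ("POST", f"{BASE}/cart/add"),
    ("DELETE", f"{BASE}/api/session/42"),     # REST call that would also end the session
    ("GET", f"{BASE}/logout-policy.html"),    # harmless page that merely mentions logout
]

# An exact-match restriction recorded against one nonce value.
EXACT_ONLY = [Restriction("GET", f"{BASE}/logout?token=a1b2c3")]

# Wildcarded restrictions covering every nonce and the session-ending REST call.
WILDCARDED = [
    Restriction("GET", f"{BASE}/logout?token=*"),
    Restriction("DELETE", f"{BASE}/api/session/*"),
]
```

With `EXACT_ONLY` the second logout link (a different nonce) is still followed and would log the scanner out; with `WILDCARDED` both logout links and the DELETE call are skipped while `logout-policy.html` stays crawlable.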

How to detect a user session

The Acunetix LSR immediately starts to check if the request and pattern combination can be used to identify a valid session. The session pattern is used by the scanner to identify the difference between an invalid (logged out) and a valid (logged in) session. If the scanner is able to determine that the session has been invalidated, it can replay the login sequence and validate the session again.

  • A confirmation message is displayed when the LSR has successfully identified a pattern to use for detecting session validity. Click OK to continue.

  • There may be cases where the LSR cannot immediately identify a user session pattern. In such cases, you can still get Acunetix to identify a valid authentication session by browsing to authenticated areas of the website that will return a different response depending on the user being logged in or logged out. For example, a response from the website will contain the text Logout if the user is logged in. If it is not found in the response, it means that the user is not logged in. When you have identified and configured the session pattern, you can verify it by clicking Check Pattern at the top of the right-hand-side panel.

  • Click Finish, then save your .lsr file. Your login sequence is now ready to upload and use with an internal agent for scanning an internal target.

How to manually configure a user session

For manual configuration of a user session you need to identify a reliable difference that the scanner can use to verify whether or not it is logged into the site. The responses sent by the web server need to differ between those of a logged-in user and those of a user who is not logged in. In addition to authentication mechanisms that rely on cookies, the LSR also supports authentication mechanisms that rely on HTML5 LocalStorage.

There are 3 main options for session pattern validation. When you have identified and configured the session pattern, you can verify it by clicking Check Pattern at the top of the right-hand-side panel.

Option 1: Identify a visual difference on one of the web pages. For example, some web pages will show the name of the logged-in user or a Your Basket link only for logged-in users. In such cases, you can instruct the LSR which page to go to (for example, GET http://testphp.vulnweb.com/profile HTTP/1.1). Then set the 'Session VALID if' drop-down to pattern is found in response and set the 'Pattern' to the logged-in specific text or user name.

Option 2: Identify a difference in the HTTP response headers between the logged-in web pages and the not-logged-in version. You can check this with Google Chrome, for example, by using the Inspect feature. The Network tab shows a Response Headers section that could include a header such as X-Logged-In: true when logged in, which is absent or has a different value such as X-Logged-In: false when not logged in. Set the 'Session VALID if' drop-down to pattern is found in headers and set the 'Pattern' to the identified header value (X-Logged-In: true in this example).

Option 3: Identify a web page that returns one HTTP status code when logged in (typically 200) and a different one when not logged in, such as a 404 (not found) or a 500 (server error). Set the 'Session VALID if' drop-down to status code is and set the 'Status' value to the status code returned when logged in (200 in this example).
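As an added example (not Acunetix code), the following models the three 'Session VALID if' options as a single check and exercises it against a constructed, hypothetical cookie-based target: the scan loop re-checks the session before each step and replays the login when the rule reports the session invalid, which is the behaviour the session pattern exists to enable.

```python
import itertools
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict
    body: str


@dataclass
class SessionRule:
    """One 'Session VALID if' option: mode is 'response', 'headers' or 'status'."""
    mode: str
    pattern: str = ""   # used by 'response' and 'headers'
    status: int = 200   # used by 'status'


def session_is_valid(resp: Response, rule: SessionRule) -> bool:
    if rule.mode == "response":                      # Option 1: text in the body
        return rule.pattern in resp.body
    if rule.mode == "headers":                       # Option 2: 'Name: value' header line
        want = rule.pattern.lower()                  # header names are case-insensitive
        return any(want == f"{k}: {v}".lower() for k, v in resp.headers.items())
    if rule.mode == "status":                        # Option 3: status code
        return resp.status == rule.status
    raise ValueError(f"unknown mode {rule.mode!r}")


class FakeTarget:
    """Constructed stand-in for an internal target whose /profile page differs by login state."""
    def __init__(self):
        self.valid_tokens = set()
        self._ids = itertools.count(1)

    def login(self) -> str:          # replaying the recorded login actions yields a new cookie
        token = f"sess{next(self._ids)}"
        self.valid_tokens.add(token)
        return token

    def expire_all(self):            # e.g. server-side timeout or a logout link that was followed
        self.valid_tokens.clear()

    def get_profile(self, cookie: str) -> Response:
        if cookie in self.valid_tokens:
            return Response(200, {"X-Logged-In": "true"}, "<h1>Welcome, alice</h1> <a href=/logout>Logout</a>")
        return Response(404, {"X-Logged-In": "false"}, "<h1>Not found</h1>")


def scan_with_revalidation(target: FakeTarget, rule: SessionRule, steps: int = 3) -> int:
    """Run `steps` scan steps, re-checking the session first; returns how many login replays were needed."""
    cookie, replays = target.login(), 0
    for step in range(steps):
        if step == 1:
            target.expire_all()      # invalidate mid-scan to exercise the re-login path
        if not session_is_valid(target.get_profile(cookie), rule):
            cookie, replays = target.login(), replays + 1
        if not session_is_valid(target.get_profile(cookie), rule):
            raise RuntimeError("login replay did not restore a valid session")
    return replays
```

A body pattern such as Logout is only reliable if the logged-out response never contains that text, which is exactly what Check Pattern lets you confirm before saving the sequence.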

How to edit an LSR file

  1. Open the Acunetix LSR Login Sequence Editor.
  2. Click Open, navigate to your saved .lsr file, and select Open.
  3. The editor window populates with your recorded login sequence actions. Select any step to edit it:
     • Select the arrows to change the order of steps in the recording.
     • Select the add icon to add a new step to the recording, or the delete icon to delete a step from the recording.
     • From the Action Properties section, modify the target, timeout, or value.
  4. Select the Restrictions tab.
  5. Add or remove any restrictions using the add and delete icons. When adding a restriction, type the HTTP request into the Restriction box.
  6. Select the Session detection tab.
  7. Click in the Session Validation Request box to edit the session pattern.
  8. Set the Session Validation Pattern.
  9. Click Save as….

Using a login sequence with an internal target

When configuring your target settings, the Site Login section allows you to upload a pre-recorded login sequence.

  1. On the Target Settings page, enable the Site Login toggle.
  2. Select Use pre-recorded login sequence.
  3. Upload your Login Sequence by selecting your saved .lsr file.

Or, in the Business Logic Recorder section, you can import a BLR file.

  1. In the Business Logic Recorder section of the Target Settings page, select Import BLR.
  2. Upload your Business Logic Recording by selecting your saved .blr file.

For more information, refer to Configuring Targets.
