Target Settings - Site Login (scan restricted areas)

If your Target web application has restricted areas that require logging into the site, you may need to configure the target settings so that Acunetix is able to scan those restricted areas. This is done through the Site Login section on the Target Settings page for your selected Target.

Configuring Site Login

To access the Site Login settings, click the Site Login toggle on the Target Settings page for your selected target web application. You now have four main options available to you:

Automatic Login

Selecting this option tells Acunetix to detect restricted areas automatically and try to identify the steps needed to log in. This works for most web applications that use a simple login process. You need to provide the Username and Password for the restricted area. The scanner automatically detects the login link, the logout link, and the mechanism used to keep the session active. Using the provided credentials, Acunetix can then scan the restricted areas of your target web application.

Pre-recorded login sequence

For more complex web applications, which might use a more elaborate login mechanism, launch the Login Sequence Recorder (LSR) and record a login sequence (*.lsr file), which can then be uploaded and saved with your Target settings. Alternatively, you can convert and import a Selenium script file. For more information, refer to Converting Selenium Scripts to Acunetix LSR Files.

A Login Sequence is used to perform the following tasks during the crawling and scanning phases:

  • Access form-based password-protected areas
  • Replay login actions to authenticate to the website or web application
  • Restrict actions that the crawler and scanner can access (such as logout links)
  • Mark actions that require manual intervention each time they are accessed, such as pages with CAPTCHAs, one-time passwords, and two-factor authentication.

How to record a login sequence

  1. Select Use pre-recorded login sequence.
  2. Click New to launch the Login Sequence Recorder.
  3. By default, the LSR browses to the Target URL for which you are configuring the Login Sequence.
  4. Browse to the login page and perform a successful login, using correct and valid credentials. With each action that is recorded, the panel on the right is populated with login actions. Since the LSR records actions rather than HTTP requests, it also works with web applications that use anti-CSRF tokens.
  5. Once logged in, you may wish to replay the actions to ensure that the Login Sequence is valid and logs in successfully. To do this, click Play at the bottom-left of the LSR window.
  6. The right-hand pane lists the actions that have been recorded. Clicking a specific action reveals its Action Properties at the bottom right of the screen. Click Next to record restrictions.
  7. When you have finished recording restrictions, click Next to detect the user session.
  8. Once you have configured a user session pattern, click Finish. You will be returned to the Target Settings page.
  9. Click Save to upload the login sequence file to the Target.

Manual Intervention

NOTE: This feature is not available in Acunetix Online.

Some login pages require additional steps before the "Login" process can be completed – some examples would be CAPTCHA, Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA), and other one-time password (OTP) mechanisms. As you record your login sequence, you will encounter the point where you need to intervene manually to perform a step that cannot be automated.

  • When you encounter this point, select the manual option.

  • The LSR will keep track of this; when you are performing a scan, Acunetix will pause and prompt you for your manual intervention with a popup notification.
  • When you have completed the manual intervention actions, make sure that any actions created by the LSR as part of the manual intervention process are deleted: select each superfluous action and click the delete icon.
  • Now you can continue with the recording of the remaining Login Sequence actions.

How to record restrictions

Restrictions instruct the Crawler and Scanner not to follow specific links during a scan. Typically you will want to restrict logout links, or any other request that would destroy a valid session, so that the scanner does not get logged out part-way through the scan. The LSR also supports restrictions on HTTP methods commonly used in RESTful web services, such as PATCH, PUT, and DELETE, in addition to the standard GET and POST requests. If the link you are restricting contains a nonce or a one-time token, use wildcards (*) to restrict links whose values change.

  1. On the Record Restrictions tab of the LSR window, click the link that you wish to restrict.
  2. A dialogue pops up asking whether you want Acunetix to:
     • Restrict this request, either in its exact form or by using wildcards
     • Forward requests that match this request
     • Forward all requests, meaning that there will be no restrictions

Make your selection. In this example the restriction needs no modification, so select the first option, Restrict request using exact match.

  3. The Restriction is recorded and shown in the panel on the right. You can add as many restrictions as you need.
  4. Click Next to detect the user session.
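The difference between an exact-match restriction and a wildcard one, and the reason restrictions also cover methods such as DELETE, is easiest to see in a small simulation. The Python below is an added example written for this page, not Acunetix code; the wildcard semantics ('*' matches any run of characters, a rule can be bound to one HTTP method or to any) are our approximation of the LSR's behaviour, and the crawled request list and the app.example.com URLs are constructed. The third recommended rule, restricting the password-change action, is a practitioner's caveat rather than something the page states: if the scanner submitted that form, the recorded credentials would stop working and the login sequence could no longer be replayed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Restriction:
    """One crawler/scanner restriction: a request that must not be sent.

    method: an HTTP verb such as GET or DELETE, or "*" for any verb.
    url:    the full request URL; '*' matches any run of characters.
    Both the method handling and the wildcard semantics are our approximation
    of the LSR's behaviour, not its implementation.
    """
    method: str
    url: str

    def matches(self, method: str, url: str) -> bool:
        if self.method != "*" and self.method.upper() != method.upper():
            return False
        # Escape every literal part of the URL, then let each '*' match anything.
        pattern = ".*".join(re.escape(part) for part in self.url.split("*"))
        return re.fullmatch(pattern, url) is not None


def apply_restrictions(requests, restrictions):
    """Split crawled (method, url) pairs into those the scanner may send and those it must skip."""
    allowed, blocked = [], []
    for method, url in requests:
        if any(r.matches(method, url) for r in restrictions):
            blocked.append((method, url))
        else:
            allowed.append((method, url))
    return allowed, blocked


# Constructed sample of what a crawl of a hypothetical target might discover.
BASE = "https://app.example.com"
CRAWLED = [
    ("GET", f"{BASE}/account"),
    ("GET", f"{BASE}/logout?token=1f3a9c"),   # logout link carrying a per-page nonce
    ("GET", f"{BASE}/logout?token=8be041"),   # the same link seen on another page, fresh nonce
    ("DELETE", f"{BASE}/api/session"),        # REST-style logout
    ("PUT", f"{BASE}/api/profile"),           # harmless state change, should stay scannable
    ("POST", f"{BASE}/account/password"),     # would invalidate the recorded credentials
]

# An exact-match restriction, as recorded by clicking a single logout link.
EXACT_ONLY = [Restriction("GET", f"{BASE}/logout?token=1f3a9c")]

# What a practitioner would record instead: wildcard the nonce, cover the
# REST logout verb, and keep the scanner away from the password-change action.
RECOMMENDED = [
    Restriction("GET", f"{BASE}/logout?token=*"),
    Restriction("DELETE", f"{BASE}/api/session"),
    Restriction("POST", f"{BASE}/account/password"),
]

if __name__ == "__main__":
    for name, rules in (("exact match only", EXACT_ONLY), ("recommended", RECOMMENDED)):
        allowed, blocked = apply_restrictions(CRAWLED, rules)
        print(f"{name}: {len(blocked)} blocked, {len(allowed)} allowed")
        for method, url in allowed:
            print(f"  allowed {method} {url}")
```

Run it and compare the two outputs: under the exact-match rule the logout link with the second nonce is still followed, and no GET rule ever touches DELETE /api/session, so the session would be destroyed twice over.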

How to detect the user session

In the final step, the LSR tries to identify a valid session automatically. The session pattern is required so that the scanner can tell the difference between an invalid (logged-out) and a valid (logged-in) session. If the scanner determines that the session has been invalidated, it replays the login sequence and validates the session again.

Detecting the user session is achieved by comparing the logged-in and logged-out states of the web application. In some cases no difference can be identified automatically; you then need to either navigate to pages and let the LSR identify the pattern, or configure the pattern manually. In addition to authentication mechanisms that rely on cookies, the LSR also supports mechanisms that rely on HTML5 LocalStorage.

To identify a valid authentication session while navigating:

  • Browse to authenticated areas of the website that will return a different response depending on the user being logged in or logged out.
  • For example, a response from the website will contain the text 'Logout' if the user is logged in. If it is not found in the response, the user is not logged in.

How to manually configure a user session pattern

If Acunetix is unable to identify a user session pattern, you will have to configure one manually. The important point is that the responses sent by the web server will differ between those of a logged-in user and those of a user who is NOT logged in. Your task is to identify a reliable difference that the scanner can use to verify whether or not it is logged into the site.

When you have identified and configured the session pattern, it can be verified by clicking Check Pattern at the top of the right-hand side panel.

There are 3 main options for session pattern validation:

  • Option 1: Identify a visual difference on one of the web pages. Some pages show, for example, a "Your Basket" link only to logged-in users, or display the name of the logged-in user, which cannot appear when nobody is logged in. In such cases, tell the LSR which page to request by typing a request line like the following in the Session Validation Request text area:

GET https://juice-shop.herokuapp.com/profile HTTP/1.1

Then set the dropdown labelled 'Session VALID if:' to pattern is found in response, and enter the logged-in-specific text or user name in the Pattern field.

  • Option 2: Identify a difference in the HTTP response headers between the logged-in and the not-logged-in version of a page. You can check this in Google Chrome, for example, with the "Inspect" feature: the Network tab shows a "Response Headers" section, which might include a header such as "X-Logged-In: true" that is absent, or carries a different value such as "X-Logged-In: false", when the user is not logged in.

Now set the dropdown labelled 'Session VALID if:' to pattern is found in headers, and enter the identified header value in the Pattern field.

  • Option 3: Identify a web page that returns one HTTP status code when logged in (typically 200) and a different one when not logged in, such as a 302 redirect to the login page, a 403 (forbidden), a 404 (not found), or a 500 (server error). Set the dropdown labelled 'Session VALID if:' to status code is, and enter the logged-in status code in the Status field.
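All three 'Session VALID if:' options reduce to one question: does the rule report VALID for the logged-in response and INVALID for the logged-out one? The Python below is an added example, not the LSR's code, that applies each option to a constructed pair of responses for GET /profile and reports whether a candidate pattern is reliable. Only the header name X-Logged-In is taken from the text; the response bodies, the other headers and the user name are invented, and the code treats the Pattern field as a regular expression, which is an assumption about the LSR.

```python
import re
from dataclasses import dataclass


@dataclass
class Response:
    """Minimal HTTP response: status code, headers, body."""
    status: int
    headers: dict
    body: str


@dataclass
class SessionPattern:
    """One 'Session VALID if:' rule, mirroring the LSR's three options.

    mode "response": pattern is found in the response body
    mode "headers":  pattern is found in a response header line ("Name: value")
    mode "status":   the status code equals `status`
    `pattern` is treated as a regular expression; that is an assumption about
    the LSR's Pattern field, check the product's own syntax before relying on it.
    """
    mode: str
    pattern: str = ""
    status: int = 0

    def session_valid(self, resp: Response) -> bool:
        if self.mode == "response":
            return re.search(self.pattern, resp.body) is not None
        if self.mode == "headers":
            header_lines = (f"{name}: {value}" for name, value in resp.headers.items())
            return any(re.search(self.pattern, line) for line in header_lines)
        if self.mode == "status":
            return resp.status == self.status
        raise ValueError(f"unknown mode {self.mode!r}")


def check_pattern(rule: SessionPattern, logged_in: Response, logged_out: Response):
    """Return (reliable, reason). A rule is usable only if it reports VALID for the
    logged-in response AND INVALID for the logged-out one; either miss is a failure mode."""
    on_in = rule.session_valid(logged_in)
    on_out = rule.session_valid(logged_out)
    if on_in and not on_out:
        return True, "ok: tells logged-in and logged-out apart"
    if on_in and on_out:
        return False, "unreliable: also matches logged out, scanner would never notice a lost session"
    return False, "unreliable: does not match logged in, scanner would replay the login on every check"


# Constructed responses for GET /profile in both states (not captured from any real site).
LOGGED_IN = Response(
    200,
    {"Content-Type": "text/html", "X-Logged-In": "true"},
    "<nav><a href='/account'>My Account</a> <a href='/logout'>Logout</a></nav>"
    "<h1>Welcome, alice</h1>",
)
LOGGED_OUT = Response(
    302,
    {"Content-Type": "text/html", "X-Logged-In": "false", "Location": "/login"},
    "<nav><a href='/account'>My Account</a></nav>"
    "<p>Please <a href='/login'>log in</a> to view your profile.</p>",
)

CANDIDATES = {
    "body: Welcome, alice": SessionPattern("response", pattern=r"Welcome, alice"),
    "body: Logout": SessionPattern("response", pattern=r"Logout"),
    "body: My Account": SessionPattern("response", pattern=r"My Account"),      # present in both states
    "header: X-Logged-In": SessionPattern("headers", pattern=r"X-Logged-In"),   # header present in both states
    "header: X-Logged-In: true": SessionPattern("headers", pattern=r"X-Logged-In: true"),
    "status: 200": SessionPattern("status", status=200),
}


def evaluate_candidates(candidates=CANDIDATES, logged_in=LOGGED_IN, logged_out=LOGGED_OUT):
    """Run check_pattern over every candidate; returns {label: (reliable, reason)}."""
    return {label: check_pattern(rule, logged_in, logged_out) for label, rule in candidates.items()}


if __name__ == "__main__":
    for label, (reliable, reason) in evaluate_candidates().items():
        print(f"{'PASS' if reliable else 'FAIL'} {label:28} {reason}")
```

This is the check that Check Pattern performs for you; the value of running it by hand is in the failing rows. 'My Account' appears in both states, and the bare header name X-Logged-In is present in both, so either would leave the scanner convinced it was still logged in after the session had died, and the restricted areas would be scanned unauthenticated without any warning.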

How to set up an OAuth login sequence

Acunetix supports the OAuth2 authentication mechanism, allowing you to configure targets for web applications that require OAuth2. To create a new OAuth Login Sequence, follow the steps below:

  1. Navigate to the Target Settings page for the target for which you wish to record a Login Sequence.
  2. Scroll down to the Site Login section and click the Site Login toggle (enabled is purple).
  3. Select Use OAuth for this site. This exposes the configuration fields.
  4. Set the Grant Type to one of the OAuth2 authentication flow mechanisms. The supported Grant Types are:
     • Authorization Code
     • Implicit
     • Client Credentials
     • Password Credentials
     Note that the Implicit and Password Credentials grants are deprecated by the OAuth 2.0 Security Best Current Practice (RFC 9700); prefer Authorization Code or Client Credentials unless the target's provider only supports the legacy grants.
  5. Set the Access Token URL and the Authorization URL (only for the Authorization Code Grant Type) for the Authentication Provider. You can obtain the URL(s) from the Authentication Provider (e.g. Google or Facebook).
  6. Set the Redirect URI for your target. This is the URI to which the user is redirected after completing the login process with the Authentication Provider. Providers reject a redirect URI that does not exactly match one registered for the client, so copy it from the provider's registration rather than retyping it.
  7. Set the Client ID and Client Secret fields for your target. These are the unique values the Authentication Provider assigned to your web application when you registered it for login functionality.
  8. Some OAuth2 authentication flows require the State field to be populated.
  9. Set the Scope field to a space-delimited list of the scopes (permissions) being requested.
  10. Some OAuth2 authentication flows require the Username and Password fields to be filled in.
  11. OAuth2 authentication flows that require a 3-legged sequence, such as filling in username and/or password fields in a separate step or clicking a Confirm or Allow button, are also supported. Clicking the 3-Legged Sequence button launches the Login Sequence Recorder window to present the OAuth2 Authentication Provider's dialog. When you have completed the login sequence, the window closes automatically.
  12. Click Save at the top of the Target Settings page to save your target's settings.
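To see which Site Login field feeds which part of the flow, the Python below (an added example, not Acunetix's implementation) builds the two protocol messages a configured grant type needs according to RFC 6749, the redirect to the Authorization URL and the form POST to the Access Token URL, and lists fields the grant requires but that are still empty. The provider URLs, client id, secret, state and scope are constructed; the grant-type keys use the RFC 6749 grant_type strings rather than the dropdown labels, and a confidential client (one that holds a Client Secret) is assumed for the Authorization Code grant.

```python
from urllib.parse import urlencode

# The Site Login fields as configured for a hypothetical provider and target.
# Every URL, client id and secret here is constructed for illustration.
CONFIG = {
    "grant_type": "authorization_code",   # or implicit / client_credentials / password
    "authorization_url": "https://auth.example.com/oauth2/authorize",
    "access_token_url": "https://auth.example.com/oauth2/token",
    "redirect_uri": "https://app.example.com/oauth/callback",
    "client_id": "acunetix-scanner",
    "client_secret": "replace-with-the-registered-secret",
    "state": "7f3a9c",
    "scope": "openid profile",
    "username": "",
    "password": "",
}

# Fields each grant type needs before the flow can start (RFC 6749, confidential client).
REQUIRED_FIELDS = {
    "authorization_code": {"authorization_url", "access_token_url", "redirect_uri",
                           "client_id", "client_secret"},
    "implicit": {"authorization_url", "redirect_uri", "client_id"},
    "client_credentials": {"access_token_url", "client_id", "client_secret"},
    "password": {"access_token_url", "client_id", "client_secret", "username", "password"},
}


def missing_fields(cfg):
    """Fields that are empty but required by the selected grant type."""
    return sorted(f for f in REQUIRED_FIELDS[cfg["grant_type"]] if not cfg.get(f))


def authorization_request(cfg):
    """The browser redirect the scanner must follow; None for grants that never use the Authorization URL."""
    response_type = {"authorization_code": "code", "implicit": "token"}.get(cfg["grant_type"])
    if response_type is None:
        return None
    params = {
        "response_type": response_type,
        "client_id": cfg["client_id"],
        "redirect_uri": cfg["redirect_uri"],
    }
    if cfg["scope"]:
        params["scope"] = cfg["scope"]
    if cfg["state"]:
        params["state"] = cfg["state"]   # echoed back on the redirect; binds the callback to this request
    return f"{cfg['authorization_url']}?{urlencode(params)}"


def token_request(cfg, code=None):
    """The back-channel POST to the Access Token URL; None for implicit, which receives its token on the redirect."""
    grant = cfg["grant_type"]
    if grant == "implicit":
        return None
    body = {"grant_type": grant}
    if grant == "authorization_code":
        body["code"] = code                          # value returned on the Redirect URI
        body["redirect_uri"] = cfg["redirect_uri"]   # must equal the one sent on the authorization request
    elif grant == "password":
        body["username"] = cfg["username"]
        body["password"] = cfg["password"]
    if grant in ("client_credentials", "password") and cfg["scope"]:
        body["scope"] = cfg["scope"]                 # for the code grant, scope was already sent on the redirect
    return {
        "url": cfg["access_token_url"],
        "basic_auth": (cfg["client_id"], cfg["client_secret"]),   # client authentication
        "form": body,
    }


if __name__ == "__main__":
    for grant in REQUIRED_FIELDS:
        cfg = dict(CONFIG, grant_type=grant)
        print(f"== {grant}: missing {missing_fields(cfg) or 'nothing'}")
        print("   authorize:", authorization_request(cfg))
        print("   token:", token_request(cfg, code="authz-code-from-redirect"))
```

Reproducing the token request with curl (client id and secret as HTTP Basic credentials, the form body as -d fields) is a quick way to confirm that the provider accepts the configured values before starting a scan, and the output for the password grant shows why its Username and Password fields cannot stay empty.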
