Logout detection - Issues
Form Authentication settings allow you to scan web pages that require user authentication. When configured, Invicti attempts to log in before starting the crawling and attack phases. If the session expires during the scan, Invicti will try to log in again.
If this process keeps repeating, it indicates a misconfiguration in Form Authentication. Failing to correct the setup can lead to significantly longer scan times and hinder progress.
If you need to learn more about form authentication, refer to Configure and verify form authentication or to Custom Scripts for Form Authentication to modify Invicti's automatic authentication.
This document examines the causes of the logout detection issue and offers guidance on proper configuration.
Causes of logout during scanning
This section lists and explains the reasons why logout may happen during scanning. They include:
- Change-password pages
- Pages that trigger logouts
- Logout buttons on the website
Change-password pages
Invicti simulates user behavior, meaning it will attempt to fill out and submit password forms using predefined values. It will also test these entry points for vulnerabilities.
Typically, password change pages require the current password for security reasons. However, if your site does not enforce this, Invicti may inadvertently change the user's password, preventing it from logging in again.
To avoid this issue, it is recommended to exclude such URLs before starting the scan.
Pages that trigger logouts
When Form Authentication is configured, Invicti will also test the login process if its URL is within the scan scope. Some websites automatically terminate all active sessions when the login page is accessed.
If your site behaves this way, you should exclude the login URL from the scan scope to prevent Invicti from repeatedly visiting it during the scan. However, to ensure no security issues on the login page are overlooked, you can run a separate scan without enabling Form Authentication.
For more information, refer to Form Authentication.
Logout buttons on the website
Invicti mimics end-user actions during a scan, navigating through site pages, filling out forms, and clicking buttons—including logout buttons that terminate the session.
To prevent unintended logouts, you can define exclusion rules in the Scope section of the New Scan screen. Invicti provides preset Exclude URLs with RegEx options to filter out words related to logout. Alternatively, you can enable Exclude Authentication Pages to automatically exclude authentication-related pages, such as login and logout, from the scan scope.
The default RegEx includes various logout and sign-out expressions, but it may not cover certain pages, such as disconnect.php. As a result, Invicti may visit these URLs and log out during the scan. To prevent this, you should manually exclude such pages from the scan scope.
For further information, see How to configure the scan scope.
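The two paragraphs above describe a keyword RegEx that catches most logout URLs but lets a page such as disconnect.php through. The following is an added example, not Invicti's own code or its default RegEx: both patterns and the sample URL list are constructed for illustration, and the code shows which crawl URLs a generic keyword pattern would skip, which one it misses, and how a site-specific extension closes that gap.

```javascript
// Added example, not Invicti's code. Shows how a keyword-based exclusion RegEx
// filters crawl URLs, why a page like disconnect.php slips through it, and how
// a site-specific extension closes that gap. Both patterns are constructed for
// illustration; they are not the RegEx that ships with Invicti.
const GENERIC_LOGOUT_PATTERN = /log[-_]?out|log[-_]?off|sign[-_]?out|sign[-_]?off/i;

// Same keywords plus the application-specific endpoint the generic list misses.
const SITE_LOGOUT_PATTERN = /log[-_]?out|log[-_]?off|sign[-_]?out|sign[-_]?off|disconnect\.php/i;

// Constructed sample of URLs a crawler might discover on the target.
const SAMPLE_URLS = [
  "https://app.example.test/dashboard",
  "https://app.example.test/account/logout",
  "https://app.example.test/auth/sign-out?redirect=/",
  "https://app.example.test/disconnect.php",
  "https://app.example.test/help/logout-policy.html",
  "https://app.example.test/reports/2024",
];

// Split URLs into those the scanner would skip and those it would crawl.
function partitionUrls(urls, pattern) {
  const excluded = [];
  const crawled = [];
  for (const url of urls) {
    (pattern.test(url) ? excluded : crawled).push(url);
  }
  return { excluded, crawled };
}

// URLs that the generic pattern lets through but the site-specific one catches.
function coverageGap(urls) {
  return urls.filter(
    (u) => !GENERIC_LOGOUT_PATTERN.test(u) && SITE_LOGOUT_PATTERN.test(u),
  );
}

// Human review of what the pattern excludes. Note that the keyword match also
// drops the help page about the logout policy, which is a legitimate page to
// scan; anchor the pattern to path segments if that matters for your site.
if (typeof require !== "undefined" && require.main === module) {
  console.log(partitionUrls(SAMPLE_URLS, GENERIC_LOGOUT_PATTERN));
  console.log("missed by generic pattern:", coverageGap(SAMPLE_URLS));
}
```

Run it with node to see the split; the point to take away is that a keyword list is only as good as the application's naming, so after the first scan review the crawled URLs for any session-ending endpoint that the generic words did not catch and add it explicitly.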
Excluding elements using the CSS selector
If the logout process relies on JavaScript, Invicti may not recognize the logout buttons. This method has become more common with the rise of Single Page Applications (SPAs).
Because no specific URL can be excluded in this case, you can use a CSS selector to exclude the buttons or other HTML elements together with their content.
How to exclude HTML elements and their content with CSS selectors
You can exclude specific HTML elements and their exact content using:
- element:contains("text")
NOTE:
Example of a button:
<button class="my-button">Do not click</button>
- Exclusion Pattern: button:contains("Do not click")
Example of an anchor:
<a href="/logout">Logout</a>
- Exclusion Pattern: a:contains("Logout")
How to exclude buttons using the CSS selector
- From the main menu, click Scan Policies, then the policy you want to edit.
- Click the JavaScript tab.
- In the Exclude by CSS Selector field, enter a CSS selector that defines which element(s) should be excluded from the scan. All matched elements are excluded together with their children. To test a selector, run it in Chrome with the document.querySelectorAll JavaScript function. Note that a selector that is not very specific, i.e. one that matches many items at any given time, will negatively affect scan performance.
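The element:contains("text") pattern introduced above and the specificity note in the last step are illustrated by the following added example, which is not Invicti's code. It emulates the pattern against a small constructed in-memory page so the match can be checked offline. It assumes that :contains() is a case-sensitive substring match on the element's text content, as in jQuery; this page does not spell out Invicti's exact matching rules. One caveat for the Chrome test in the step above: :contains() is not part of the CSS Selectors standard, so document.querySelectorAll rejects it; that browser check works for standard selectors such as button.logout or a[href="/logout"].

```javascript
// Added example, not Invicti's code. Emulates an Exclude by CSS Selector pattern
// of the form element:contains("text") against a small constructed DOM so the
// pattern can be checked offline. Assumption: :contains() is a case-sensitive
// substring match on the element's text content, as in jQuery; the page does
// not spell out Invicti's exact matching rules.

// Turn 'button:contains("Log out")' into { tag: "button", text: "Log out" }.
function parseContainsPattern(pattern) {
  const m = /^([a-zA-Z][\w-]*):contains\("([^"]*)"\)$/.exec(pattern.trim());
  if (!m) throw new Error(`Unsupported exclusion pattern: ${pattern}`);
  return { tag: m[1].toLowerCase(), text: m[2] };
}

// Minimal element model; id is only a label so results can be inspected.
function el(tag, id, text, children = []) {
  return { tag, id, text, children };
}

// Concatenated text of the element and its descendants, like Node.textContent.
function textContent(node) {
  return node.text + node.children.map(textContent).join("");
}

function matches(node, parsed) {
  return node.tag === parsed.tag && textContent(node).includes(parsed.text);
}

// A matched element is excluded together with all of its children, so the
// walk records the whole subtree and does not look for further matches inside.
function collectExcluded(node, parsed, out = []) {
  if (matches(node, parsed)) {
    markSubtree(node, out);
  } else {
    for (const child of node.children) collectExcluded(child, parsed, out);
  }
  return out;
}

function markSubtree(node, out) {
  out.push(node.id);
  for (const child of node.children) markSubtree(child, out);
}

// Constructed page: a navigation bar whose logout control is a JavaScript
// button, so there is no logout URL to exclude.
const PAGE = el("body", "body", "", [
  el("nav", "nav", "", [
    el("a", "home-link", "Home"),
    el("button", "logout-btn", "Log out", [el("span", "logout-icon", "")]),
    el("button", "profile-btn", "Profile"),
  ]),
  el("main", "main", "Welcome back"),
]);

// Ids of every element the given pattern would exclude from the scan.
function excludedIds(pattern) {
  return collectExcluded(PAGE, parseContainsPattern(pattern));
}

// Rough specificity check in the spirit of the performance note: how many
// elements on the page does the pattern match at all?
function matchCount(pattern) {
  const parsed = parseContainsPattern(pattern);
  let count = 0;
  (function walk(node) {
    if (matches(node, parsed)) count += 1;
    node.children.forEach(walk);
  })(PAGE);
  return count;
}
```

Calling excludedIds('button:contains("Log out")') returns the logout button and its icon child, while excludedIds('button:contains("Logout")') returns nothing because the substring does not appear in the button text; a pattern as loose as button:contains("o") also excludes the profile button, which is the kind of over-broad selector the performance note warns about.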