Login Sequence Recorder files overview
The Login Sequence Recorder (LSR) in Acunetix enables users to automate login processes for web applications, streamlining authenticated scanning. This guide offers a general overview and a step-by-step walkthrough for configuring an LSR JSON file using Chrome Developer Tools and a text editor.
This document provides an overview of the Login Sequence Recorder in Acunetix. For instructions on how to create LSR files manually, refer to the linked documentation.
Prerequisites
- Google Chrome browser
- Acunetix account with required privileges
- Target web application URL and valid credentials
- Text editor (e.g., Notepad, VS Code, Sublime Text)
Structure of an LSR File
An LSR file is structured in JSON format and consists of four main sections:
- Actions: Defines step-by-step interactions with the login interface (e.g., navigation, entering credentials, and clicking login).
- Restrictions: Specifies URLs or actions that should be avoided (e.g., logging out during a scan).
- Session pattern: Allows the scanner to detect whether it is authenticated.
- Config: Contains additional settings, such as screen dimensions and restricted elements.
Actions
The Actions array in an LSR file contains multiple steps that Acunetix follows to log in to the target web application. Each action includes the following:
- type: Specifies the action type (e.g., navigate, click, change).
- target: Defines the element on which the action is performed, using XPath or CSS selectors.
- parameters: Contains additional metadata, such as alternative element locators and descriptions.
- timeout: Defines the maximum wait time (in milliseconds) for the action to complete.
Acunetix LSR supports several types of actions to accurately replicate user interactions during login:
- Change: Modifies the value of an input field (e.g., entering a username or password).
- Click: Simulates a mouse click on a target element (e.g., clicking the login button).
- Keypress: Mimics pressing a specific key on the keyboard (e.g., pressing "Enter" after entering credentials).
- Manual: Allows user intervention when automatic actions are insufficient.
- Navigate: Directly loads a specified page within the web application.
Restrictions
This component defines constraints that prevent unintended actions during the login process. For example, during a scan you do not want the scanner to log itself out. To avoid this, you can restrict certain actions, such as logging out, by specifying the request that must never be sent.
Here is an example of how to restrict the logout URL:
```json
"restrictions": [
  "GET http://testphp.vulnweb.com/logout.php HTTP/1.1"
]
```
By adding such restrictions, you ensure the scanner does not perform actions outside the intended login process.
Session pattern
The session pattern is a key component that ensures Acunetix correctly identifies an authenticated session and maintains login persistence during scans. Without a proper session pattern, the scanner may fail to recognize an active session, leading to false positives or unnecessary re-login attempts.
How the Session pattern works
Acunetix determines if a session is active by sending a request to a specific URL and checking the response. If the response matches the expected pattern, the scanner assumes the session is valid. Otherwise, it will attempt to reauthenticate.
Here is an example of how the session pattern is defined:
```json
"detection": {
  "type": "statusis",
  "pattern": "200",
  "request": "GET http://testphp.vulnweb.com/userinfo.php HTTP/1.1\n\n",
  "headers": []
}
```
- type: Specifies the detection method. "statusis" means Acunetix checks if the response status code matches the expected value.
- pattern: Defines the expected HTTP status code for a successful session. In this case, 200 (OK) indicates the session is active.
- request: Represents the HTTP request Acunetix sends to verify the session. It attempts to access userinfo.php, a page requiring authentication.
- headers: Lists any additional headers needed for the request (empty in this case).
Choosing the right Session pattern
To ensure reliable session detection, consider these best practices:
- Pick an endpoint that requires authentication: The request should target a page that only authenticated users can access, such as a user profile or dashboard.
- Check for a stable status code: The response should consistently return a 200 status when logged in and a different status (e.g., 403 or 302) when logged out.
- Use a custom response body check if needed: If status codes are unreliable, Acunetix also allows checking specific text patterns in the response body to confirm session validity.
For more information on session detection, refer to the Session detection blog post.
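To show how the pieces above fit together, here is an added example (not Acunetix code) that builds a small LSR document in Python, validates its sections and actions, checks a proposed request against the restrictions list, and applies the "statusis" session pattern to an observed status code. The key names "actions" and "config" and the `parameters.value` field for the change action are assumptions; the restriction and detection fragments are the ones shown on this page.

```python
import re

# Constructed LSR document with the four sections this page describes; the key
# names "actions" and "config" are assumptions, the other two appear on the page.
LSR = {
    "actions": [
        {"type": "navigate", "target": "http://testphp.vulnweb.com", "timeout": 22000},
        {"type": "change", "target": "//INPUT[@name='uname']", "parameters": {"value": "test"}, "timeout": 20000},
        {"type": "click", "target": "//A[@href='userinfo.php']", "timeout": 20000},
    ],
    "restrictions": ["GET http://testphp.vulnweb.com/logout.php HTTP/1.1"],
    "detection": {"type": "statusis", "pattern": "200", "headers": [],
                  "request": "GET http://testphp.vulnweb.com/userinfo.php HTTP/1.1\n\n"},
    "config": {},
}

ACTION_TYPES = {"navigate", "click", "change", "keypress", "manual"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")

def parse_request_line(raw):
    """Split the first line of 'GET http://host/path HTTP/1.1' into (method, url)."""
    m = REQUEST_LINE.match(raw.strip().splitlines()[0])
    if not m:
        raise ValueError("malformed request line: %r" % raw)
    return m.group(1), m.group(2)

def is_restricted(lsr, method, url):
    """True when the request matches a restricted request line (here, the logout URL)."""
    return any(parse_request_line(r) == (method, url) for r in lsr["restrictions"])

def session_is_active(lsr, status_code):
    """Apply a 'statusis' session pattern to the status code of the probe response."""
    det = lsr["detection"]
    if det["type"] != "statusis":
        raise NotImplementedError("only 'statusis' is handled here: %r" % det["type"])
    return str(status_code) == det["pattern"]

def validate(lsr):
    """Return a list of structural problems; an empty list means the file looks sound."""
    problems = ["missing section: " + s for s in ("actions", "restrictions", "detection", "config") if s not in lsr]
    for i, a in enumerate(lsr.get("actions", [])):
        if a.get("type") not in ACTION_TYPES:
            problems.append("action %d: unknown type %r" % (i, a.get("type")))
        elif a["type"] != "manual" and not a.get("target"):
            problems.append("action %d: %s action needs a target" % (i, a["type"]))
    try:
        parse_request_line(lsr["detection"]["request"])
    except (KeyError, IndexError, ValueError) as e:
        problems.append("detection request: %s" % e)
    return problems
```

Running `validate(LSR)` on the constructed document returns an empty list, while a logout request is reported as restricted and a 302 on the probe request is reported as a lost session.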
XML Representation of LSR Actions
Each action in the LSR file can be represented in XML format as follows:
Navigate action
This action is used to navigate to a specific page within the web application, directing the scanner to the desired URL.
```xml
<Action type="navigate">
  <Target>http://testphp.vulnweb.com</Target>
  <Timeout>22000</Timeout>
</Action>
```
Click action
This action mimics a mouse click on a specified element on the page, such as a button or link.
```xml
<Action type="click">
  <Target xpath="//A[@href='userinfo.php' and contains(text(), 'Your profile')]" />
  <Timeout>20000</Timeout>
</Action>
```
Change action
This action simulates entering a value into an input field, such as typing a username or password.
```xml
<Action type="change">
  <Target xpath="//INPUT[@name='uname' and @type='text']" />
  <Value>test</Value>
  <Timeout>20000</Timeout>
</Action>
```
Keypress action
This action mimics pressing a key on the keyboard, such as hitting "Enter" after filling in a form field.
```xml
<Action type="keypress">
  <Target xpath="//DIV[@id='content']/DIV[1]/FORM/TABLE/TBODY/TR[2]/TD[2]/INPUT" />
  <Parameters>
    <Key>Enter</Key>
    <Value>{"code":"Enter","charCode":0,"key":"Enter","keyCode":13}</Value>
    <Type>combination</Type>
  </Parameters>
  <Timeout>20000</Timeout>
</Action>
```
Manual action
This action is used when automated steps are insufficient and require user intervention, such as entering a two-factor authentication (2FA) code.
```xml
<Action type="manual">
  <Timeout>20000</Timeout>
</Action>
```