Recording a login sequence with the Acunetix standalone LSR 

THIS DOCUMENT IS FOR: Acunetix Online

The Acunetix standalone Login Sequence Recorder (LSR) allows you to record a login sequence or business logic (BLR) to use with an internal agent. This is useful in situations where you need to use an internal agent to scan a target that contains a login mechanism and is only accessible within your internal network.

This guide shows you how to record a login or business logic sequence for an internal target after you have installed the Acunetix standalone LSR.

How to record a login sequence

There are three stages to recording a login sequence (.lsr file):

  1. Record login actions 
  2. Record any restrictions
  3. Detect a user session

Follow the instructions in the sections below to record a login sequence using the Acunetix standalone LSR. Then upload the .lsr file to your target in Acunetix for use when scanning with an internal agent.

How to record login actions

Open the Acunetix Login Sequence Recorder (LSR), then follow the steps below to begin recording login actions:

  1. Click the Record button if it is not already selected.
  2. Enter your target URL, then click the arrow icon to load the web page within the Acunetix LSR.
  3. Navigate to the area of the page where you need to record the login sequence or business logic and carry out the necessary actions (for example, entering login credentials or filling in a form).
  4. The right-hand side panel displays each action that has been recorded. Select any action to edit it:
     1. Select the arrows to change the order of actions in the recording.
     2. Use the add and delete controls to add a new action to the recording or to delete an action from it.
     3. From the Action Properties section, modify the target, timeout, or value.
  5. Select Play to play back the recording.
  6. When you are satisfied with your recording, click Next and continue with the instructions below to record restrictions.

How to record restrictions

Restrictions instruct the crawler and scanner not to follow specific links during a scan. Typically, you would restrict logout links or other links that might destroy a valid session to ensure that the scanner does not get logged out during the scan. The LSR also supports restrictions on HTTP methods commonly used in RESTful web services such as PATCH, PUT, and DELETE in addition to the standard GET and POST requests.

If the link you are restricting contains a nonce or a one-time token, you can use wildcards (*) to restrict links with changing values.

  1. Click any buttons or links on your web page that you do not want Acunetix to click when it is crawling and scanning the website.
  2. Upon clicking a button or link, a dialog appears asking if you want Acunetix to:
     • Restrict request using exact match (or by using wildcards)
     • Forward requests that match this request (Do not restrict this request)
     • Forward all requests, meaning that there will be no restrictions (Stop intercepting requests)
  3. Select your preferred option. The restriction will be recorded and shown in the panel on the right. You can add as many restrictions as you need.
  4. Click Next to proceed to the valid session detection phase.
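To make the restriction behaviour concrete, here is an added example (not Acunetix code) of how a crawler can apply recorded restrictions, including the wildcard form used for logout links that carry a nonce or one-time token. The rule format (an HTTP method plus a URL pattern where `*` matches any run of characters), the `example.test` hostname, and the sample crawl queue are all constructed for this illustration; how the LSR stores restrictions internally is not described on this page.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Restriction:
    """One recorded restriction: an HTTP method plus a URL pattern.

    A '*' in the URL pattern matches any run of characters, so a logout link
    whose token changes on every page load can be restricted with one rule.
    (Assumed rule format for this example, not the LSR's own file format.)
    """
    method: str  # "GET", "POST", "PUT", "PATCH", "DELETE", or "*" for any method
    url: str     # exact URL, or a URL containing '*' wildcards

    def _compiled(self) -> "re.Pattern[str]":
        # Escape each literal fragment so '?', '.', '+' and friends are not
        # treated as regex metacharacters, then rejoin the fragments with '.*'
        # wherever the rule contained a '*'.
        fragments = [re.escape(part) for part in self.url.split("*")]
        return re.compile("^" + ".*".join(fragments) + "$")

    def matches(self, method: str, url: str) -> bool:
        if self.method != "*" and self.method.upper() != method.upper():
            return False
        return self._compiled().match(url) is not None


def is_restricted(restrictions: Iterable[Restriction], method: str, url: str) -> bool:
    """True if any recorded restriction applies to this (method, url) request."""
    return any(r.matches(method, url) for r in restrictions)


def filter_crawl_queue(restrictions: Iterable[Restriction],
                       requests: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Drop every (method, url) pair the crawler must not follow."""
    rules = list(restrictions)
    return [(m, u) for (m, u) in requests if not is_restricted(rules, m, u)]


# Constructed sample rules; the hostname is a placeholder.
SAMPLE_RESTRICTIONS = [
    Restriction("GET", "http://example.test/logout"),            # exact match
    Restriction("GET", "http://example.test/logout?token=*"),    # nonce/one-time token
    Restriction("DELETE", "http://example.test/api/session/*"),  # RESTful method
]

# Constructed sample crawl queue.
SAMPLE_QUEUE = [
    ("GET", "http://example.test/profile"),
    ("GET", "http://example.test/logout?token=9f3a"),
    ("DELETE", "http://example.test/api/session/42"),
    ("GET", "http://example.test/api/session/42"),
    ("POST", "http://example.test/logout"),
]

if __name__ == "__main__":
    for m, u in filter_crawl_queue(SAMPLE_RESTRICTIONS, SAMPLE_QUEUE):
        print("crawl:", m, u)
```

Note that in this model a restriction is method-specific: `POST http://example.test/logout` is still crawled even though `GET` to the same URL is restricted. If a logout endpoint accepts several methods, record a restriction for each one (or use a method wildcard), otherwise the scanner can still end its own session.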

How to detect a user session

The Acunetix LSR immediately starts to check if the request and pattern combination can be used to identify a valid session. The scanner uses the session pattern to identify the difference between an invalid (logged out) and a valid (logged in) session. If the scanner determines that the session has been invalidated, it can replay the login sequence and validate the session again.

  1. A confirmation message is displayed when the LSR has successfully identified a pattern to use for detecting session validity. Click OK to continue.
  2. There may be cases where the LSR cannot immediately identify a user session pattern. In such cases, you can still get Acunetix to identify a valid authentication session by browsing to authenticated areas of the website that return a different response depending on whether the user is logged in or logged out. For example, a response from the website will contain the text Logout if the user is logged in; if that text is not found in the response, the user is not logged in. When you have identified and configured the session pattern, you can verify it by clicking Check Pattern at the top of the right-hand side panel.
  3. If the LSR is still unable to identify a user session pattern, you will have to configure one manually (see the section below).
  4. Click Finish, then save your .lsr file.

Your login sequence is now ready to upload to your target for scanning with an internal agent.

How to manually configure a user session

For manual configuration of a user session, you need to identify a reliable difference that the scanner can use to verify whether or not it is logged into the site. The responses sent by the web server need to differ between those of a logged-in user and those of a user who is not logged in. In addition to authentication mechanisms that rely on cookies, the LSR also supports authentication mechanisms that rely on HTML5 LocalStorage.

There are three main options for session pattern validation. When you have identified and configured the session pattern, you can verify it by clicking Check Pattern at the top of the right-hand side panel.

Option 1: Identify a visual difference on one of the web pages. For example, some web pages show the name of the logged-in user or a Your Basket link only for logged-in users. In such cases, you can instruct the LSR which page to go to (for example, GET http://testphp.vulnweb.com/profile HTTP/1.1). Then set the 'Session VALID if' drop-down to pattern is found in response and set the 'Pattern' to the logged-in-specific text or user name.

Option 2: Identify a difference in the HTTP response headers of the logged-in web pages compared to the not-logged-in version. You can check this with Google Chrome, for example, by using the Inspect feature. The Network tab shows a Response Headers section that could include a header such as X-Logged-In: true when logged in, which would be absent or have a different value such as X-Logged-In: false when not logged in. Set the 'Session VALID if' drop-down to pattern is found in headers and set the 'Pattern' to the identified header value (X-Logged-In: true in this example).

Option 3: Identify a web page that returns one HTTP status code when logged in (typically 200) and a different one when not logged in, such as a 404 (not found) or a 500 (server error). Set the 'Session VALID if' drop-down to status code is and set the 'Status' value to the status code returned when logged in (200 in this example).
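The following added example (not Acunetix code) shows the logic behind the three 'Session VALID if' options and the replay behaviour described in the session detection section: a recorded check request is replayed, the response is tested against the chosen condition, and if the session looks invalid the login sequence is replayed before checking again. The `SessionCheck` rule shape, the `FakeSite` stand-in for a target, and its `/profile` URL, header and body text are all constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Response:
    """Minimal view of an HTTP response: status code, headers and body."""
    status: int
    headers: Dict[str, str]
    body: str


@dataclass
class SessionCheck:
    """A recorded 'Session VALID if' rule: the request to replay plus one of
    the three conditions (assumed representation for this example)."""
    method: str
    url: str
    valid_if: str      # "pattern_in_response" | "pattern_in_headers" | "status_code_is"
    pattern: str = ""  # used by the two pattern options
    status: int = 200  # used by the status code option

    def session_is_valid(self, resp: Response) -> bool:
        if self.valid_if == "pattern_in_response":
            # Option 1: text that only a logged-in user sees in the page body
            return self.pattern in resp.body
        if self.valid_if == "pattern_in_headers":
            # Option 2: match against "Name: value" header lines
            lines = [f"{name}: {value}" for name, value in resp.headers.items()]
            return any(self.pattern in line for line in lines)
        if self.valid_if == "status_code_is":
            # Option 3: the status code that only the logged-in user receives
            return resp.status == self.status
        raise ValueError(f"unknown condition: {self.valid_if}")


Fetch = Callable[[str, str], Response]


def ensure_session(check: SessionCheck, fetch: Fetch,
                   replay_login: Callable[[], None]) -> Tuple[bool, bool]:
    """Replay the check request; if the session looks invalid, replay the
    login sequence and check once more. Returns (valid, login_replayed)."""
    if check.session_is_valid(fetch(check.method, check.url)):
        return True, False
    replay_login()
    return check.session_is_valid(fetch(check.method, check.url)), True


class FakeSite:
    """Constructed stand-in for a target whose responses differ by login state."""

    def __init__(self) -> None:
        self.logged_in = False

    def fetch(self, method: str, url: str) -> Response:
        if self.logged_in:
            return Response(200, {"X-Logged-In": "true"},
                            "<a href='/logout'>Logout</a> Welcome, alice")
        return Response(404, {"X-Logged-In": "false"}, "Please sign in")

    def login(self) -> None:   # stands in for replaying the recorded login sequence
        self.logged_in = True

    def logout(self) -> None:  # stands in for the session being invalidated mid-scan
        self.logged_in = False


# One SessionCheck per option, all using the same constructed check request.
CHECKS = {
    "body":   SessionCheck("GET", "/profile", "pattern_in_response", pattern="Logout"),
    "header": SessionCheck("GET", "/profile", "pattern_in_headers", pattern="X-Logged-In: true"),
    "status": SessionCheck("GET", "/profile", "status_code_is", status=200),
}


def demo(kind: str) -> List[Tuple[bool, bool]]:
    """Exercise one option: before login, while logged in, and after a
    forced logout. Each entry is (valid, login_replayed)."""
    site = FakeSite()
    check = CHECKS[kind]
    results = [ensure_session(check, site.fetch, site.login)]  # not logged in: replay
    results.append(ensure_session(check, site.fetch, site.login))  # valid: no replay
    site.logout()                                                  # session invalidated
    results.append(ensure_session(check, site.fetch, site.login))  # detected, recovered
    return results


if __name__ == "__main__":
    for kind in CHECKS:
        print(kind, demo(kind))
```

Two practical points follow from the code. The pattern should be something only a logged-in response contains: if "Logout" also appears in a logged-out page (for example in a help menu), option 1 reports a valid session when there is none and the scan proceeds unauthenticated. And HTTP header names are case-insensitive while this toy matcher compares literal text, so a header pattern should be checked against the exact form the server sends.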
