Scanning restricted areas (Site Login)

If your target web application has restricted areas that require logging into the site, you may need to configure the target settings so that Acunetix can scan those restricted areas. This is done through the Site Login section on the Target Settings page for your selected target. It is also referred to as form authentication. Each available option is explained below.

Automatic Login

Selecting this option tells Acunetix to automatically detect restricted areas and try to identify the steps needed to log in. This works for most web applications that use a simple login process. You need to provide a valid username and password for the scanner to access the restricted area. The scanner automatically detects the login link, the logout link, and the mechanism used to keep the session active. Using the provided credentials, Acunetix can then scan the restricted areas of your target web application. The auto-login option also supports Time-based One-Time Passwords (TOTP) in the login mechanism. For more information, refer to Configuring auto-login and Configuring form authentication with OTP.

Pre-recorded login sequence

For more complex web applications, which might be using a more elaborate login mechanism, you need to launch the built-in Login Sequence Recorder (LSR) and record a login sequence (*.lsr file), which is uploaded and saved with your target settings. Alternatively, you can convert and import a Selenium script file. For more information, refer to Converting Selenium Scripts to Acunetix LSR Files.

A login sequence is used to perform the following tasks during the crawling and scanning phases:

  • Access form-based password-protected areas
  • Replay login actions to authenticate to the website or web application
  • Restrict links and actions the crawler and scanner are allowed to follow (such as logout links), so that the scanner does not terminate its own session
  • Mark actions that require manual intervention each time they are accessed, such as pages with CAPTCHAs, one-time passwords, or two-factor authentication prompts

The built-in LSR also supports the use of Time-based One-Time Passwords (TOTP) in the login mechanism. For more information, refer to Recording a login sequence and Configuring form authentication with OTP.
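The detection steps described above for automatic login (find the login form, find the logout links to exclude from crawling, and check whether the session is still alive before scanning a restricted page) can be illustrated with a small self-contained script. This is an added example and is not Acunetix's own code; Acunetix's real detection logic is not published on this page. The heuristics (a form with a password field is the login form, links whose href or text mention "logout"/"sign out" are logout links, a redirect to the login URL or a login form in the response means the session was lost), the function names, and the sample HTML pages are all assumptions constructed for the example.

```python
"""Illustrative automatic-login detection, added as an example (not Acunetix code).

Shows the three things an auto-login scanner has to work out on its own:
  1. which form is the login form (and which fields carry the credentials),
  2. which links log the session out and must be excluded from the crawl,
  3. whether a response indicates the session is still active.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin

# Assumed heuristic: substrings that usually identify a logout link (href or anchor text).
LOGOUT_HINTS = ("logout", "log-out", "log_out", "log out",
                "signout", "sign-out", "sign_out", "sign out")


class _FormAndLinkCollector(HTMLParser):
    """Collects every <form> (with its <input>s) and every <a> from an HTML page."""

    def __init__(self):
        super().__init__()
        self.forms, self.links = [], []
        self._form = self._a = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").lower(), "inputs": []}
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append({"type": (a.get("type") or "text").lower(),
                                         "name": a.get("name") or "",
                                         "value": a.get("value") or ""})
        elif tag == "a":
            self._a = {"href": a.get("href") or "", "text": ""}

    def handle_data(self, data):
        if self._a is not None:
            self._a["text"] += data

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None
        elif tag == "a" and self._a is not None:
            self.links.append(self._a)
            self._a = None


def _parse(html):
    p = _FormAndLinkCollector()
    p.feed(html)
    return p


def find_login_form(html, page_url):
    """Return the first form with a password field, resolved to an absolute action URL."""
    for form in _parse(html).forms:
        pw = next((i for i in form["inputs"] if i["type"] == "password"), None)
        if pw is None:
            continue
        user = next((i["name"] for i in form["inputs"] if i["type"] in ("text", "email")), None)
        hidden = {i["name"]: i["value"] for i in form["inputs"] if i["type"] == "hidden" and i["name"]}
        return {"action": urljoin(page_url, form["action"]), "method": form["method"],
                "username_field": user, "password_field": pw["name"], "hidden": hidden}
    return None


def build_login_request(form, username, password):
    """Replay step: carry hidden fields (e.g. a CSRF token) and fill in the credentials."""
    data = dict(form["hidden"])
    data[form["username_field"]] = username
    data[form["password_field"]] = password
    return form["method"].upper(), form["action"], data


def find_logout_links(html, page_url):
    """Links the crawler must not follow, or it would log itself out mid-scan."""
    found = []
    for link in _parse(html).links:
        haystack = (link["href"] + " " + link["text"]).lower()
        if any(hint in haystack for hint in LOGOUT_HINTS):
            found.append(urljoin(page_url, link["href"]))
    return found


def is_session_alive(status, headers, body, login_url):
    """Session check before scanning a restricted page.

    Treats a 401/403, a redirect back to the login URL, or a login form in the
    body as 'logged out'; anything else is assumed to be an authenticated page.
    """
    if status in (401, 403):
        return False
    location = headers.get("Location", "")
    if status in (301, 302, 303, 307, 308) and location:
        if urljoin(login_url, location) == login_url:
            return False
    return find_login_form(body, login_url) is None


# Constructed sample pages standing in for a target's login page and dashboard.
SAMPLE_LOGIN_PAGE = """<html><body>
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf" value="abc">
  <input type="submit" value="Log in">
</form>
<a href="/help">Help</a>
</body></html>"""

SAMPLE_DASHBOARD = """<html><body>
<a href="/account">Account</a>
<a href="/signout">Sign out</a>
<a href="/logout?csrf=abc">Log out</a>
</body></html>"""

if __name__ == "__main__":
    form = find_login_form(SAMPLE_LOGIN_PAGE, "https://app.example/login")
    print("login form:", form)
    print("login request:", build_login_request(form, "alice", "s3cret"))
    print("exclude from crawl:", find_logout_links(SAMPLE_DASHBOARD, "https://app.example/"))
    print("session alive on dashboard:", is_session_alive(200, {}, SAMPLE_DASHBOARD, "https://app.example/login"))
    print("session alive after redirect:", is_session_alive(302, {"Location": "/login"}, "", "https://app.example/login"))
```

The session check is the piece that matters most in practice: without it a scanner keeps sending requests after the application has silently expired the session, and every "restricted" page it reports on is really the login page. The logout-link exclusion is the same idea that the LSR's restricted-actions feature above captures manually.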

OAuth

Acunetix supports the OAuth2 authentication mechanism, enabling you to configure scans for websites that require it. For information about adding an OAuth login sequence to a target, refer to Configuring OAuth2 authentication.
