Record login sequence
Recording a login sequence (*.lsr file) for a target may be necessary for scanning web applications with elaborate login mechanisms, such as form-based password-protected areas. A login sequence has three main parts:
- record login actions,
- record restrictions,
- and detect a user session.
This document explains how to create a login sequence for a target using the built-in Invicti Platform Login Sequence Recorder (LSR). If you encounter any LSR issues, refer to the Session detection and LSR advanced troubleshooting documents for instructions on how to resolve them.
Step 1: Record a login sequence
- Select Inventory > Targets from the left-side navigation menu.
- Click on the relevant target in your list of targets to access the Configure Target page.
- Select Authentication from the left-side menu.
- Under Authentication method, select Login sequence recorder.
- Here, you can either use a pre-recorded sequence or record a new sequence.
- To upload a pre-recorded sequence, click Upload sequence, select an .lsr file from your computer and confirm. Click Save target configuration to confirm.
- To record a new sequence, click the New sequence button.
- The LSR window will open and automatically navigate to the target URL.
- Within the LSR window, navigate to the login page and perform a successful login. Remember to use correct and valid credentials.
- With each action recorded, the panel on the right will start to be populated with login actions. Since the LSR records actions and not HTTP requests, it also works with web applications that use anti-CSRF tokens.
- Once logged in, you can replay the actions to ensure that the login sequence is valid and logs in successfully. To do this, click Play at the bottom left of the LSR window.
- Clicking on a specific action in the right-hand panel reveals its Action Properties, where you can modify the target, timeout, or value.
Continue with step 2: Record restrictions below.
Step 2: Record restrictions
Restrictions instruct the crawler and scanner not to follow specific links during a scan. Typically, you may want to restrict logout links or other links that might destroy a valid session in order to ensure that the scanner does not get logged out during the scan. The LSR also supports restrictions on HTTP methods commonly used in RESTful web services such as PATCH, PUT, and DELETE in addition to the standard GET and POST requests. If the link you are restricting contains a nonce or a one-time token, you may use wildcards (*) to restrict links with changing values.
- Click Next to begin recording restrictions.
- Click any buttons or links on your web page that you do not want Invicti to click when it is crawling and scanning the website.
- Upon clicking a button or link, a dialog will pop up asking if you want Invicti to:
  - Restrict request using exact match (or by using wildcards)
  - Forward requests that match this request (Do not restrict this request)
  - Forward all requests, meaning that there will be no restrictions (Stop intercepting requests)
- Make your selection. In this example, we do not need to modify the restriction, so we can select the first option: restrict request using exact match.
- The restriction will be recorded and shown in the panel on the right. You can add as many restrictions as you need.
- Click Next to proceed to the valid session detection phase.
- When you have finished recording restrictions, continue with step 3: Detect the user session below.
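The matching a restriction performs can be illustrated in code. The following is an added example, not Invicti's own code: it assumes that a restriction is written as "METHOD URL", that "*" stands for any run of characters (the usual glob meaning), and that everything else matches literally, so a logout link carrying a one-time token is still caught. The restriction list and request URLs are constructed sample values.

```python
# Added example (not part of the Invicti documentation): a minimal restriction
# matcher showing how a recorded restriction, optionally with "*" wildcards,
# keeps a crawler from following links that would destroy the session, such as
# a logout link whose one-time token changes on every page load.
import re
from typing import List, Pattern


def restriction_to_regex(restriction: str) -> Pattern:
    """Turn 'METHOD URL' with '*' wildcards into an anchored regex.

    Every character except '*' is matched literally (so '?' and '.' in a URL
    keep their plain meaning); each '*' matches any run of characters.
    Assumption: this glob-style reading of '*' is used for the example only.
    """
    literal_pieces = [re.escape(piece) for piece in restriction.split("*")]
    return re.compile("^" + ".*".join(literal_pieces) + "$")


def is_restricted(method: str, url: str, restrictions: List[str]) -> bool:
    """True if 'METHOD url' matches any recorded restriction (method case-insensitive)."""
    request_line = f"{method.upper()} {url}"
    return any(restriction_to_regex(r).match(request_line) for r in restrictions)


# Constructed restrictions: one exact match and two with wildcards.
RESTRICTIONS = [
    "GET https://app.example.test/logout",            # exact match, no token
    "GET https://app.example.test/logout?token=*",    # one-time token varies per page
    "DELETE https://app.example.test/api/session/*",  # RESTful logout endpoint
]


def crawl_decision(method: str, url: str) -> str:
    """What the crawler should do with a discovered link: 'skip' or 'follow'."""
    return "skip" if is_restricted(method, url, RESTRICTIONS) else "follow"


if __name__ == "__main__":
    for method, url in [
        ("GET", "https://app.example.test/logout?token=9f3a1c"),
        ("GET", "https://app.example.test/profile"),
        ("DELETE", "https://app.example.test/api/session/current"),
    ]:
        print(method, url, "->", crawl_decision(method, url))
```

Because the whole request line is anchored, an exact-match restriction on /logout does not accidentally block a different path that merely starts with the same characters; only the entries with "*" are deliberately broad.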
Step 3: Detect the user session
In the final step, the LSR will try to identify a valid session automatically. The session pattern is required so that the scanner can tell the difference between an invalid (logged out) and a valid (logged in) session. If the scanner determines that the session has been invalidated, it can replay the login sequence and validate the session again.
Detecting the user session is achieved by comparing the logged-in and logged-out states of the web application. There may be cases where no difference can be identified automatically. In such cases, you will need to configure the pattern yourself, either by navigating to pages and letting the LSR identify the pattern, or by entering it manually. In addition to authentication mechanisms that rely on cookies, the LSR also supports authentication mechanisms that rely on HTML5 LocalStorage.
To identify a valid authentication session while navigating:
- Browse to authenticated areas of the website that will return a different response depending on the user being logged in or logged out.
- For example, a response from the website will contain the text 'Logout' if the user is logged in. If it is not found in the response, the user is not logged in.
Step 4: Complete the sequence
- Once you have configured restrictions as well as a user session pattern, click Finish.
- You will be returned to the Configure target page, and the login sequence you just created will be automatically attached to the target.
Steps to manually configure a user session pattern
If Invicti is unable to identify a user session pattern, you will have to configure one manually. The important point is that the responses sent by the web server will differ between those of a logged-in user and those of a user who is NOT logged in. Your task is to identify a reliable difference that the scanner can use to verify whether or not it is logged into the site.
Once you have identified and configured the session pattern, you can verify it by clicking Check Pattern at the top of the right-hand side panel.
There are 3 main options for session pattern validation:
Option 1: Validate by visual/text pattern on a web page
- Identify a visual difference on one of the web pages. Some web pages will show, for example, a "Your Basket" link only to logged-in users, or perhaps the name of the logged-in user will be displayed (which would not appear when no user is logged in). In such cases, you can instruct the LSR which page to go to by entering a request like this in the Session Validation Request text area:
GET https://juice-shop.herokuapp.com/profile HTTP/1.1
- Then set the dropdown labeled 'Session VALID if:' to pattern is found in response, and enter the logged-in specific text or user name to the Pattern field.
Option 2: Validate by HTTP response header
- Identify a difference in the HTTP response headers between the logged-in web pages and the not-logged-in version. You can check this in Google Chrome, for example, by using the "Inspect" feature. The Network tab shows a "Response Headers" section that might include a header such as "X-Logged-In: true" when logged in, while the same header is absent, or has a different value such as "X-Logged-In: false", when not logged in.
- Now you can set the dropdown labeled 'Session VALID if:' to pattern is found in headers, and enter the identified header value into the Pattern field.
Option 3: Validate by HTTP status code
- Identify a web page that returns one status code when logged in (typically 200) and a different one when not logged in, such as a 404 (not found) or a 500 (server error). Set the dropdown labeled 'Session VALID if:' to status code is, and enter the valid value into the Status field.
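The comparison described under step 3 and the three "Session VALID if" options above can be shown together in a small script. This is an added example, not Invicti's code: it assumes two constructed responses for the same profile page, one captured logged in and one logged out, implements the body-pattern, header-pattern and status-code checks as plain functions, and shows how a logged-in/logged-out diff surfaces candidate text such as 'Logout'. The check_pattern function mirrors the intent of the Check Pattern button: a rule is reliable only if it accepts the logged-in response and rejects the logged-out one.

```python
# Added example (not part of the Invicti documentation): session validation
# rules over constructed sample responses, plus a logged-in vs logged-out diff
# to find candidate patterns. No real site is contacted.
import re
from typing import Dict, NamedTuple, Optional, Set


class Response(NamedTuple):
    status: int
    headers: Dict[str, str]
    body: str


# Constructed sample responses for "GET /profile" in the two states.
LOGGED_IN = Response(
    200,
    {"Content-Type": "text/html", "X-Logged-In": "true"},
    "<html><body><a href='/logout'>Logout</a> Welcome, alice</body></html>",
)
LOGGED_OUT = Response(
    302,
    {"Content-Type": "text/html", "Location": "/login", "X-Logged-In": "false"},
    "<html><body><a href='/login'>Login</a></body></html>",
)


def valid_by_body_pattern(resp: Response, pattern: str) -> bool:
    """Option 1: session VALID if the pattern is found in the response body."""
    return re.search(pattern, resp.body) is not None


def valid_by_header_pattern(resp: Response, pattern: str) -> bool:
    """Option 2: session VALID if the pattern is found in the response headers."""
    flat_headers = "\r\n".join(f"{name}: {value}" for name, value in resp.headers.items())
    return re.search(pattern, flat_headers) is not None


def valid_by_status(resp: Response, code: int) -> bool:
    """Option 3: session VALID if the status code equals the configured value."""
    return resp.status == code


def session_valid(resp: Response, mode: str, pattern: Optional[str] = None,
                  status: Optional[int] = None) -> bool:
    """Dispatch on the rule type; mode is 'body', 'headers' or 'status' (names assumed)."""
    if mode == "body":
        return valid_by_body_pattern(resp, pattern or "")
    if mode == "headers":
        return valid_by_header_pattern(resp, pattern or "")
    if mode == "status":
        return status is not None and valid_by_status(resp, status)
    raise ValueError(f"unknown mode {mode!r}")


def check_pattern(mode: str, pattern: Optional[str] = None,
                  status: Optional[int] = None) -> bool:
    """A rule is reliable only if it separates the two states:
    valid on the logged-in capture and invalid on the logged-out capture."""
    return (session_valid(LOGGED_IN, mode, pattern, status)
            and not session_valid(LOGGED_OUT, mode, pattern, status))


def candidate_text_patterns(logged_in: Response, logged_out: Response) -> Set[str]:
    """Automatic detection idea: visible words present only when logged in.
    Tags are stripped so link targets (such as '/logout') are not counted."""
    def visible_words(body: str) -> Set[str]:
        text = re.sub(r"<[^>]+>", " ", body)
        return set(re.findall(r"[A-Za-z]{3,}", text))
    return visible_words(logged_in.body) - visible_words(logged_out.body)


if __name__ == "__main__":
    print("candidates:", sorted(candidate_text_patterns(LOGGED_IN, LOGGED_OUT)))
    print("body 'Logout' reliable:", check_pattern("body", pattern="Logout"))
    print("header rule reliable:", check_pattern("headers", pattern="X-Logged-In: true"))
    print("status 200 reliable:", check_pattern("status", status=200))
    print("body 'html' reliable:", check_pattern("body", pattern="html"))
```

The last line is the cautionary case: a pattern such as "html" is found in both states, so check_pattern rejects it; the scanner would otherwise believe it is still logged in after the session had expired and report authenticated pages as unreachable or untested.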