
Invicti Standard – Logout detection – Issues

This document is for:
Invicti Standard

Form Authentication settings allow you to scan web pages that require user authentication. When configured, Invicti attempts to log in before starting the crawling and attack phases. If the session expires during the scan, Invicti will try to log in again.

If this process keeps repeating, it indicates a misconfiguration in Form Authentication. Failing to correct the setup can lead to significantly longer scan times and hinder progress.

If you need to learn more about form authentication, refer to Configure form authentication, Verify form authentication, or Custom Scripts for Form Authentication to modify Invicti's automatic authentication.

This document examines the causes of the logout detection issue and offers guidance on proper configuration.

Activity panel

During a scan, you can view the login phase in the Activity Panel.

When the login process is successful, you will see a log entry recording the login. A healthy scan shows only a few of these entries: one at the start of the scan and one for each genuine session expiry.

If you see numerous login events in the Activity Panel logs during a scan, the scanner is unable to keep a logged-in session. The pattern is a loop:

  • Something on the site (a page, form or button the crawler touches) terminates Invicti's session unexpectedly
  • Invicti's logout detection notices that the session has ended and logs in again, after which the cycle repeats

Causes of logout during scanning

This section lists and explains the reasons why logout may happen during scanning. They include:

  • Change-password pages
  • Pages that trigger logouts
  • Logout buttons on the website

Change-password pages

Invicti simulates user behavior, meaning it will attempt to fill out and submit password forms using predefined values. It will also test these entry points for vulnerabilities.

Typically, password change pages require the current password for security reasons. However, if your site does not enforce this, Invicti may inadvertently change the user's password, preventing it from logging in again.

To avoid this issue, it is recommended to exclude such URLs before starting the scan.

Pages that trigger logouts

When Form Authentication is configured, Invicti will also test the login process if its URL is within the scan scope. Some websites automatically terminate all active sessions when the login page is accessed.

If your site behaves this way, you should exclude the login URL from the scan scope to prevent Invicti from repeatedly visiting it during the scan. However, to ensure no security issues on the login page are overlooked, you can run a separate scan without enabling Form Authentication.

For more information, refer to Configure form authentication

Logout buttons on the website

Invicti mimics end-user actions during a scan, navigating through site pages, filling out forms, and clicking buttons—including logout buttons that terminate the session.

To prevent unintended logouts, you can define exclusion rules in the Scope section of the New Scan screen. Invicti provides preset Exclude URLs with RegEx options to filter out words related to logout. Alternatively, you can enable Exclude Authentication Pages to automatically exclude authentication-related pages, such as login and logout, from the scan scope.

The default RegEx includes various logout and sign-out expressions, but it may not cover certain pages, such as disconnect.php. As a result, Invicti may visit these URLs and log out during the scan. To prevent this, you should manually exclude such pages from the scan scope.

For further information, see How to Configure the Scan Scope.
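The three exclusions described above (change-password pages, a login page that ends all sessions, and logout handlers with unusual names such as disconnect.php) are all expressed as regular expressions in the scan scope, and a pattern that is too broad silently removes legitimate pages from the scan. The following Python script is added here as an example and is not part of Invicti: it previews a rule set against a constructed list of URLs and reports both pages that should have been excluded but were not, and pages excluded by accident. The patterns, the app.example.com hostname and the URLs are assumptions for illustration; they are not Invicti's preset Exclude URLs with RegEx entries.

```python
import re

# Constructed for this example; these are NOT Invicti's preset exclusion rules.
# BROAD is the kind of bare keyword rule that over-excludes; TIGHT requires the
# keyword to start a path segment and end at a word boundary.
BROAD_LOGOUT_RULE = r"(?i)log[-_]?out|sign[-_]?out"
TIGHT_LOGOUT_RULE = r"(?i)/(log[-_]?out|sign[-_]?out|sign[-_]?off)\b"

# Site-specific rules for the cases described in this document (assumed paths/host).
SITE_RULES = [
    r"(?i)/disconnect\.php$",                    # logout handler the generic rule misses
    r"(?i)/account/change-password\b",           # password form with no current-password check
    r"(?i)^https://app\.example\.com/login/?$",  # login page that ends all sessions; anchored so
                                                 # /account/login-history is not excluded with it
]

# Constructed sample of URLs, as the crawler might discover them.
SAMPLE_URLS = [
    "https://app.example.com/login",
    "https://app.example.com/logout",
    "https://app.example.com/Sign_Out?redirect=/",
    "https://app.example.com/disconnect.php",
    "https://app.example.com/account/change-password",
    "https://app.example.com/account/login-history",
    "https://app.example.com/catalog-outlet",
    "https://app.example.com/reports/checkout",
]

# What the operator expects the rule set to do.
MUST_EXCLUDE = SAMPLE_URLS[:5]   # session-killing pages
MUST_KEEP = SAMPLE_URLS[5:]      # ordinary pages that must stay in scope


def partition(urls, rules):
    """Split urls into {excluded_url: [matching patterns]} and [in-scope urls]."""
    compiled = [re.compile(r) for r in rules]
    excluded, in_scope = {}, []
    for url in urls:
        hits = [r.pattern for r in compiled if r.search(url)]
        if hits:
            excluded[url] = hits
        else:
            in_scope.append(url)
    return excluded, in_scope


def audit(urls, rules, must_exclude, must_keep):
    """Report session-killing pages the rules miss and ordinary pages they over-exclude."""
    excluded, in_scope = partition(urls, rules)
    return {
        "missed": [u for u in must_exclude if u in in_scope],
        "over_excluded": [u for u in must_keep if u in excluded],
        "excluded": excluded,
        "in_scope": in_scope,
    }


if __name__ == "__main__":
    for label, rule in (("broad", BROAD_LOGOUT_RULE), ("tight", TIGHT_LOGOUT_RULE)):
        result = audit(SAMPLE_URLS, [rule] + SITE_RULES, MUST_EXCLUDE, MUST_KEEP)
        print(f"[{label}] missed: {result['missed']}")
        print(f"[{label}] over-excluded: {result['over_excluded']}")
        for url, patterns in result["excluded"].items():
            print(f"  excluded {url}  <- {patterns}")
```

Running the script shows the caveat in practice: the broad keyword rule excludes /catalog-outlet because "log-out" happens to occur inside "catalog-outlet", while the tight rule excludes exactly the five session-killing pages and nothing else. Run an audit like this against the URL list from a previous crawl before starting the scan, and verify the final patterns in the Scope section of the New Scan screen, since the scanner, not this script, is what evaluates them.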

Excluding elements using the CSS selector

If the logout process relies on JavaScript, Invicti may not recognize the logout buttons. This method has become more common with the rise of Single Page Applications (SPAs).

Since there is no specific URL to exclude in this case, you can instead use a CSS selector to exclude the buttons or other HTML elements, identified by their content, that trigger the logout.

How to exclude HTML elements and their content with CSS selectors

You can exclude specific HTML elements and their exact content using:

  • element:contains("text")

NOTE:

  • Text matching is not case-sensitive.
  • Double quotes (") must be escaped with a backslash (\").

Example of a button:

<button class="my-button">Do not click</button>

  • Exclusion Pattern: button:contains("Do not click")

Example of an anchor:

<a href="/logout">Logout</a>

  • Exclusion Pattern: a:contains("Logout")

How to exclude buttons using the CSS selector

  1. Launch the Scan Policy Editor dialog.
  2. Click New or Clone (refer to Overview of Scan Policies).
  3. Click the JavaScript tab.
  4. In the Exclude by CSS Selector field, click the ellipsis (...) button. The Exclusion CSS Selector dialog is displayed.
  5. Use a CSS selector to define which element(s) should be excluded from the scan. If you need to use multiple selectors at once, separate them with commas.
  6. Click Select. You are returned to the Scan Policy Editor dialog.
  7. Click OK.
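To check which elements a selector list would exclude before committing it to the scan policy, the following Python script, added here as an example and not part of Invicti, applies element:contains("text") selectors to a constructed HTML fragment and lists the matching elements. It implements the rules stated above (case-insensitive matching, \" for a literal quote, comma-separated selectors) and assumes the match is a substring of the element's text content, as in the jQuery-style :contains syntax the notation resembles; whether the scanner requires the whole text to match is not stated on this page, so confirm the final selectors against the live site.

```python
import re
from html.parser import HTMLParser

# Elements that never have a closing tag, so they must not stay on the open-element stack.
VOID_TAGS = {"br", "img", "input", "hr", "meta", "link"}

# One selector: tag:contains("text"), where text may contain \" for a literal quote.
SELECTOR_RE = re.compile(r'\s*([a-zA-Z][\w-]*):contains\("((?:\\.|[^"\\])*)"\)\s*')


def parse_selectors(selector_list):
    """Turn 'a:contains("Logout"), button:contains("Sign out")' into [(tag, text), ...]."""
    rules, pos = [], 0
    while pos < len(selector_list):
        m = SELECTOR_RE.match(selector_list, pos)
        if not m:
            raise ValueError(f"unsupported selector at: {selector_list[pos:]!r}")
        tag, raw = m.group(1), m.group(2)
        rules.append((tag.lower(), raw.replace('\\"', '"')))
        pos = m.end()
        if pos < len(selector_list):
            if selector_list[pos] != ",":
                raise ValueError(f"expected ',' at: {selector_list[pos:]!r}")
            pos += 1
    return rules


class ElementCollector(HTMLParser):
    """Collects (tag, attrs, text content) for every element, including nested text."""

    def __init__(self):
        super().__init__()
        self.stack = []      # open elements: [tag, attrs, text parts]
        self.elements = []   # closed elements: (tag, attrs, text)

    def handle_starttag(self, tag, attrs):
        if tag not in VOID_TAGS:
            self.stack.append([tag, dict(attrs), []])

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:          # pop to the matching open tag
                while len(self.stack) > i:
                    t, a, parts = self.stack.pop()
                    self.elements.append((t, a, "".join(parts)))
                break

    def handle_data(self, data):
        for element in self.stack:               # text belongs to every open ancestor
            element[2].append(data)

    def close(self):
        super().close()
        while self.stack:                        # tolerate unclosed elements
            t, a, parts = self.stack.pop()
            self.elements.append((t, a, "".join(parts)))


def normalize(text):
    return " ".join(text.split()).lower()


def match_elements(html, selector_list):
    """Return [(tag, attrs, text)] for elements the selector list would exclude."""
    rules = [(tag, normalize(text)) for tag, text in parse_selectors(selector_list)]
    parser = ElementCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for tag, attrs, text in parser.elements:
        if any(tag == rtag and rtext in normalize(text) for rtag, rtext in rules):
            hits.append((tag, attrs, " ".join(text.split())))
    return hits


# Constructed page fragment: a JavaScript logout link with no logout URL, plus decoys.
SAMPLE_HTML = """
<nav>
  <a href="/account">My account</a>
  <a href="#" id="sign-out" onclick="app.endSession()">Log out</a>
</nav>
<main>
  <button class="my-button">Do not click</button>
  <button class="primary">Save</button>
  <p>Click <a href="/help/logout">here</a> to read about logging out safely.</p>
  <button data-action="session-end">Sign out of all devices</button>
</main>
"""

SELECTORS = 'a:contains("Log out"), button:contains("Do not click"), button:contains("sign out")'

if __name__ == "__main__":
    for tag, attrs, text in match_elements(SAMPLE_HTML, SELECTORS):
        print(f"would exclude <{tag} {attrs}> with text {text!r}")
```

The sample shows two points worth checking on a real page: the help link whose href contains "logout" is not excluded, because :contains matches the visible text ("here") rather than the URL, and the third selector excludes "Sign out of all devices" through a case-insensitive substring match. If the real site has a logout control with no distinctive text at all (an icon-only button), a text selector cannot target it and another attribute-based selector is needed.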