Logout Detection
During a scan, Invicti clicks all links and submits all forms. Sometimes, this means the session may be terminated (and therefore logged out) during an authenticated scan. However, after logging out, Invicti must continue to scan the entire website, including the areas usually only available to users after logging in.
Before starting a scan, you must verify form authentication by providing Invicti with information on which pages require logins.
In order to teach Invicti how to identify these pages, the Logout Detection feature is employed during authentication verification.
There are two types of logout detection patterns that Invicti automatically identifies:
- Redirect-based logout detection
- Keyword-based logout detection
Invicti can use either of these to determine the status of a session. However, in some cases, you may wish to configure them manually.
For further information, see Logout Problems.
Configuring Redirect-Based Logout Detection
Many websites redirect users back to the login form page when a restricted page is requested anonymously without a valid session. If your website does this, you must specify the URL to which users are redirected when they try to access a password-protected page without a valid session, and Invicti will detect a Redirect-based logout.
- To do this, Invicti makes an anonymous request to a login required URL and identifies a Redirect-based logout if an HTTP 30x redirect response is detected. Invicti simply uses the last URL that the form authentication simulation requested as the login required URL. (For example, the form authentication simulation may use a URL such as http://mysite.com/Dashboard/.)
- You can also use wildcards in the URL. For example, if your web application adds a random ID in the URL when accessing the login page, you can use the following URL with a wildcard:
https://www.example.com/login.aspx?path=*
How to Configure Redirect-Based Logout Detection in Invicti Enterprise
- Log in to Invicti Enterprise.
- From the main menu, go to Scans > New Scan > Form Authentication.
- Enable the Form Authentication checkbox.
- In the Login Form URL field, enter the URL:
- Select New Persona.
- Complete the Username and Password fields.
- Select Verify Login & Logout. The verification operation will start.
- When the process is complete, the Login Simulation/Login Detection sections will be displayed side by side and populated.
How to Configure Redirect-Based Logout Detection in Invicti Standard
- Open Invicti Standard.
- From the Home tab, select New. The Start a New Website or Web Service Scan dialog is displayed.
- From the Authentication section, select Form.
- Select the Enabled checkbox. The Form Authentication fields are enabled.
- In the Login Form URL field, enter the URL.
- In the Personas section, under Username, enter your username.
- In the Personas section, under Password, enter your password.
- Select Verify Login & Logout. The Verify Form Authentication process will start.
- When the process is complete, the Login Simulation/Logout Detection sections will be displayed side by side and populated.
- If required, click on the URL in the help blue help text box.
The Login Required URL field is displayed. Re-enter the URL, and select Detect logout using this URL. In most cases, you do not need to change the Login Required URL as Invicti successfully guesses it. But, in case it is wrong, you have the option to change it and redo the logout detection.
- In the blue help text box, click the Redirect Based link. The configuration is displayed.
- In the Verify Form Authentication, select OK.
Configuring Keyword-Based Logout Detection
Some websites do not issue a redirect when an anonymous request to a login required URL is sent, or when the identified login required URL displays a page that is very similar to the authenticated page. In such cases, Invicti will detect and use a Keyword-based logout. This type of logout detection identifies a logged out session by searching for specific keywords in the HTTP responses. Therefore, if all of the specified keywords are found in a response, Invicti determines that the session is currently logged out, or has been invalidated.
When using this method, the scanner will look for specific keywords in the HTTP responses. You can specify as many keywords as you want in this list. Invicti has to match them ALL in an HTTP response to confirm that a session has been terminated. You can also use regular expressions in the keywords. If you do, check the Is Regex? checkbox next to the keyword pattern.
How to Configure Keyword-Based Logout Detection in Invicti Enterprise
- Log in to Invicti Enterprise.
- Follow steps 2 to 9 in How to Configure Redirect-Based Logout Detection in Invicti Enterprise.
- Select New Keyword to specify as many keywords as required.
- Select OK if complete, or Reverify logout settings to configure again.
How to Configure Keyword-Based Logout Detection in Invicti Standard
- Open Invicti Standard.
- Follow steps 2 to 10 in How to Configure Redirect-Based Logout Detection in Invicti Standard.
- In the blue help text box, select the Redirect Based link. The configuration is displayed.
- Enable RegEx for those keywords required.
- In the Verify Form Authentication dialog, select OK.
Configuring Authentication for Non-Supported Login Forms
If you want to configure authentication for non-supported login forms, you can write and employ custom scripts to Invicti Enterprise.
For further information, see Custom Scripts for Form Authentication in Invicti Standard.