Logout Problems
Form Authentication settings enable you to scan the pages on your website that require user authentication. When Form Authentication is configured, Invicti tries to log in to the website before beginning the crawling and attacking phase. Then, if Invicti detects the session has ended, it will attempt to log in again during the scan.
- If you notice this happening repeatedly, it means that you have incorrectly configured the Form Authentication.
- If you do not fix the configuration, the scan can take significantly longer and may not progress properly.
In this article, we will talk about what causes this and how you can configure this correctly.
If you need to modify Invicti’s automatic authentication, please see Custom Scripts for Form Authentication.
Activity Panel in Invicti Standard
In Invicti Standard, you can view the login phase in the Activity Panel.
When the login process is successful, you will see a log similar to the following.
- If the logs list too many logged-in events during a scan, something is wrong: the scanner cannot retain a logged-in session.
- What is happening is that:
  - Invicti somehow logs out
  - Invicti is trying to re-login continuously, assuming that the session has ended
This topic explains how to analyze and solve these types of session problems.
Causes of Logout During Scanning
This section lists and explains the reasons why logout may happen during scanning. They include:
- Logout Buttons on the Website
- Pages That May Cause Logouts
- Change Password Pages
Logout Buttons on The Website
Invicti simulates the activities of the end user during a scan, navigating the pages on the site, filling out forms, and clicking on buttons. This includes logout buttons for terminating the session on the site.
In the Scope section of the New Scan screen, you can define the URLs you want to exclude. Invicti has a set of preset patterns in the Exclude URLs with RegEx section that exclude URLs containing words that may be related to logout.
Alternatively, you can select the Exclude Authentication Pages option so that Invicti excludes authentication-related web pages, such as login and logout, from the scan scope to prevent logging out during the scan.
The default RegEx covers various logout and sign-out expressions; still, it doesn’t cover pages such as disconnect.php. Therefore, Invicti will visit those URLs and log out unless you exclude them manually.
For further information, see How to Configure the Scan Scope in Invicti Standard.
Excluding Buttons Using the CSS Selector
If the logout process involves JavaScript, Invicti may not detect the logout buttons. This logout method has increased lately due to the popularity of Single Page Applications (SPA).
Since there isn’t a specific URL we can pinpoint here, we can use the CSS selector to exclude the buttons.
How to Exclude Buttons Using the CSS Selector in Invicti Enterprise
- From the main menu, click Scan Policies, then the policy you want to edit.
- Click the JavaScript tab.
- In the Exclude by CSS Selector field, use a CSS selector to define which element(s) should be excluded from the scan. All matched elements will be excluded with their children. To test this, please try your selector in Chrome using the document.querySelectorAll JavaScript function. Please note that if the selector is not very specific, i.e. many items match the selector at any time, it will negatively affect scan performance.
How to Exclude Buttons Using the CSS Selector in Invicti Standard
- Launch the Scan Policy Editor dialog.
- Click New or Clone. (See Overview of Scan Policies)
- Click the JavaScript tab.
- In the Exclude by CSS Selector field, click the ellipsis (…). The Exclusion CSS Selector dialog is displayed.
- Use a CSS selector to define which element(s) should be excluded from the scan. If you need to use multiple selectors at once, separate them with commas.
- Click Select. You are returned to the Scan Policy Editor dialog.
- Click OK.
Pages That May Cause Logouts
When Form Authentication is configured, Invicti will also attack it if the URL in which the login process takes place is in the Scope of the scan. Some websites end all existing sessions when the login page is called. If your site does this, you should exclude the login URL from the Scan Scope, to ensure Invicti does not visit the login page during the scan. However, in order to make sure that you do not miss anything on the login page, you can run a scan without setting Form Authentication.
For further information, see Form Authentication in Invicti Enterprise and Form Authentication in Invicti Standard.
Change Password Pages
Invicti simulates user behavior, so if your site has password forms, Invicti will try to fill in these forms with defined values and send them. Invicti will also attack these entry points.
It is usual behavior for the password change pages to ask for the current password as a matter of security. But if your site does not have such a structure, Invicti may change the password of the current user. The result of this is that Invicti is unable to log in again. If your site has such pages, it is useful to exclude relevant URLs before initiating the scan.
How Does Logout Detection Work?
Invicti uses two methods to determine whether a logout has occurred:
- Redirect-Based Logout Detection
- Keyword-Based Logout Detection
A third option is to disable the logout detection mechanism.
For further information, see Logout Detection.
Redirect Based Logout Detection
In order to detect the logout mechanism, Invicti makes a request to the login page without a logged-in session. If the page redirects Invicti to a different page, Invicti deduces that every time it encounters that redirected page, it has been logged out from the current session.
Sometimes, we need to adjust the Redirect URL Pattern manually. For example, if we send a request to dashboard.php without a session, we will be redirected to this URL:
/login.php?return_url=%2fdashboard.php
The site does this so that it can redirect the user to the page in the return_url parameter after logging in.
Let’s say that Invicti captures the login URL above, including this parameter, as the Redirect URL Pattern. Later, the session somehow ends when Invicti visits the contact.php page. In this instance, the site would redirect to this URL:
/login.php?return_url=%2fcontact.php
But this doesn’t match the Redirect URL Pattern Invicti caught before. This time Invicti will not realize that the logout took place, and the scan will end earlier than it should. To solve this problem, we need to update the Redirect URL Pattern using the wildcard character.
/login.php?return_url=*
This means that, whatever value the return_url parameter has, Invicti will successfully detect the logout.
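The following added example (not Invicti's own code) replays the two redirects above against the captured pattern and the wildcard pattern. It assumes that * matches any run of characters, that every other character is literal, and that matching ignores case; the host scan-target.example and the helper names are hypothetical.

```javascript
// Assumption: '*' is the only wildcard; '?' and '.' are literal characters.
// This sketches the matching described above, it is not Invicti's matcher.
function patternToRegExp(pattern) {
  const escaped = pattern
    .split('*')
    .map(part => part.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  // Case-insensitive so that %2f and %2F are treated alike (assumption).
  return new RegExp('^' + escaped + '$', 'i');
}

function isLogoutRedirect(pattern, status, location) {
  // Only a 3xx response that carries a Location header is a redirect.
  if (status < 300 || status > 399 || !location) return false;
  // Compare path + query so absolute and relative Location values behave alike.
  const url = new URL(location, 'http://scan-target.example');
  return patternToRegExp(pattern).test(url.pathname + url.search);
}

// Constructed responses: two session-expired redirects and one normal page.
const responses = [
  { status: 302, location: '/login.php?return_url=%2fdashboard.php' },
  { status: 302, location: '/login.php?return_url=%2fcontact.php' },
  { status: 200, location: null },
];

function detected(pattern) {
  return responses.map(r => isLogoutRedirect(pattern, r.status, r.location));
}

// The captured pattern misses the contact.php redirect; the wildcard catches both.
console.log(detected('/login.php?return_url=%2fdashboard.php'));
console.log(detected('/login.php?return_url=*'));
```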
Keyword-Based Logout Detection
Keyword-Based Logout Detection is a mechanism that determines whether a logout has occurred when it detects certain keywords in an HTTP response. These keywords must appear on the page shown after a logout, not on pages that can be accessed with a valid session.
Invicti will make suggestions to you automatically based on the patterns on the page, but you can also configure them manually.
You can also use regular expressions in the keywords. If you do, you must enable the Is Regex? option next to the keyword pattern.
We have to make sure that the keywords we define are found only on the logout page. If these words appear in the response for any other URL during scanning, Invicti will attempt to log in again, assuming that a logout has already happened. Instead of using generic keywords, you will get better results by using regular expressions.
For example, instead of specifying username as a keyword, we can specify a regular expression that provides a stricter match:
<input .*username.*>
The reason is that username is a generic keyword, so it can be on any other page. This causes Invicti to log in again, even if there is no logout.
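One way to check a keyword pattern before a scan is to run it over saved responses from both session states. The added example below (not Invicti's code) does this for the plain keyword and the regular expression above; the sample bodies are constructed, the helper names are hypothetical, and case-insensitive matching is an assumption.

```javascript
// Constructed sample bodies; in practice, save real responses from the target.
const samples = [
  { name: 'login.php (logged out)', loggedOut: true,
    body: '<form action="/login.php"><input type="text" name="username">' +
          '<input type="password" name="password"></form>' },
  { name: 'profile.php (logged in)', loggedOut: false,
    body: '<h1>Profile</h1><p>Your username is shown on invoices.</p>' },
  { name: 'app.js (logged in)', loggedOut: false,
    body: 'function greet(u) { return "Hello " + u.username; }' },
];

// Treat the pattern as a plain keyword, or as a regex when "Is Regex?" is on.
function matches(pattern, isRegex, body) {
  return isRegex
    ? new RegExp(pattern, 'i').test(body)
    : body.toLowerCase().includes(pattern.toLowerCase());
}

// A pattern is usable only if it hits every logged-out sample
// and none of the logged-in ones.
function evaluatePattern(pattern, isRegex) {
  const falsePositives = [];
  const missed = [];
  for (const s of samples) {
    const hit = matches(pattern, isRegex, s.body);
    if (hit && !s.loggedOut) falsePositives.push(s.name);
    if (!hit && s.loggedOut) missed.push(s.name);
  }
  const usable = falsePositives.length === 0 && missed.length === 0;
  return { usable, falsePositives, missed };
}

// The generic keyword also fires on the profile page and the script file.
console.log(evaluatePattern('username', false));
// The stricter expression only fires on the login form.
console.log(evaluatePattern('<input .*username.*>', true));
```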
If your keyword patterns match the .js and .css files, and you experience a logout problem, you can exclude the URLs that contain these files. When you exclude .js and .css files, Invicti will continue to request these files to make the site fully functional, but it will not detect a logout from them.
We recommend that you use the Redirect Based Logout Detection method if your site has a Redirect Based structure because it is difficult to make sure that the keywords you may use are not already on the pages that are logged in.
If none of these logout detection methods fit the structure on your website or cause problems, you can disable logout detection by selecting None. Also, make sure that the pages that could cause logout are excluded because, otherwise, Invicti will continue operating even if the session ends.
Logout problems interfere with efficient security scanning. They can extend scan time and make scan results less accurate. If you are experiencing logout problems, the solutions provided here should help to ensure Invicti retains the logged-in session prior to crawling and scanning. This will reduce your scan time and ensure that the website is scanned properly. But if you are still experiencing logout problems, we recommend submitting a ticket through our Help Center.