
Session detection

This document is for:
Invicti Platform

Session detection is the final step in the configuration of the Login Sequence Recorder (LSR) which is used for complex form-based authentication.

To access the LSR, follow these steps:

  1. Select Inventory > Targets from the left-side menu.
  2. Click () > Edit target by the target where you want to use the LSR.
  3. Click Authentication and select Login Sequence Recorder in the drop-down.
  4. Create or upload a new login sequence. For an existing file, click the edit icon to open it.

For more information about recording a new sequence, refer to the Record a login sequence document.



A valid session pattern is vital for a successful scan, since it is what allows the scanner to determine whether it is still authenticated.

During a scan, the session detection request is sent continuously. When the check succeeds, the scanner continues; when it fails, the scanner replays the steps recorded in the LSR, authenticates itself again, and resumes the scan from where it left off. It is therefore vital that session detection is configured correctly.

This document explains how to confirm if the session detection is configured correctly and what to do if LSR fails to identify a session pattern.

Session detection

The session detection is made up of the following:

  • Session validation request.
  • Session validation pattern.

Session validation request

This is the HTTP request the Login Sequence Recorder sends; its response is checked against the pattern. For example:

GET http://testphp.vulnweb.com/userinfo.php HTTP/1.1

Session validation pattern

This is the pattern to match the response of the above request. For example, if the above request only responds with an HTTP 200 OK status code when you’re logged in, we can set the validation pattern to: Session VALID IF status code is 200.



In most cases during the configuration of the LSR, a valid Session Pattern is automatically identified when advancing to the Session Detection step.

Detect session validity

Invicti will try to use the requests sent during the login stage to determine a valid session detection request. Sometimes the requests sent during login are not enough to determine the session detection request automatically. In these cases, the LSR prompts you when no session pattern is found.

Detect while navigating

Should a valid pattern not be found, select the option to Detect while navigating. With this option selected, navigate to pages/paths which are accessible only through an authenticated session, for example a user profile page. Keep navigating to similar pages until a valid session pattern is identified.

You can verify the session pattern by clicking Check Pattern at the top of the right-hand-side panel.

Invalid Session Patterns occur when the LSR cannot identify a difference between the responses received for a chosen session detection request. For example, a request to http://testphp.vulnweb.com/index.php will always return a status code of 200 and contain the same response body, irrespective of whether it is authenticated or not. This makes the pattern invalid. For such cases, use the Detect while navigating option and navigate to a page only accessible when authenticated.

Pattern verification failed

A common cause for an unsuccessful session pattern is a Session ID or Session Token (or any other value which is not static) sent with the request. For example:

GET http://testphp.vulnweb.com/userinfo.php?SESSIONID=ABAD1D HTTP/1.1

Session IDs or tokens normally expire after a period of time. Since the LSR is played back after a period of time during a scan, the session ID in this request will most likely have expired. In this case the application will respond with the same response, both when logged in and not. This will result in a status code of 404 Not Found as this URL no longer exists.
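The following is an added example, not Invicti's code, that models the two checks described on this page: whether a validation pattern actually separates the authenticated response from the unauthenticated one (the Session validation pattern section), and whether the validation request carries a volatile value such as a session ID that would expire before replay (this section). The responses and the list of parameter names treated as volatile are constructed assumptions.

```python
"""Model the LSR session-detection check offline (added example, not Invicti's code)."""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Assumed list of query parameter names that usually carry per-login values.
VOLATILE_PARAMS = {"sessionid", "session", "token", "sid", "phpsessid", "jsessionid"}


@dataclass
class Response:
    status: int
    body: str


@dataclass
class Pattern:
    """Equivalent of 'Session VALID IF status code is <status>' with optional body text."""
    status: int
    body_contains: str = ""

    def matches(self, resp: Response) -> bool:
        return resp.status == self.status and self.body_contains in resp.body


def volatile_params(request_line: str) -> list[str]:
    """Return query parameters in an HTTP request line that look like session tokens."""
    url = request_line.split()[1]  # "GET <url> HTTP/1.1" -> <url>
    query = parse_qs(urlparse(url).query)
    return sorted(p for p in query if p.lower() in VOLATILE_PARAMS)


def check_pattern(pattern: Pattern, authed: Response, unauthed: Response) -> tuple[bool, str]:
    """A pattern is valid only if it matches the authenticated response and not the anonymous one."""
    if not pattern.matches(authed):
        return False, "pattern does not match the authenticated response"
    if pattern.matches(unauthed):
        return False, "pattern also matches the unauthenticated response (invalid pattern)"
    return True, "pattern distinguishes the two responses"


if __name__ == "__main__":
    # Constructed responses: userinfo.php redirects anonymous users, index.php is identical for both.
    userinfo_ok, userinfo_anon = Response(200, "Welcome back"), Response(302, "")
    index_same = Response(200, "Home page")
    print(check_pattern(Pattern(200), userinfo_ok, userinfo_anon))
    print(check_pattern(Pattern(200), index_same, index_same))
    print(volatile_params("GET http://testphp.vulnweb.com/userinfo.php?SESSIONID=ABAD1D HTTP/1.1"))
```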

For more information on the session pattern failure troubleshooting, refer to the LSR advanced troubleshooting document.

Submit a ticket to our Help Center should you require assistance establishing a pattern.
