Overview of the Standalone LSR with internal agents
The Invicti standalone Login Sequence Recorder (LSR) allows you to record login sequences and business logic flows (BLR) for use with internal agents. This is especially useful when scanning internal targets that require authentication or involve multi-step user interactions.
Why use the standalone LSR?
You must use the standalone LSR (rather than the one built into the Invicti UI) when scanning internal targets with internal agents, particularly if those targets:
- Are password-protected
- Contain login mechanisms
- Require complex user input workflows
What is an LSR?
A Login Sequence Recorder (LSR) captures and replays login actions so the scanner can access restricted areas of a web application.
During crawling and scanning, an LSR allows the scanner to:
- Access form-based, password-protected areas
- Replay login steps to authenticate
- Restrict session-invalidating actions (e.g., logout links)
LSR restrictions should only be used to prevent session invalidation. To exclude specific paths from scanning, use the target’s path restriction settings. For more information, refer to the crawling options section of configuring targets.
What is a BLR?
A Business Logic Recorder (BLR) captures custom input sequences beyond basic login to help the scanner interact with complex application flows.
A BLR allows you to:
- Define multiple input paths for multi-step forms or application workflows
- Create sequences that meet specific conditions to access otherwise unreachable areas of the app
Recording an LSR or BLR for an internal target
When scanning internal targets with login or business logic workflows, use the Invicti standalone LSR. Internal agents do not support the in-UI LSR/BLR functionality.
To use the LSR, start by installing it:
Already installed? Start by recording a login sequence.