Many web applications employ authentication mechanisms to enhance user security. Invicti supports these mechanisms using its Interactive Login feature. Once you check the Interactive Login checkbox during the authentication process, a browser window allows you to enter the necessary data.
These are some scenarios in which you can use the Interactive login feature:
- The website requires a CAPTCHA (to be solved during authentication or to access a particular area)
- The website requires you to enter a dynamic token value like a 2FA PIN during authentication
- You are unable to configure Invicti to complete the login form and want to manually perform authentication
You can also mix and match the Interactive login functionality with automatic login capability and custom scripting support. For example, you might have a website that requires you to enter a regular username and password on the first page, and a 2FA PIN on the second page. In such a case, you can configure the credentials and enable the Interactive login option. Invicti will first submit the regular login form details, and then will prompt you with the interactive login browser, allowing you to enter the 2FA PIN.
How to Configure CAPTCHA, One Time Tokens and Two Factor Authentication Mechanisms
- Open Invicti Standard.
- From the Home tab, click New. The Start a New Website or Web Service Scan dialog is displayed.
- Select the Form tab.
- In the Form Authentication section, enable the Enabled checkbox.
- In the Login Form URL field, enter the URL.
- In the Personas field:
- Enable the Active option
- Enter the Username and Password
- Enable the Interactive login (Check this for OTP, CAPTCHA, etc.) checkbox.
- Click Verify Login & Logout to confirm that the login settings are correct.
- After login, click Click here to continue to complete this step and begin detecting logout detection.
- After verification, click Start Scan.
- Once Invicti logs in, enter the 2FA and continue to scan.