Interactive Logins in Invicti Standard

This document is for:
Invicti Standard

Many web applications employ authentication mechanisms to enhance user security. Invicti supports these mechanisms using its Interactive Login feature. Once you check the Interactive Login checkbox during the authentication process, a browser window allows you to enter the necessary data.

These are some scenarios in which you can use the Interactive login feature:

  • The website requires a CAPTCHA (to be solved during authentication or to access a particular area)
  • The website requires you to enter a dynamic token value like a 2FA PIN during authentication
  • You are unable to configure Invicti to complete the login form and want to manually perform authentication

You can also mix and match the Interactive login functionality with automatic login capability and custom scripting support. For example, you might have a website that requires you to enter a regular username and password on the first page, and a 2FA PIN on the second page.

In such a case, you can configure the credentials and enable the Interactive login option. Invicti will first submit the regular login form details, and then will prompt you with the interactive login browser, allowing you to enter the 2FA PIN.

How to Configure CAPTCHA, One-Time Tokens, and Two-factor Authentication Mechanisms

  1. Open Invicti Standard.
  2. From the Home tab, select New.
  3. From the Start a New Website or Web Service Scan dialog, select Form.
  4. In the Form Authentication section, select Enabled.
  5. In the Login Form URL field, enter the URL.
  6. In the Personas field:
    • Enable the Active option
    • Enter the Username and Password
  7. Select Interactive login (Check this for CAPTCHA).
  8. Select Verify Login & Logout to confirm that the login settings are correct.
  9. After login, click "Click here to continue" to complete this step and begin logout detection.
  10. After verification, select Start Scan.
  11. Once Invicti logs in, enter the 2FA PIN and continue the scan.