Login Page Identifier
The Login Page Identifier is a security check that detects all login pages.
Invicti crawls and attacks your website to discover all vulnerable points. To do that, it tries to find and follow all URLs in your website to populate the Sitemap. Thanks to this procedure, Invicti is also able to detect all login pages on your website. This feature is particularly useful if you find it difficult to keep track of a large number of websites.
This security check can be configured by increasing or decreasing the weight of variables, such as the password input, and by adding new keywords.
During the scan, Invicti analyses each page for the keywords that are specified in the Scan Policy and calculates the weights that are attributed to different variables. If the total result exceeds the threshold value of 75, Invicti reports this webpage as a login page.
The login page is reported in both the Sitemap and the Issues panel as an Information Alert.
The Login Page Identifier check is enabled by default.
For further information, see Scan Policy Fields, Security Checks, Configuring and Verifying Form Authentication in Invicti Enterprise, and Configuring Form Authentication in Invicti Standard.
Login Page Identifier Fields
This table describes the fields in the Login Page Identifier panel.
Field | Description
--- | ---
Weight of the Login Keyword in Form Element | This is the weight for the expected HTML element. This weight is added to the total weight if attributes of the form include any login keyword listed below. The default weight is 30.
Weight of the Login Keyword in Window Location | This is the weight for the window location. This weight is added to the total weight if the location’s pathname or fragment part contains a login keyword listed below. The default weight is 25.
Login Form Weight Threshold | This is the minimum weight to identify login forms. If the total weight is equal to or greater than the threshold value, Invicti reports a Login Page Identified issue. The default threshold value is 75.
Login Keywords | These are keywords to search for within forms and window locations.
Weight of the Password Input | This is the weight for the password input. This weight is added to the total weight when a single password input is found. The default weight is 30.
Weight of the Remember Me Input | This is the weight for the Remember Me checkbox input. This weight is added to the total weight when a checkbox is found whose name, className, or id contains the ‘remember’ keyword. The default weight is 30.
Weight of Submit Button | This is the weight for the Submit button. This weight is added to the total weight when Invicti finds a submit button in the form. The default weight is 15.
Input Type Names for Username | This is the keyword to use to detect username input. Any input with the given type is considered to be username input.
Weight of Username Input | This is the weight for the username input. This weight is added to the total weight when an input is found matching the username criteria. The default weight is 15.
Username Keywords | This is the keyword to be searched for in the username input.
A weight of 0 means that the element will be skipped during analysis.
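The scoring described above can be sketched as follows. This is an added example, not Invicti's code: the weights and threshold are the defaults from the table, while the keyword lists, username input types, matching rules and sample pages are assumptions. It uses the table's "equal to or greater than" comparison and scores the whole page as one form.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Defaults from the table above; a weight of 0 makes the signal be skipped.
WEIGHTS = {"form_keyword": 30, "location": 25, "password": 30,
           "remember": 30, "submit": 15, "username": 15}
THRESHOLD = 75
# Assumed values: the page does not list the default keywords or input types.
LOGIN_KEYWORDS = ("login", "signin", "logon")
USERNAME_KEYWORDS, USERNAME_TYPES = ("user", "email"), ("text", "email")

class FormSignals(HTMLParser):
    """Records which scored signals occur in a page's markup."""
    def __init__(self):
        super().__init__()
        self.found, self.passwords = set(), 0
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        ident = " ".join(a.get(k, "") for k in ("name", "id", "class"))
        kind = a.get("type", {"input": "text", "button": "submit"}.get(tag, ""))
        if tag == "form" and any(k in v for v in a.values() for k in LOGIN_KEYWORDS):
            self.found.add("form_keyword")
        elif tag == "input" and kind == "password":
            self.passwords += 1
        elif tag == "input" and kind == "checkbox" and "remember" in ident:
            self.found.add("remember")
        elif tag in ("input", "button") and kind == "submit":
            self.found.add("submit")
        elif tag == "input" and kind in USERNAME_TYPES and any(k in ident for k in USERNAME_KEYWORDS):
            self.found.add("username")

def score_page(url, html, weights=WEIGHTS, threshold=THRESHOLD):
    """Return (total weight, reported as login page, matched signals)."""
    parser = FormSignals()
    parser.feed(html)
    if parser.passwords == 1:  # "a single password": two fields suggest sign-up
        parser.found.add("password")
    loc = urlsplit(url)
    if any(k in (loc.path + "#" + loc.fragment).lower() for k in LOGIN_KEYWORDS):
        parser.found.add("location")
    matched = sorted(s for s in parser.found if weights.get(s, 0) > 0)
    total = sum(weights[s] for s in matched)
    return total, total >= threshold, matched

# Constructed sample pages (not taken from any real site).
LOGIN_HTML = ('<form action="/session" id="login-form"><input name="username">'
              '<input type="password" name="pw"><button>Go</button></form>')
SIGNUP_HTML = ('<form action="/register"><input type="email" name="email"><input type="submit">'
               '<input type="password" name="pw"><input type="password" name="pw2"></form>')
```

Calling score_page with a modified weights dictionary shows how tuning the policy changes which pages end up in the login page inventory.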
How to Configure the Login Page Identifier Security Check in Invicti Enterprise
- Log in to Invicti Enterprise.
- From the main menu, go to Policies > New Scan Policy > Security Checks.
- Select the Login Page Identifier checkbox.
- If required, configure the settings as outlined in the table.
- Select Save.
How to Configure the Login Page Identifier Security Check in Invicti Standard
- Open Invicti Standard.
- From the Home tab, click Scan Policy Editor. The Scan Policy Editor dialog is displayed.
- From the Security Checks tab, select the Login Page Identifier checkbox.
- Configure the security check settings as required or use the default ones.
- Select OK.
- When this security check identifies the vulnerability, it will be displayed in the report like this.