To run authenticated scans, you must first verify the configuration. This process confirms that Invicti is able to authenticate using the configuration information and can detect the difference between a logged-in and a logged-out session.
You can verify the form authentication configuration either while configuring it or before starting a scan. If verification has not been completed before you start a scan, Invicti prompts you to conduct it. Verifying the logout detection pattern is crucial because Invicti tries to detect this pattern during the scan. When the pattern is matched, Invicti tries to re-authenticate automatically to the website before proceeding with any other crawling or attacking requests, ensuring the password-protected section is completely scanned.
For further information, see Logout Problems.
How to Verify the Form Authentication Configuration by Simulating the Login and Detecting the Logout Pattern
- Open Invicti Standard.
- From the Home tab, click New. The Start a New Website or Web Service Scan dialog is displayed.
- Select the Form tab. The Form Authentication section is displayed.
- Select the Enabled checkbox.
- In the Login Form URL field, enter the URL.
- In the Username field, enter the username.
- In the Password field, enter the password. Use the Show/Hide Password button if required.
- Click Verify Login & Logout. The Verify Form Authentication dialog is displayed.
- Click OK.
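
The following is an added example, not Invicti code and not part of the original documentation: a Python check for trying a candidate logout detection pattern against saved responses before relying on it in a scan. The sample responses, the `/account/login` path, and treating the pattern as a case-insensitive regex matched against the redirect target and body are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Response:
    """Minimal stand-in for an HTTP response captured from the target site."""
    status: int
    location: str  # Location header value, empty string if none
    body: str

def is_logged_out(resp, pattern):
    """True if the logout pattern matches the redirect target or the body."""
    return bool(pattern.search(resp.location) or pattern.search(resp.body))

def evaluate_pattern(regex, logged_in, logged_out):
    """Return (false_positives, false_negatives) for a candidate pattern.

    false positive: an authenticated response flagged as logged out
                    (would cause needless re-authentication)
    false negative: a logged-out response the pattern misses
                    (scanning would continue without a valid session)
    """
    pattern = re.compile(regex, re.IGNORECASE)
    fp = [r for r in logged_in if is_logged_out(r, pattern)]
    fn = [r for r in logged_out if not is_logged_out(r, pattern)]
    return fp, fn

# Constructed sample responses (hypothetical application).
LOGGED_IN = [
    Response(200, "", "<h1>Dashboard</h1><p>Last login: yesterday</p>"
                      "<a href='/logout'>Sign out</a>"),
    Response(200, "", "<h1>Orders</h1><a href='/logout'>Sign out</a>"),
]
LOGGED_OUT = [
    Response(302, "/account/login?returnUrl=%2Forders", ""),
    Response(200, "", "<form action='/account/login' method='post'>"
                      "<input name='password' type='password'></form>"),
]

if __name__ == "__main__":
    # Too broad, body-only, and a pattern that covers both logged-out forms.
    for candidate in (r"login", r"type='password'", r"/account/login"):
        fp, fn = evaluate_pattern(candidate, LOGGED_IN, LOGGED_OUT)
        print(f"{candidate!r}: {len(fp)} false positive(s), "
              f"{len(fn)} false negative(s)")
```

A pattern is only worth using when both lists come back empty: the broad `login` pattern matches the authenticated dashboard, and the body-only pattern misses the redirect to the login page.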