Session Detection is the final step in the configuration of the Login Sequence Recorder (LSR). A valid Session Pattern is vital for a successful scan, because it is what lets the scanner identify whether it is authenticated or not.
During a scan, the session detection request is sent continuously. When successful, the scanner will progress; if unsuccessful, the scanner will replay the recorded steps in the LSR, authenticate itself, and keep running the scan from where it left off. It is therefore vital that session detection is configured correctly.
The session pattern is made of the following:
- Session Validation Request: This is the HTTP request the Login Sequence Recorder will send, against which to check the pattern. For example:
GET http://testphp.vulnweb.com/userinfo.php HTTP/1.1
- Session Validation Pattern: This is the pattern to match the response of the above request. For example, if the above request only responds with an HTTP 200 OK status code when you’re logged in, we can set the validation pattern to:
VALID IF - status code is 200
In most cases during the configuration of the LSR, a valid Session Pattern is automatically identified when advancing to the Session Detection step.
What shall I do if the LSR failed to identify a session pattern?
Acunetix will try to use the requests sent during the login stage to determine a valid session detection request. Sometimes, the requests sent to login are not enough to detect the session detection request automatically. In these cases the LSR will prompt you if a session pattern is not found.
Should a valid pattern not be found, select the option to Detect while navigating. With this option selected, navigate to pages/paths which are accessible only through an authenticated session, for example a user profile page. Keep navigating to similar pages until a valid session pattern is identified.
You can verify the session pattern by clicking Check Pattern at the top of the right-hand-side panel.
Invalid Session Patterns occur when the LSR cannot identify a difference between the responses received for a chosen session detection request. For example a request to http://testphp.vulnweb.com/index.php will always return a status code of 200 and contain the same response body, irrespective of whether it is authenticated or not. This would make this pattern invalid.
A common cause for an unsuccessful session pattern is a Session ID or Session Token (or any other value which is not static) sent with the request. For example:
GET http://testphp.vulnweb.com/userinfo.php?SESSIONID=ABAD1D HTTP/1.1
Session IDs or tokens normally expire after a period of time. Since the LSR is played back some time into a scan, the session ID captured in this request would most likely have expired by then. In this case the application returns the same response whether the scanner is logged in or not: a status code of 404 Not Found, as this URL no longer exists.
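The following is an added example, not Acunetix code: a small model of the session-detection logic described above. It shows how a VALID IF pattern is checked, why a pattern that cannot tell the logged-in response from the logged-out one (index.php, or a URL carrying an expired session ID) must fail Check Pattern, and how the scanner uses the pattern mid-scan. All responses are constructed.

```python
# Added example (not Acunetix's own code): a model of LSR session detection.
# Every Response below is constructed to illustrate the cases in the text.
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Response:
    status: int
    body: str


@dataclass
class SessionPattern:
    """'VALID IF' rule: an expected status code and/or a regex on the body."""
    status_code: Optional[int] = None
    body_regex: Optional[str] = None

    def matches(self, resp: Response) -> bool:
        if self.status_code is not None and resp.status != self.status_code:
            return False
        if self.body_regex is not None and not re.search(self.body_regex, resp.body):
            return False
        return True


def pattern_is_valid(p: SessionPattern, authed: Response, unauthed: Response) -> bool:
    """A usable pattern matches the logged-in response and NOT the logged-out one.
    If both responses look the same to the pattern, Check Pattern must fail."""
    return p.matches(authed) and not p.matches(unauthed)


def session_still_valid(p: SessionPattern, resp: Response) -> bool:
    """Mid-scan decision: True -> keep scanning; False -> replay the login steps."""
    return p.matches(resp)


# Constructed responses for the three cases discussed in the text.
USERINFO_IN = Response(200, "<h2>Welcome, test</h2>")   # GET /userinfo.php while logged in
USERINFO_OUT = Response(302, "")                        # same URL logged out: redirect to login
INDEX_IN = Response(200, "<h1>Home</h1>")               # GET /index.php: identical either way
INDEX_OUT = Response(200, "<h1>Home</h1>")
TOKEN_URL_IN = Response(404, "Not Found")               # /userinfo.php?SESSIONID=... after expiry
TOKEN_URL_OUT = Response(404, "Not Found")

STATUS_200 = SessionPattern(status_code=200)
WELCOME_BODY = SessionPattern(status_code=200, body_regex=r"Welcome, \w+")
```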
To confirm whether the Session Pattern used is valid, you can save the LSR file and open it in the Acunetix Login Sequence Editor (found in the Start Menu).
Play back the actions required to log in and navigate to the Session Detection pane. You can verify the session pattern again by clicking “Check Pattern” at the top of the right-hand-side panel. If there were any token/session based issues, a new token/session would be generated when playing back the login actions and the pattern check would fail.
Contact our support team at firstname.lastname@example.org should you require assistance establishing a pattern.
*** This is a Security Bloggers Network syndicated blog from Web Security Blog – Acunetix authored by Bernhard Abele. Read the original post at: http://feedproxy.google.com/~r/acunetixwebapplicationsecurityblog/~3/qznWB5jHJ6k/