
Invicti Standard – Logout detection – Configuration

This document is for:
Invicti Standard

During a scan, Invicti follows all links and submits forms, which can sometimes result in session termination and logout during an authenticated scan. However, even after logging out, Invicti must continue scanning the entire website, including sections that are typically restricted to logged-in users.

Note: Before starting a scan, you need to confirm form authentication by providing Invicti with details about the pages that require login.

This document provides instructions on how to configure both redirect-based and keyword-based logout detection.

If you encounter any issues during logout detection, refer to our Logout detection issues documentation.

How to configure a logout detection

  • In Invicti Standard, select New from the home tab
  • Select Form from the Authentication section
  • Select the Enabled checkbox
  • Enter the Login Form URL
  • In the Personas section, enter username and password
  • Select Verify login & logout to start the verification process
  • When the process is complete, the Login Simulation and Logout Detection sections are displayed side by side

There are three options for logout detection. Continue with your preferred option:

A. Redirect-based logout detection

B. Keyword-based logout detection

C. None - no logout detection will be used - select None for the Detection type

For forms that Invicti does not support, refer to the Authentication for unsupported forms document to configure custom scripts for form authentication.

How to configure redirect-based logout detection

  • In the blue box, you have the option to amend the following:
    1. Login Required URL
    2. Detection type
    3. Redirect URL pattern
  • Click the highlighted text in the blue box (1), and in the pop-up enable the Redirect Based checkbox (2)
  • Verify the Login Required URL and the Redirect URL Pattern by clicking the links in the blue box
  • Click the highlighted text (1) and in the pop-up select Detect logout using this URL (2). This verifies the logout detection.
  • Click OK to save the logout detection configuration

How to configure keyword-based logout detection

  • In the blue box, you have the option to amend the following:
    1. Login Required URL
    2. Detection type
    3. Keywords
  • Click the highlighted text in the blue box (1), and in the pop-up enable the Keyword Based checkbox (2). Enter as many keywords as needed. Invicti must match all keywords in an HTTP response to confirm session termination. To use regular expressions, check the "Is Regex?" box next to the keyword pattern. The keywords will then appear in the blue box.
  • Click the highlighted text (1) and in the pop-up verify the Login Required URL (2), and click Detect logout using this URL (3).
  • Click OK to save the authentication configuration
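
The following is an added sketch, not Invicti's code and not part of the original page, of the matching rules described above, for checking candidate keywords against saved responses before entering them in the dialog. Case-sensitive substring matching, regex search on the Location header, the sample HTML and all names are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass
class Keyword:
    pattern: str
    is_regex: bool = False  # mirrors the "Is Regex?" checkbox

def keyword_logout(body: str, keywords: list[Keyword]) -> bool:
    """True only if every configured keyword is found in the response body."""
    if not keywords:
        return False  # nothing configured: never report a logout
    for kw in keywords:
        # Assumption: plain keywords are case-sensitive substrings.
        found = re.search(kw.pattern, body) if kw.is_regex else kw.pattern in body
        if not found:
            return False
    return True

def redirect_logout(status: int, location: str | None, redirect_pattern: str) -> bool:
    """True if the response is a redirect whose Location matches the pattern."""
    return status in (301, 302, 303, 307, 308) and bool(
        location and re.search(redirect_pattern, location))

# Constructed sample responses for a hypothetical Login Required URL.
LOGGED_IN = "<h1>My account</h1><a href='/logout'>Sign out</a>"
LOGGED_OUT = "<h1>Sign in</h1><form action='/login'><input name='password'></form>"
SESSION_EXPIRED = "<p>Your session expired.</p><a href='/login'>Sign in</a>"

# Two keywords, both required; the second one is a regular expression.
GOOD = [Keyword("Sign in"), Keyword(r"name=['\"]password['\"]", is_regex=True)]
# Too broad: "Sign" also occurs in "Sign out" on authenticated pages.
TOO_BROAD = [Keyword("Sign")]

def evaluate(keywords: list[Keyword]) -> dict[str, bool]:
    """Run one keyword set against all three constructed responses."""
    samples = [("logged_in", LOGGED_IN), ("logged_out", LOGGED_OUT),
               ("expired", SESSION_EXPIRED)]
    return {name: keyword_logout(body, keywords) for name, body in samples}

if __name__ == "__main__":
    print("good:     ", evaluate(GOOD))
    print("too broad:", evaluate(TOO_BROAD))
    print("redirect: ", redirect_logout(302, "/login?ReturnUrl=%2Faccount", r"/login"))
```

Because all keywords must match, the GOOD set misses the constructed session-expired page that lacks a password field, while the TOO_BROAD set flags the logged-in page as a logout. Choose keywords that appear on every logged-out response and on no authenticated one.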
