To scan an application effectively behind its login pages, the scanner must know how to log in, and also know when its session is no longer valid so that it can reauthenticate. Some sites make it obvious when you have been logged out; many others give no signal that an automated client can easily recognise.
Snyk API & Web has an intelligent mechanism that looks for the login-page selectors after logging in to determine whether the session has been lost. However, when the site only puts a message on the screen, shows a button to log back in, or otherwise behaves in a way that automatic detection cannot handle, you can configure logout detection explicitly to tell Snyk API & Web that it has been logged out and no longer has a valid session with the application.
This article describes how you can configure logout detection in your Web and API targets. The configuration involves the following steps:
Access your target settings.
Configure the logout detectors.
Step 1: Access your target settings
Log in to your Snyk API & Web account and access the Targets list. From this page, locate the target you want to configure and click on the cogwheel icon that appears next to it to access its settings. You will be redirected to the Target Settings > Authentication page.
Step 2: Configure the logout detectors
Scroll down in the Target Settings > Authentication page until you see the Logout detection module. Here, the configuration depends on the type of target:
Web targets
For Web targets, define a URL that is only accessible when you are logged in to the application, and one or more detectors that only match when you are logged out. Detectors can be text, CSS selectors, or URL redirects.
After adding multiple detectors, you can choose whether the target is considered logged out when any of the detectors match or only when all of them do. Prefer a detector that cannot appear on a logged-in page (a redirect to the login URL, or the login form's own CSS selector) over generic text such as "Sign in", which may also appear in a logged-in page's footer or navigation.
OpenAPI targets
For OpenAPI targets, define a URL that is only accessible when you are logged in to the API, the HTTP method (GET, POST, PATCH, or PUT), the Authentication Media Type and Payload (if the method is not GET), and one or more detectors that only match when you are logged out. Detectors can be a status code, text, or a header.
After adding multiple detectors, you can choose whether the target is considered logged out when any of the detectors match or only when all of them do.
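The following is an added example (not Snyk's code) that models how the Web and OpenAPI detectors described above can be evaluated against an HTTP response, including the "any" versus "all" combination. The detector kinds follow the page (text, CSS selector, and URL redirect for Web targets; status code, text, and header for OpenAPI targets); the field names (`type`, `value`, `name`, `finalUrl`, `match`), the minimal CSS-selector matcher, and all sample responses are assumptions constructed for this example and do not reflect how Snyk API & Web is implemented.

```javascript
// Added example, not Snyk's code: evaluate logout detectors against a response.
// Detector kinds: text, css, redirect (Web) and status, text, header (OpenAPI).
// `match` is "any" or "all". Field names are assumptions for this example.

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Very small CSS-selector stand-in for the demo: supports "#id", ".class"
// and a bare tag name via regex. A real scanner would parse the DOM.
function cssSelectorPresent(html, selector) {
  if (selector.startsWith('#')) {
    return new RegExp(`\\sid=["']${escapeRe(selector.slice(1))}["']`, 'i').test(html);
  }
  if (selector.startsWith('.')) {
    return new RegExp(`\\sclass=["'][^"']*\\b${escapeRe(selector.slice(1))}\\b`, 'i').test(html);
  }
  return new RegExp(`<${escapeRe(selector)}[\\s>/]`, 'i').test(html);
}

function matchDetector(detector, response) {
  switch (detector.type) {
    case 'status':
      return response.status === detector.value;
    case 'text':
      return response.body.includes(detector.value);
    case 'header': {
      // Header names are case-insensitive; `value` is optional (presence only).
      const actual = response.headers[detector.name.toLowerCase()];
      if (actual === undefined) return false;
      return detector.value === undefined || actual.includes(detector.value);
    }
    case 'redirect':
      // Compare against the URL the client ended up on after following redirects.
      return response.finalUrl.startsWith(detector.value);
    case 'css':
      return cssSelectorPresent(response.body, detector.value);
    default:
      throw new Error(`unknown detector type: ${detector.type}`);
  }
}

function isLoggedOut(config, response) {
  const hits = config.detectors.map((d) => matchDetector(d, response));
  return config.match === 'all' ? hits.every(Boolean) : hits.some(Boolean);
}

// Constructed sample responses (not captured from any real site).
const loggedInPage = {
  status: 200,
  headers: { 'content-type': 'text/html' },
  finalUrl: 'https://app.example.com/dashboard',
  body: '<html><body><h1>Dashboard</h1><a href="/logout">Sign out</a>' +
        '<p>Not you? <a href="/login?switch=1">Sign in</a> as someone else</p></body></html>',
};
const loggedOutPage = {
  status: 200,
  headers: { 'content-type': 'text/html' },
  finalUrl: 'https://app.example.com/login?next=%2Fdashboard',
  body: '<html><body><form id="login-form" action="/login"><p>Sign in to continue</p></form></body></html>',
};
const apiLoggedIn = {
  status: 200,
  headers: { 'content-type': 'application/json' },
  finalUrl: 'https://api.example.com/v1/me',
  body: '{"id":42}',
};
const apiLoggedOut = {
  status: 401,
  headers: { 'content-type': 'application/json', 'www-authenticate': 'Bearer realm="api"' },
  finalUrl: 'https://api.example.com/v1/me',
  body: '{"error":"unauthorized"}',
};

// Web target: redirect to the login URL AND the login form must both be present.
const webConfig = {
  match: 'all',
  detectors: [
    { type: 'redirect', value: 'https://app.example.com/login' },
    { type: 'css', value: '#login-form' },
  ],
};
// Weak configuration: generic text also appears on the logged-in dashboard.
const textOnlyConfig = { match: 'any', detectors: [{ type: 'text', value: 'Sign in' }] };
// OpenAPI target: any of status 401, a WWW-Authenticate header, or the error body.
const apiConfig = {
  match: 'any',
  detectors: [
    { type: 'status', value: 401 },
    { type: 'header', name: 'WWW-Authenticate' },
    { type: 'text', value: '"error":"unauthorized"' },
  ],
};

console.log('web/all  logged-in :', isLoggedOut(webConfig, loggedInPage));   // false
console.log('web/all  logged-out:', isLoggedOut(webConfig, loggedOutPage));  // true
console.log('text/any logged-in :', isLoggedOut(textOnlyConfig, loggedInPage)); // true (false positive)
console.log('api/any  logged-in :', isLoggedOut(apiConfig, apiLoggedIn));    // false
console.log('api/any  logged-out:', isLoggedOut(apiConfig, apiLoggedOut));   // true
```

The text-only configuration reports the logged-in dashboard as logged out because the generic "Sign in" string also appears there, which would make the scanner reauthenticate needlessly on every page; combining a redirect detector with the login form's selector under "all" avoids that. For an API, a specific status code such as 401 is usually the cleanest signal, and adding a header or body-text detector under "all" helps when the API returns the same status for other errors.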
Postman targets
For Postman targets, you only need to select the folder of the uploaded collection (schema file) that contains the requests used for logout detection.
Make sure the required endpoint(s) in that folder include a test script; for example, it could be something like this:
// Postman test assertion: passes when the response status is 200
pm.test("Status code is 200", function () {
    pm.response.to.have.status(200);
});
Regardless of the target type, once you save the Logout detection configuration, Snyk API & Web takes it into account when scanning your target.
