Burp Suite User Forum


Ability to run scans against sites with Azure AD authentication

Sergei | Last updated: Sep 29, 2022 10:10AM UTC

Dear support team, our company has some internal sites with Azure AD authentication. Is there any ability to scan these sites? How can we provide credentials for Azure AD authentication during the Burp Suite scan?

Hannah, PortSwigger Agent | Last updated: Sep 29, 2022 12:10PM UTC

Hi, could you describe your login flow in some more detail, please? Have you had a look at our recorded login functionality? You can find our documentation for this feature here: https://portswigger.net/burp/documentation/desktop/scanning/recorded-logins

Sergei | Last updated: Sep 29, 2022 01:50PM UTC

Hello Hannah, we utilize AWS Application Load Balancer (ALB) with Azure AD OIDC authentication (e.g. https://towardsaws.com/aws-application-load-balancer-with-azure-ad-oidc-authentication-5547cdb1ddb5). AWS ALB uses Azure AD to authenticate users before they can access the target behind the ALB rule.

Hannah, PortSwigger Agent | Last updated: Sep 30, 2022 01:31PM UTC

Hi, when you get redirected from your site for authentication, are you then required to sign in with your credentials, or does it include a further step, like having to enter an OTP or respond to a push notification on your phone?

pippo | Last updated: Nov 17, 2023 09:42AM UTC

Hi, I have a similar problem in providing credentials for Azure AD authentication during the Burp Suite scan. When I use proxy mode with "Intercept is On", I get the response from the Azure AD authentication page, but I can't see the authentication form in my browser (I see a white page). Did you fix the original problem in any way?

Hannah, PortSwigger Agent | Last updated: Nov 17, 2023 10:15AM UTC

Hi, if your page is not loading when intercept is enabled, it is likely that the request has been stalled by Burp. You may need to forward the request present in your "Proxy > Intercept" tab, or disable intercept when you don't need its functionality.
