Burp Suite User Forum


Account lock out

Nishma | Last updated: Sep 12, 2016 04:01PM UTC

When I initiate an automatic scan in Burp, the application account/login page gets locked out. Please let me know the solution.

Burp User | Last updated: Sep 12, 2016 04:08PM UTC

When I initiate an automatic scan in Burp, the application session gets timed out, but in Burp Suite the scan runs in the background. Please let me know if I can consider this a valid result, or whether I need to ask the developer to extend the session timeout.

PortSwigger Agent | Last updated: Sep 13, 2016 07:58AM UTC

If you perform a scan of the login request, it is fairly common for this to trigger account lockout in the account identified in the username parameter. You might need to resort to manually testing the login function to avoid this happening, or throttle the scan requests so severely that the account is unlocked again before the next request (run the scan overnight).

If you perform a scan of an authenticated function, and your session becomes invalid, this is normally due to the application actively terminating sessions in response to your actions, rather than a session timeout issue, since Burp is making requests continuously. You should avoid scanning application functions that explicitly cause loss of session (e.g. the logout function), and if necessary you should configure some session handling rules to monitor the status of your session and recover it when it becomes invalid. See the session handling documentation for more details: https://portswigger.net/burp/help/options_sessions.html
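The two behaviours the reply describes (lockout after repeated failed logins, and a session that dies because the scan hit an endpoint such as logout) can be reproduced against a small in-memory stand-in for the target application. The following is an added example, not Burp's own session-handling code and not code from this thread: `FakeApp`, `SessionHandler`, `run_scan` and the credentials and paths in it are all constructed for illustration. It shows the shape of a "check session is valid" rule (a redirect to the login page means the session is gone), a login macro that recovers the session, and an exclusion list that keeps scan traffic away from the logout function.

```python
"""
Simulated session-handling rule: monitor session validity, recover it when the
application invalidates it, and keep scan traffic away from endpoints that
terminate sessions. The in-memory app, names and credentials below are
constructed for this example; none of it is Burp's own implementation.
"""
import secrets
from dataclasses import dataclass, field

LOGIN_PATH = "/login"
LOGOUT_PATH = "/logout"


@dataclass
class Response:
    status: int
    location: str = ""
    body: str = ""


@dataclass
class FakeApp:
    """Stand-in web application with server-side sessions and account lockout."""
    valid_user: str = "tester"
    valid_pass: str = "correct horse"        # constructed credential
    lockout_threshold: int = 3
    sessions: set = field(default_factory=set)
    failed_logins: int = 0
    locked: bool = False
    hits: list = field(default_factory=list)

    def login(self, user, password):
        if self.locked:
            return Response(403, body="account locked")
        if user == self.valid_user and password == self.valid_pass:
            self.failed_logins = 0
            token = secrets.token_hex(8)
            self.sessions.add(token)
            return Response(200, body=token)
        self.failed_logins += 1
        if self.failed_logins >= self.lockout_threshold:
            self.locked = True              # what scanning the login form triggers
        return Response(401, body="bad credentials")

    def get(self, path, token):
        self.hits.append(path)
        if token not in self.sessions:
            return Response(302, location=LOGIN_PATH)
        if path == LOGOUT_PATH:
            self.sessions.discard(token)    # application actively ends the session
            return Response(302, location=LOGIN_PATH)
        return Response(200, body=f"content of {path}")


def session_is_valid(resp):
    """Validity check in the style of a 'check session is valid' rule:
    a redirect to the login page means the session has been invalidated."""
    return not (resp.status == 302 and resp.location == LOGIN_PATH)


class SessionHandler:
    """Wraps requests: if a response shows the session is invalid, re-run the
    login macro and replay the request once. Excluded paths are never sent."""

    def __init__(self, app, user, password, excluded=(LOGIN_PATH, LOGOUT_PATH)):
        self.app, self.user, self.password = app, user, password
        self.excluded = set(excluded)
        self.token = None
        self.recoveries = 0
        self.skipped = []

    def login_macro(self):
        resp = self.app.login(self.user, self.password)
        if resp.status != 200:
            raise RuntimeError(f"login macro failed: {resp.body}")
        self.token = resp.body

    def request(self, path):
        if path in self.excluded:
            self.skipped.append(path)
            return None
        if self.token is None:
            self.login_macro()
        resp = self.app.get(path, self.token)
        if not session_is_valid(resp):
            self.recoveries += 1
            self.login_macro()
            resp = self.app.get(path, self.token)
        return resp


def run_scan(paths, exclude_logout=True):
    """Replay a list of scan targets through the handler; returns per-path
    status, how many session recoveries were needed, and which paths were skipped."""
    app = FakeApp()
    excluded = (LOGIN_PATH, LOGOUT_PATH) if exclude_logout else (LOGIN_PATH,)
    handler = SessionHandler(app, "tester", "correct horse", excluded)
    results = {}
    for p in paths:
        r = handler.request(p)
        results[p] = r.status if r else "skipped"
    return results, handler.recoveries, handler.skipped
```

Running `run_scan` with `exclude_logout=False` shows the symptom from the thread: every request after `/logout` comes back as a redirect to login until the macro recovers the session, so the scan keeps running but each recovery costs an extra login. With the logout path excluded the scan completes with no recoveries at all, which is the cheaper fix the reply recommends. Three wrong passwords against `FakeApp.login` flip `locked` to `True`, after which even the correct credential is refused; that is why the reply suggests testing the login request manually rather than letting a scanner drive it.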
