Burp Suite User Forum


ASP.NET forms authentication login redirect

Scott | Last updated: Aug 02, 2015 03:58PM UTC

Can Burp Suite support a login redirect where the login page is not within the scope? I have a /Employee and a /Customer area within my ASP.NET MVC application. For ease of development, the login URL in Web.config is /Customer/Account/Login. For our scanning requirements I would like to be able to use Carbonator and point it to /Employee/Home, which is a landing page with links out to all the other parts of the /Employee area. Burp starts up, tries to hit the /Employee/Home page, sees the redirect to /Customer/Account/LogIn and stops there. Presumably this is because the /Customer area is not within the scope. Even when I have added it to the scope, it seems to ignore the fact that it was redirected there to serve the /Employee/Home request, and instead just begins attacking the /Customer/Account/Login URL. Am I missing anything? I have configured the login username and password in scanner options to the correct information. Thanks.

PortSwigger Agent | Last updated: Aug 10, 2015 10:48AM UTC

Since Carbonator performs a simple crawl+scan against everything in your target scope, you will need to include in that scope the separate login URL, as you have now done. It sounds like the problem is that Carbonator is not actually logging in to the application via the login URL. You mention that you have configured some credentials in the Scanner options. The most robust way to handle logins is to use Burp's session handling rules. You can create a rule that (a) checks whether your session is valid, and if not (b) runs a macro to recover your session. If you get this configured correctly, then Burp should automatically log in at the start of the scan, and recover your session if it is lost during the scan. Details of using session handling rules are here: https://portswigger.net/burp/help/options_sessions.html
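The session-validity check in step (a) above boils down to recognising ASP.NET forms authentication bouncing an unauthenticated request to the Web.config loginUrl. The following is an added example, not code from this thread or from Burp, that models that check over constructed responses: it treats a redirect whose Location path equals the login page (case-insensitively, since IIS paths are not case-sensitive, hence the thread's LogIn/Login mix) as a lost session, and recovers the in-scope page that forms auth stashed in ReturnUrl. The login path and sample responses are assumptions.

```python
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Assumed loginUrl from Web.config, as described in the question.
LOGIN_PATH = "/Customer/Account/Login"


def _location(headers: Dict[str, str]) -> Optional[str]:
    """Header names are case-insensitive; return the Location value if present."""
    return next((v for k, v in headers.items() if k.lower() == "location"), None)


def is_login_redirect(status: int, headers: Dict[str, str],
                      login_path: str = LOGIN_PATH) -> bool:
    """True when the response is forms auth redirecting to the login page.

    Forms auth answers an unauthenticated request with a 302 to
    loginUrl?ReturnUrl=<encoded original URL>. Location may be absolute or
    site-relative, so compare only the path, ignoring case and a trailing slash.
    """
    if status not in (301, 302, 303, 307, 308):
        return False
    location = _location(headers)
    if not location:
        return False
    path = urlsplit(location).path.rstrip("/").lower()
    return path == login_path.rstrip("/").lower()


def return_url(headers: Dict[str, str]) -> Optional[str]:
    """The original in-scope URL that forms auth placed in ReturnUrl, decoded."""
    location = _location(headers)
    if not location:
        return None
    query = parse_qs(urlsplit(location).query)
    for key, values in query.items():
        if key.lower() == "returnurl" and values:
            return values[0]
    return None


def session_is_valid(status: int, headers: Dict[str, str]) -> bool:
    """The rule's check: a session is invalid exactly when we were sent to log in."""
    return not is_login_redirect(status, headers)


# Constructed sample responses (not captured from any real application).
BOUNCED = (302, {"Location": "/Customer/Account/LogIn?ReturnUrl=%2FEmployee%2FHome"})
LANDING = (200, {"Content-Type": "text/html; charset=utf-8"})
OTHER_REDIRECT = (302, {"Location": "/Employee/Dashboard"})
```

Run as a session check, `BOUNCED` marks the session invalid and yields `/Employee/Home` as the page to return to after the login macro, while `LANDING` and `OTHER_REDIRECT` are left alone.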
