Authenticated scan and unauthenticated scan in one project file

afs | Last updated: Oct 03, 2019 02:55AM UTC

We need to scan www.zzz.com (unauthenticated scan) and www.zzz.com/abc (authenticated scan). I'm given credentials for www.zzz.com/abc. In User options / Platform authentication I configured user credentials with basic authentication for www.zzz.com (host), but after the scan the dashboard shows an unauthenticated scan. So how do I do an authenticated scan for /abc and an unauthenticated scan for www.zzz.com in one project file? Thanks.

Liam, PortSwigger Agent | Last updated: Oct 03, 2019 10:10AM UTC

Can I just confirm that you want to authenticate by using login credentials on the web application itself? If this is the case, you would need to create two separate scans under the same project file. The authenticated scan would be configured with the supplied credentials added under the Application login section of the New scan wizard. These credentials are then submitted to any login functions present so that authenticated content is discovered. For the second, unauthenticated scan, you would leave the Application login details empty so that the credentials are not used to log in and the scan is carried out in an unauthenticated manner. The following link provides some more details about the Application login functionality: https://portswigger.net/burp/documentation/desktop/scanning/scan-launcher#application-login-options
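The same two-scan setup, driven from a script instead of the New scan wizard. This is an added example, not PortSwigger's code and not part of the original answer. It assumes Burp Suite Professional's REST API is enabled on http://127.0.0.1:1337 with no API key (User options > Misc > REST API), that the request body follows the `/v0.1/scan` schema as served by Burp's own API documentation page at that address (`urls`, `scope`, `application_logins`), and that the application credentials are supplied through the environment variables `BURP_SCAN_USER` and `BURP_SCAN_PASS`. The only difference between the two requests is whether `application_logins` is present; the scope keeps the authenticated scan inside /abc.

```python
"""Launch one unauthenticated and one authenticated Burp scan into the
same project via the Burp REST API.  Added example; not PortSwigger code.

Assumptions (not from the original post):
  * REST API enabled at http://127.0.0.1:1337, no API key.
  * Body field names follow Burp's /v0.1/scan schema; check the API docs
    your own Burp serves at the root of the REST API URL if they differ.
  * Credentials come from BURP_SCAN_USER / BURP_SCAN_PASS, never hard-coded.
"""
import json
import os
import urllib.request

API_BASE = "http://127.0.0.1:1337/v0.1"  # assumed; adjust to your instance


def build_scan_request(urls, include_prefixes, exclude_prefixes=(),
                       username=None, password=None):
    """Return the JSON body for POST /v0.1/scan.

    Leaving out ``application_logins`` gives an unauthenticated scan, exactly
    like leaving the Application login section of the wizard empty.  When
    both a username and a password are given, Burp submits them to any login
    form it discovers inside the scope.
    """
    body = {
        "urls": list(urls),
        "scope": {
            "include": [{"rule": p} for p in include_prefixes],
            "exclude": [{"rule": p} for p in exclude_prefixes],
        },
    }
    if username is not None and password is not None:
        body["application_logins"] = [
            {
                # "type" is the field name in current Burp REST API schemas
                # (assumed); older releases accepted username/password only.
                "type": "UsernameAndPasswordLogin",
                "username": username,
                "password": password,
            }
        ]
    return body


def launch_scan(body, api_base=API_BASE):
    """POST the body to Burp.  Burp answers 201 Created and puts the new
    task's URL in the Location header, which is returned here."""
    req = urllib.request.Request(
        f"{api_base}/scan",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:  # network call; not run offline
        return resp.headers.get("Location")


if __name__ == "__main__":
    user = os.environ["BURP_SCAN_USER"]
    password = os.environ["BURP_SCAN_PASS"]

    # Scan 1: whole host, no credentials -> shows as unauthenticated.
    unauth = build_scan_request(
        urls=["https://www.zzz.com/"],
        include_prefixes=["https://www.zzz.com/"],
    )
    # Scan 2: only /abc, with credentials -> shows as authenticated.
    auth = build_scan_request(
        urls=["https://www.zzz.com/abc/"],
        include_prefixes=["https://www.zzz.com/abc/"],
        username=user,
        password=password,
    )
    for label, body in (("unauthenticated", unauth), ("authenticated", auth)):
        print(f"{label} scan task: {launch_scan(body)}")
```

Both tasks appear in the Dashboard of whatever project the running Burp instance has open, so the authenticated /abc scan and the unauthenticated host scan end up in one project file, as the answer describes.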

