Burp Suite User Forum


authent scan with client ssl

afs | Last updated: Oct 02, 2019 01:43AM UTC

I need to do an authenticated scan for a website. I configured credentials in User options; is that enough? Do I need to configure session handling rules? Do I need to configure the browser to use Burp's root certificate? Do I need to configure the scan configuration to use the credentials? Do I need to configure client SSL in User options?

Liam, PortSwigger Agent | Last updated: Oct 02, 2019 01:18PM UTC

The configuration of a credentialed scan is largely down to the individual web application and how it behaves. The information below should help you decide what functionality is required to carry out your testing tasks.

You can provide platform level authentication (e.g. NTLM) under User options -> Connections -> Platform Authentication.

Burp 2 is now configured to automatically work with any session handling mechanism that browsers are able to deal with. There is no longer any need to configure session handling rules telling Burp how to obtain a session or verify that the current session is valid.

You should always install Burp's CA Certificate in order to make testing HTTPS applications more efficient. The details to carry out the installation are in the following link: https://support.portswigger.net/customer/en/portal/articles/1783075-installing-burp-s-ca-certificate-in-your-browser

Credentials configured in the Application login section of the Scan Launcher will be submitted to any login functions discovered.

The Client SSL option allows you to authenticate using a specific SSL certificate that will be presented to a destination host when requested. This would only be required if the destination host has been configured to authenticate using SSL certificates, so it does not always need to be used. You can find more information about how Burp works with SSL in the following link: https://portswigger.net/burp/documentation/desktop/options/ssl
