Burp Suite User Forum

Create new post

Authenticated Active Scan using Session

Richard | Last updated: May 15, 2024 05:36PM UTC

Hi, I have a question about the BurpSuite Pro active scanner. When in the repeater tab, I have the option to right click on a request and select "Active Scan", which subsequently kicks off an active scan in the dashboard panel. My question is: Will this active scan yield the same results as if I had started an active scan directly from the dashboards page using predefined login credentials / scripts? In other words, will the active scan from I launch from repeater run in the same session as I'm testing in and therefore have access to authenticated endpoints? Thanks!

Ben, PortSwigger Agent | Last updated: May 16, 2024 08:22AM UTC

Hi Richard, When you perform an active scan within Burp you are taking the base request and then simply applying auditing payloads to it. Burp does not know where it is in the site or how it has reached that particular location. Any session/cookie information that are included in the request will be reused when the auditing requests are applied (this may be an issue if the sessions are no longer valid etc). When you mention running an active scan from the Dashboard, are you actually referring to using the New scan -> Webapp scan -> Crawl and audit functionality or something different? If so, this is a different mode of operation but please confirm and we can provide you the differences involved in comparison to the active scan.

Richard | Last updated: May 16, 2024 04:18PM UTC

Hi, to clarify what I meant was exactly that, Dashboard -> Web app Scan -> crawl and audit. Thanks for clarifying the above much appreciated.

Ben, PortSwigger Agent | Last updated: May 17, 2024 08:39AM UTC

Hi Richard, With a full crawl and audit scan, Burp will first crawl the target site and identify locations in the same manner as a human user (by clicking links, submitting forms etc) before then auditing the discovered locations for vulnerabilities. In this mode, Burp Scanner is actively mapping out the target site itself rather than using pre-existing requests that have been generated from other tools within Burp. In this mode, Burp is aware of how it reached a location within a site and will rewalk paths in order to map out the structure of the site and to retain state (Burp will utilise supplied credentials or a recorded login to log back in to the target site in order to make sure it still has a session). A full crawl and audit is a more versatile way of scanning a site whereas an active scan tends to be useful for quickly identifying vulnerabilities on a small subset of locations. There is more information about how both the crawling and auditing side of things work in Burp Scanner on the pages below: https://portswigger.net/burp/documentation/scanner/crawling https://portswigger.net/burp/documentation/scanner/auditing Please let us know if you require any further information about this.

Richard | Last updated: May 17, 2024 01:15PM UTC

Thanks that makes sense, I'm currently working on finding some work arounds to get MFA working with my authentication scripts, currently I have a web app running on my local machine which generates TOTP tokens. When recording my script, I am able to navigate to my web page, copy the token and place it into the MFA form field on the target site. I don't think this is a reliable way of authenticating using 2FA however, since the script will just use the value I copied during the recording sequence and not the currently valid token? I am aware that other scanners such as OWASP ZAP have the ability to assign elements from web pages to variables which can later be used in an authentication flow, but unfortunately ZAP doesn't have the same versatility as BurpSuite. Are there plans to add support for this in the future out of interested?

Syed, PortSwigger Agent | Last updated: May 20, 2024 07:49AM UTC

Hi Richard,

Thank you for explaining your usecase. As you must be aware, Burp does not support web apps with MFA enabled and as of now there is no active work going on supporting MFA. We released a spring update for some of the features that we are working on or will work in the future, which be found here: https://portswigger.net/blog/burp-suite-enterprise-edition-spring-update-2024

One of the features is MFA support for Burp Suite Enterprise Edition. I understand that you are using the Pro version, however, I wanted to share this to let you know that there is MFA work planned for BSEE that may also help with Burp Pro but it's not something we will be releasing anytime soon.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.