Burp Suite User Forum


Authenticated Scanning

Rajesh | Last updated: Nov 10, 2017 09:25AM UTC

Hi, I'm a security engineer and want to do an authenticated scan on my organization's websites. I already have a test account to perform the scan. We usually do scans and pen testing on the websites to find the vulnerabilities without any credentials. I want to perform the scan with credentials to make sure my websites are safe. Can anyone please help me on this? Thanks in advance. -- Rajesh

Liam, PortSwigger Agent | Last updated: Nov 10, 2017 09:28AM UTC

Burp's session handling rules can be used to ensure you remain logged in to your application during testing: https://support.portswigger.net/customer/en/portal/articles/2363088-configuring-burp-s-session-handling-rules

Burp User | Last updated: Nov 10, 2017 11:13AM UTC

Thanks Liam. The websites that I want to scan don't have a session handling mechanism. Is the provided link still useful? -- Rajesh

PortSwigger Agent | Last updated: Nov 10, 2017 11:31AM UTC

Hi Rajesh, for platform authentication (e.g. HTTP basic, NTLM) put the credentials in User options > Connections > Platform Authentication. For a simple forms login you can put the credentials in Spider > Options > Application Login. The Spider is fairly basic, however, so this won't always work; in that case you will need to configure session handling rules, as Liam suggests. Please let us know if you need any further assistance.
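As an added illustration (an editor's example, not Burp's own code and not something posted in this thread), the script below models what the session handling rule described above actually does during an authenticated scan: a "session is invalid" check that recognises the application bouncing the scanner to its login page, a login macro that replays the form login with the test account and harvests the fresh session cookie, and a retry of the original request. The target application, the test account, the cookie name and the paths are all constructed stand-ins; the last helper shows what the Platform Authentication setting contributes for HTTP basic.

```python
import base64
import secrets
from dataclasses import dataclass, field

# ---- constructed stand-in for the target site (not a real application) ----
CREDENTIALS = {"scanner": "test-account-password"}  # constructed test account
SESSIONS = {}  # server-side session store: session id -> username


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def parse_cookie_header(value):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}


def app(req):
    """Form-login app: POST /login issues a session cookie; every other path requires one."""
    if req.method == "POST" and req.path == "/login":
        if CREDENTIALS.get(req.body.get("user")) == req.body.get("pass"):
            sid = secrets.token_hex(16)
            SESSIONS[sid] = req.body["user"]
            return Response(302, {"Location": "/", "Set-Cookie": f"session={sid}; HttpOnly"})
        return Response(401, body="bad credentials")
    sid = parse_cookie_header(req.headers.get("Cookie", "")).get("session")
    if sid not in SESSIONS:
        # Logged-out behaviour the scanner must recognise: redirect to the login page
        return Response(302, {"Location": "/login"})
    return Response(200, body=f"hello {SESSIONS[sid]}")


# ---- scanner side: what a session handling rule with a login macro does ----
class SessionHandler:
    def __init__(self, username, password):
        self.username, self.password = username, password
        self.cookies = {}       # the scanner's cookie jar
        self.macro_runs = 0     # how often the login macro had to run

    def session_invalid(self, resp):
        """Session-invalid indicator: the app bounced us to its login page."""
        return resp.status == 302 and resp.headers.get("Location") == "/login"

    def login_macro(self):
        """Replay the recorded login request and harvest the new session cookie."""
        self.macro_runs += 1
        resp = app(Request("POST", "/login", body={"user": self.username, "pass": self.password}))
        if resp.status != 302 or "Set-Cookie" not in resp.headers:
            raise RuntimeError("login macro failed; check the test account")
        name, value = resp.headers["Set-Cookie"].split(";")[0].split("=", 1)
        self.cookies[name] = value

    def send(self, req):
        """Issue a scan request; if the session has died, log in again once and retry."""
        resp = app(self._with_cookies(req))
        if self.session_invalid(resp):
            self.login_macro()
            resp = app(self._with_cookies(req))
        return resp

    def _with_cookies(self, req):
        req.headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.cookies.items())
        return req


def platform_auth_header(username, password):
    """What Platform Authentication adds for HTTP basic: an Authorization header."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def demo():
    """Three scan requests: the first logs in, the second reuses the session,
    the third survives the app expiring the session mid-scan."""
    handler = SessionHandler("scanner", "test-account-password")
    first = handler.send(Request("GET", "/account"))
    second = handler.send(Request("GET", "/account"))
    SESSIONS.clear()  # simulate the application killing the scanner's session
    third = handler.send(Request("GET", "/account"))
    return [first.status, second.status, third.status], handler.macro_runs


if __name__ == "__main__":
    print(demo())  # ([200, 200, 200], 2)
```

The part worth getting right when configuring the real rule is the `session_invalid` check: it has to match only the logged-out response (here the redirect to the login page), otherwise the macro either never fires and the scan silently runs unauthenticated, or fires on every request and hammers the login form with the test account.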

Burp User | Last updated: Nov 14, 2017 09:17AM UTC

Thanks for the support. Now, I got a clear picture of the scan.
