Burp Suite User Forum


Authenticated vulnerability scans

Lanza, | Last updated: Aug 24, 2023 11:07AM UTC

Hi, my question regards authenticated vulnerability scans. Can you please confirm whether navigating to the website through the proxy browser, authenticating manually, and then starting a scan on that website (without defining authentication credentials in the scan settings) is enough to ensure that Burp takes advantage of the already authenticated session to conduct the scan? Thank you, Fabio

Dominyque, PortSwigger Agent | Last updated: Aug 24, 2023 02:22PM UTC

Hi Fabio, thank you for your question. The authenticated scans will not work in this way. You would need to set the Application login when setting up the scan. Here, you will either use login credentials or add a recorded login sequence. Please see our documentation for further clarification: https://portswigger.net/burp/documentation/scanner/authenticated-scanning

Lanza, | Last updated: Aug 25, 2023 10:57AM UTC

Hi Dominyque, thank you for the answer. I was able to set up the credentials in the scan configuration. However, how can I know that the authentication was successful during the scan? Is there a way to check it? Thanks.

Dominyque, PortSwigger Agent | Last updated: Aug 25, 2023 12:14PM UTC

Hi Fabio, you can test if a recorded sequence works by following these steps:

1) Go to the scan launcher and open the application login settings. Select "Use recorded login sequences".
2) Either upload a new recorded login sequence or load an existing one from your configuration library.
3) Select the login sequence that you want to test and click the "Replay" button. Burp's browser will open.
4) In the browser, you should see Burp automatically navigate to the target website and begin performing the login sequence that you recorded. This all happens fairly quickly. You should avoid any manual interaction with the browser while it is replaying the sequence, as this could interfere with the test.
5) When Burp finishes replaying the recording, it will pause on the final page for several seconds before closing the browser window. This should be long enough for you to see where the login sequence stopped. If everything works correctly, this will be the page that you normally see after successfully logging in. Otherwise, it may provide clues as to which stage of the process is causing problems.

Additionally, the Event Log (with the debug filter enabled) will display any error messages; these would be problems the authenticated scan encounters. I hope this information is helpful!

Lanza, | Last updated: Aug 25, 2023 12:58PM UTC

For the option "Use login credentials", is there a log where it says that authentication was successful? Or only the failed attempts are displayed? Thanks.

Dominyque, PortSwigger Agent | Last updated: Aug 25, 2023 01:04PM UTC

Hi Fabio, if login is unsuccessful, you will see this error message in the Event Log. You can also click into the scan and watch the Live crawling to see if the authentication has worked.
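The thread above relies on watching the Event Log and the live crawl to judge whether a scan stayed logged in. As an added example (not Burp's own code, and not from either poster), the following script shows a complementary check you can run over responses captured from the scan: it classifies each response as still authenticated or as evidence of a lost session (401/403, redirect to the login page, or an HTML page showing a password form with no logged-in marker). The sample responses are constructed inline; the login paths, the `href="/logout"` marker and the `example.test` host are assumptions for a hypothetical application and must be adapted to the target you are scanning.

```python
"""Classify captured HTTP responses to confirm a scan kept its authenticated session.

Added example, not Burp's own code. The sample responses below are constructed,
and the login-state indicators are assumptions for a hypothetical application.
"""
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlparse

# Assumed indicators of login state for the hypothetical application.
LOGIN_PATHS = ("/login", "/signin")
LOGGED_IN_MARKERS = ('href="/logout"', "sign out")
REDIRECT_CODES = (301, 302, 303, 307, 308)


@dataclass
class Response:
    """Minimal view of one captured response (e.g. exported from a proxy history)."""
    url: str
    status: int
    content_type: str = ""
    location: Optional[str] = None
    body: str = ""


def is_login_page(url: str) -> bool:
    """True if the URL path is one of the assumed login pages."""
    return urlparse(url).path.lower().startswith(LOGIN_PATHS)


def looks_unauthenticated(resp: Response) -> bool:
    """Return True when a response suggests the scanner's session was not logged in."""
    if is_login_page(resp.url):
        return False  # requests to the login page itself are expected during a scan
    if resp.status in (401, 403):
        return True
    if resp.status in REDIRECT_CODES and resp.location and is_login_page(resp.location):
        return True  # bounced back to the login form: session cookie was not accepted
    if resp.status == 200 and resp.content_type.startswith("text/html"):
        body = resp.body.lower()
        has_login_form = 'type="password"' in body
        has_logged_in_marker = any(m in body for m in LOGGED_IN_MARKERS)
        if has_login_form and not has_logged_in_marker:
            return True  # login form rendered in place of protected content
    return False


def session_report(responses: Iterable[Response]) -> dict:
    """Summarise how many responses were checked and which ones show a lost session."""
    total = checked = 0
    lost = []
    for resp in responses:
        total += 1
        if is_login_page(resp.url):
            continue
        checked += 1
        if looks_unauthenticated(resp):
            lost.append(resp.url)
    return {"total": total, "checked": checked, "lost": lost, "authenticated": not lost}


# Constructed sample: one login page, one authenticated page, two signs of a lost
# session, and one static asset that carries no login-state information.
SAMPLE = [
    Response("https://example.test/login", 200, "text/html",
             body='<form><input type="password" name="pw"></form>'),
    Response("https://example.test/account", 200, "text/html",
             body='<nav><a href="/logout">Sign out</a></nav><h1>Account</h1>'),
    Response("https://example.test/orders", 302, "text/html",
             location="https://example.test/login?next=/orders"),
    Response("https://example.test/api/me", 401, "application/json",
             body='{"error": "unauthorized"}'),
    Response("https://example.test/static/app.js", 200, "application/javascript",
             body="console.log('ok');"),
]

if __name__ == "__main__":
    report = session_report(SAMPLE)
    print(f"checked {report['checked']} of {report['total']} responses")
    for url in report["lost"]:
        print(f"session appears lost at: {url}")
    print("authenticated throughout" if report["authenticated"] else "authentication lost")
```

Feed it the responses from the scan's own traffic rather than from your manual browsing: the point of the check is that the scanner's requests, not yours, carried a valid session. A first lost-session URL that appears early in the capture usually points at the login step itself, while one that appears after many authenticated responses points at a session timeout or an action during the crawl that logged the session out.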
