Burp Suite User Forum

Login to post

Burp 2: Application Login - 2nd authentication step

Andrej | Last updated: Sep 03, 2018 07:30AM UTC

The New Login Credentials accept username and password. Would it be possible to introduce an optional 2nd authentication step, like PIN (with static value)? For example, user needs to fill in username+password, followed by PIN on 2nd page for authentication to be complete.

PortSwigger Agent | Last updated: Sep 03, 2018 07:43AM UTC

Thanks for letting us know about this. To support this and other non-standard authentication flows, we're going to investigate providing a "record login" function. In the meantime, unfortunately the new crawler is not able to cover this site.

Burp User | Last updated: Sep 04, 2018 01:02PM UTC

That would be perfect! thanks:)

Rose, PortSwigger Agent | Last updated: Sep 04, 2018 01:04PM UTC

This is still in our backlog. Unfortunately, we can't provide an ETA.

Burp User | Last updated: May 13, 2019 02:57PM UTC

Any ETA for this feature ?

Burp User | Last updated: Jul 02, 2019 11:34AM UTC

Hi support team, as Burp 2 is now out of beta, do you have any update on this "record login" feature? Currently I am not able to crawl websites with complex authentication mechanisms (including more than one step) and I guess this feature would solve my issue.

Rose, PortSwigger Agent | Last updated: Jul 02, 2019 12:04PM UTC

Volodia, unfortunately we still don't have an ETA on this.

Burp User | Last updated: Oct 03, 2019 11:22AM UTC

Hello, is this feature being looked at for Professional and/or Enterprise edition?

Mike, PortSwigger Agent | Last updated: Oct 04, 2019 09:13AM UTC

Hi Stijn, yes this feature is being evaluated for both versions of Burp Suite.

Burp User | Last updated: Oct 04, 2019 07:15PM UTC

Any update on this feature?

Mike, PortSwigger Agent | Last updated: Oct 07, 2019 09:58AM UTC

No updates on this to share at the moment, we will notify this thread when it gets released.

Ivan | Last updated: May 19, 2020 04:21AM UTC

Hi, any news on this features?

Liam, PortSwigger Agent | Last updated: May 19, 2020 11:54AM UTC

We hope to have something to release during this quarter.

Scott | Last updated: Jul 15, 2020 04:46PM UTC

Hi, Any news on this feature?

Ben, PortSwigger Agent | Last updated: Jul 16, 2020 08:06AM UTC

H Scott, Our development team is currently working on the "record login" feature which will be available for automated scanning in both Burp Professional and Burp Enterprise. We will update this thread when we have further details. You can see our updated 2020 development roadmap on the following page: https://portswigger.net/blog/burp-suite-roadmap-update-july-2020

Laker | Last updated: Aug 20, 2020 04:05PM UTC

Hi, Before the recorded login is available, I'm trying to understand how the current user/app login works. Is it only work for popup HTTP authentication? In many cases, the login field is part of the starting page or you need to click a button to go to login page. How does the scanner know where to enter the username and password?

Ben, PortSwigger Agent | Last updated: Aug 21, 2020 10:14AM UTC

Hi, The Burp Crawler will try and identify any login functions during its initial non-authenticated crawl of a site, based on the input fields of the form. Once the non-authenticated crawl phase is complete, If any login forms were found Burp will attempt to authenticate using any supplied credentials. The limitation at the moment is that the Burp Scanner does not natively handle multi-step/multi-page or more complex login functions, which is why we are currently developing the record login functionality to improve the coverage for our users.

Laker | Last updated: Aug 21, 2020 12:28PM UTC

Thanks Ben for the response. Is there any log showing whether the login was successful and which credential was used? In my examples, I sometimes provided several credentials, hoping all of them could be used. I'm wondering whether the scanner just picked the first credential.

Ben, PortSwigger Agent | Last updated: Aug 21, 2020 12:49PM UTC

If you click the View details link next to your scan in the Dashboard tab then you should open up a new dialog that details the scan. The Event log tab in this dialog should provide some information about whether login forms have been found and whether authentication has been successfully carried out (make sure that all of the filters have been enabled).

Lukasz | Last updated: Nov 18, 2020 10:06AM UTC

Hi, Is there any update regarding when Recorded login sequences feature will be available? This is critical feature that prevents us from using the Burp Suit Enterprise, so I would appreciate any kind of update.

Ben, PortSwigger Agent | Last updated: Nov 18, 2020 11:19AM UTC

Hi Lukasz, The recorded login functionality was introduced in the latest Burp Enterprise release - version 2020.11.

You need to Log in to post a reply. Or register here, for free.