Burp Suite User Forum


Burp authenticated scans

Anton | Last updated: Oct 21, 2020 04:29PM UTC

Hello, the QA version of my web-site contains a standard authentication form, so I need the scanner to use credentials to perform a vulnerability scan. I tried to provide credentials to the Burp Scanner, but it seems that it didn't even try to use them (requests didn't contain any credentials, and the scan resulted in an error). I tried both methods - simply adding the user and password to the scan settings, and using the "Burp Suite Navigation Recorder". I didn't get any output from the recorder, because for some reason it always starts the recording AFTER I put my credentials into the login form. Could you please advise me on an approach to perform a credentialed scan?

Ben, PortSwigger Agent | Last updated: Oct 22, 2020 11:11AM UTC

Hi Anton,

If you use the standard Application login section of the Burp New Scan dialog to supply credentials for your scan, then Burp will attempt to use these credentials on login forms that it finds during the crawl phase. With this approach the scanner can only handle simple username/password combinations, and it needs to be able to recognize the login form in order to do this. It sounds like the scanner might not have been able to find the login form of your site, so there is some further information below on how Burp determines what it thinks is a login form: https://portswigger.net/burp/documentation/desktop/scanning/crawl-options

Can you provide some further information on your issue with the recorded login (it might be easier if you could send us an email to support@portswigger.net with some screenshots)? Once you click the recorded login extension in Chrome, it should ask if you want to start a new recording and then initiate a new incognito browser window. Once you have navigated to a site in this new browser window, you should see it being framed in a red border to illustrate that the recording is underway. You can then navigate to the login page, enter your credentials, and then stop the recording by clicking the extension in your new browser window and selecting to stop recording. Have you read the guide on the following page: https://portswigger.net/burp/documentation/desktop/scanning/recorded-logins

Cheers

Ben Wright
Technical Product Specialist
PortSwigger Web Security
