Burp Suite User Forum


Burp Enterprise - Scan Multi Step Login to Application

Venkata | Last updated: Oct 20, 2018 12:59AM UTC

There is a challenge in scanning the typical application with multi-step authentication. The actual site is store-hashvalue.site.com; however, to log in to the site one has to authenticate on login.site.com and then gets redirected to store-hashvalue.site.com. I’m not sure how to set up a scan for this scenario. Could you please help me further on this?

Liam, PortSwigger Agent | Last updated: Oct 22, 2018 09:48AM UTC

Venkata, which version of Burp are you using?

Burp User | Last updated: Nov 13, 2018 09:47PM UTC

Would like to know as well if this is possible (I have the Burp Enterprise version). On a similar note, is there a provision for SSO authentication (and to exclude the SSO site from being scanned)?

Liam, PortSwigger Agent | Last updated: Nov 14, 2018 11:07AM UTC

We're working on providing a feature to support non-standard authentication in Burp 2. Burp Enterprise uses the same Crawling and Scanning engine. Unfortunately, we can't provide an ETA.

Liam, PortSwigger Agent | Last updated: Nov 28, 2018 02:32PM UTC

Unfortunately, we have no updates for this feature atm.

Burp User | Last updated: Feb 05, 2019 01:07AM UTC

Very curious for an update on this. Running 2.0.15 and hoping you get this implemented soon.

Burp User | Last updated: Mar 13, 2019 07:39AM UTC

Hi Team, any update on the SSO function that we can use?

Liam, PortSwigger Agent | Last updated: Mar 14, 2019 11:35AM UTC

Chacko, we don't have any updates currently.

Burp User | Last updated: Jun 21, 2019 11:01PM UTC

We're seeking a SAML-based authentication solution as well. Thank you.

Liam, PortSwigger Agent | Last updated: Jun 24, 2019 01:24PM UTC

Thanks for your request Scott. We'll update this thread when we release the feature.

Burp User | Last updated: Oct 03, 2019 12:50PM UTC

Hi, we need SAML-based authentication as well (Enterprise). Any update?

Mike, PortSwigger Agent | Last updated: Oct 04, 2019 07:49AM UTC

We don't have any updates on this feature at the moment; we will notify this thread once it has been released.

Neer | Last updated: Feb 20, 2021 11:58PM UTC

Hi, are there any new developments on SSO authentication scanning with Burp Enterprise? Does Burp EE scan SSO-protected applications which are implemented with OAuth or Ping Federation?

Ben, PortSwigger Agent | Last updated: Feb 22, 2021 01:48PM UTC

Hi, the recorded login functionality was created, in both the Professional and Enterprise editions, in order to provide better handling of more complex login functions (you can now simply record the login sequence within your browser and supply the recording for use during an automated scan). Are you able to provide us with any details regarding the workflow of the logins that your sites are using? If you would prefer to discuss the details via email then please feel free to get in touch at support@portswigger.net.
