Burp Enterprise tool is not doing authenticated scans

Doddi, | Last updated: Dec 17, 2020 11:51AM UTC

Hi, I had configured the Burp Enterprise scanner for one of our applications and provided a recorded login sequence, since the application redirects to a single sign-on page and then redirects to the main application page once authenticated. When I observed the scanned URLs, I did not see any dynamic endpoints scanned by Burp. I am able to see a Request time out error on the login page endpoint. I believe Burp scanned only the .css page and other .js pages and hasn't scanned the authenticated pages. Could you please provide more information on why this is happening?

Michelle, PortSwigger Agent | Last updated: Dec 17, 2020 01:24PM UTC

Thanks for your message. Could you tell us a little bit more about your setup, please?
- Do you see any additional errors in the event log for the scan (Scan details -> More Actions -> Download event log)?
- Are the agents installed on the same server as Enterprise? What OS are they installed on and how much RAM/CPU does the server have?
- Is this a site you have previously scanned using Burp Suite Professional?
If you would prefer to share these details directly, please feel free to email us (support@portswigger.net).

Doddi, | Last updated: Dec 17, 2020 02:32PM UTC

Hi, our setup is pretty straightforward. My application uses single sign-on for authentication, and once authenticated the SSO redirects to the main application.
1. I recorded the login sequence starting from accessing the main URL, providing credentials on the SSO page and then being redirected to the main application.
2. I am getting the below errors in the event log:
event_log_type,message,created_at,duplicate_count
"INFORMATION","Crawl started.","December 17 2020 at 10:06:57","1"
"INFORMATION","Recorded Sequence Creds started","December 17 2020 at 10:09:10","2"
"ERROR","Failed to replay sequence Creds - unable to find Element{id="", name="", xPath="/html/body/div/portal-app/div/div/div/div[2]/ul/li[2]/a", href="https://regportalstaging.aws.dnb.com/app/#/invitations"} on the page","December 17 2020 at 10:10:01","2"
"INFORMATION","Identifying items to audit.","December 17 2020 at 10:11:18","1"
"INFORMATION","Crawl completed.",
3. Since we are trial-checking Burp Enterprise for continuous scanning, I installed the agents on the same machine where I am running Burp Enterprise.
4. OS is Microsoft Windows Server 2016. CPU 2.50 GHz and RAM: 9 GB free.
5. Yes, this site was previously scanned with Burp Suite Professional, partially.
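As an added example (not part of this thread and not PortSwigger's code), a small triage script for event logs in the four-column CSV shape quoted above: it flags any recorded login sequence whose replay failed and extracts the element the crawler could not find, which is the first thing to check when a scan silently covers only unauthenticated content. The sample log, its host and its xPath are constructed placeholders; a real downloaded log is passed in the same way.

```python
import re

# Constructed sample in the shape of the Enterprise event log quoted above
# (event_log_type,message,created_at,duplicate_count); host and xPath are placeholders.
SAMPLE_EVENT_LOG = """event_log_type,message,created_at,duplicate_count
"INFORMATION","Crawl started.","December 17 2020 at 10:06:57","1"
"INFORMATION","Recorded Sequence Creds started","December 17 2020 at 10:09:10","2"
"ERROR","Failed to replay sequence Creds - unable to find Element{id="", name="", xPath="/html/body/div/ul/li[2]/a", href="https://app.example.invalid/app/#/invitations"} on the page","December 17 2020 at 10:10:01","2"
"INFORMATION","Identifying items to audit.","December 17 2020 at 10:11:18","1"
"INFORMATION","Crawl completed.","December 17 2020 at 10:12:40","1"
"""

# The message column can contain unescaped double quotes (the Element{...} dump), which
# trips a strict CSV reader, so the fixed four-column layout is matched with a regex instead.
LINE_RE = re.compile(r'^"(?P<type>[A-Z]+)","(?P<msg>.*)","(?P<ts>[^"]*)","(?P<dup>\d+)"$')
STARTED_RE = re.compile(r"Recorded Sequence (?P<seq>\S+) started")
FAILED_RE = re.compile(r"Failed to replay sequence (?P<seq>\S+) - unable to find Element\{(?P<attrs>.*)\} on the page")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event_log(text):
    """Turn the downloaded log into dicts; the header line and anything unparseable are skipped."""
    events = []
    for line in text.splitlines()[1:]:
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"type": m["type"], "message": m["msg"],
                           "created_at": m["ts"], "duplicates": int(m["dup"])})
    return events

def replay_failures(events):
    """Each failed login-sequence replay, with the element the crawler could not find on the page."""
    failures = []
    for ev in events:
        m = FAILED_RE.search(ev["message"]) if ev["type"] == "ERROR" else None
        if m:
            failures.append({"sequence": m["seq"], "created_at": ev["created_at"],
                             "element": dict(ATTR_RE.findall(m["attrs"]))})
    return failures

def sequence_status(events):
    """'ok' or 'failed' per recorded sequence; a failed replay means the crawl ran unauthenticated."""
    status = {}
    for ev in events:
        m = STARTED_RE.search(ev["message"])
        if m:
            status.setdefault(m["seq"], "ok")
    for f in replay_failures(events):
        status[f["sequence"]] = "failed"
    return status
```

The xPath and href in a failure record point at the exact step of the recording to re-check against the live page (a changed DOM, a redirect landing elsewhere, or a page that timed out before the element rendered).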

Doddi, | Last updated: Dec 17, 2020 04:10PM UTC

Hi Team, could you please provide your thoughts on why the recorded sequence Creds has failed?

Liam, PortSwigger Agent | Last updated: Dec 18, 2020 11:08AM UTC

Please be aware of the following limitations before deciding to use recorded login sequences:
- Recorded logins are not compatible with two-factor authentication, character-select passwords, or CAPTCHA.
- Burp Scanner is currently unable to replay login sequences that rely on popups or <iframe> elements.
- Depending on your authentication system, the repeated logins made during the scan may be flagged as suspicious. This could trigger additional authentication steps or anti-robot measures that the crawler is unable to handle. In this case, we recommend running the scan on a test instance with these checks disabled.
Do any of the above limitations apply to your application? Is the application publicly accessible?

Doddi, | Last updated: Dec 18, 2020 11:49AM UTC

Hi,
1. Currently we don't have two-factor authentication or CAPTCHA.
2. No popups or <iframe> elements during user login.
3. The authentication mechanism is pretty simple and straightforward:
a) When the user accesses the main application, the page is redirected to the single sign-on page.
b) The user authenticates on the single sign-on page by giving a user ID and password.
c) The SSO page redirects to the main URL once authentication is successful.
Currently we are running the scans on pre-prod environments which are not accessible over the internet.

Doddi, | Last updated: Dec 18, 2020 03:49PM UTC

Hi Team, I am unable to see a Replay button to test whether the recorded login sequence is successful or not. I am using Burp Enterprise Edition Version: 2020.11-5632, Java version: 9.0.4. Please let us know where we can find the Replay button to test the recorded login sequence.

Michelle, PortSwigger Agent | Last updated: Dec 21, 2020 09:14AM UTC

Hi, the Replay button is a feature that is available in Burp Suite Professional, if you have access to a copy. If you don't have access to a copy of Professional, we can set you up with a trial license so we can troubleshoot this in more detail with you.

