Burp Suite User Forum


Burp Scanner with form credentials

Jonny | Last updated: Feb 24, 2020 03:11PM UTC

Hello, I am trying to do an entire application scan with the Burp Scanner. The Scanner cannot bypass the login of the application even though I provided the right credentials in the Application Login portion of the Scanner. The login is a simple form login with username and password (really nothing special). The URL is domain/user/login and the POST parameters are username&password. I tried several ways, like here:

https://forum.portswigger.net/thread/authenticated-session-spidering-scanning-d9c332df
https://forum.portswigger.net/thread/authenticated-scanning-34381c9fcc1ea
https://forum.portswigger.net/thread/login-on-website-scan-6bfca371ba8e88
https://portswigger.net/support/configuring-burp-suites-session-handling-rules

Nothing seems to work so far. I am using Burp Professional v2020.1.

GarlicCheese | Last updated: Feb 25, 2020 06:15AM UTC

I have the same issue. I run "crawl and audit", but the Burp Scanner touches nothing beyond the login page and does not try to authenticate with the provided credentials.

Ben, PortSwigger Agent | Last updated: Feb 25, 2020 08:29AM UTC

Hi, Are you able to provide us with some details of the web application that you are trying to scan? Do you know what language the site is written in? Is the login page JavaScript heavy?

GarlicCheese | Last updated: Feb 25, 2020 08:49AM UTC

For me it is a very simple HTML form login (parameters are called "user" and "pass", HTML form login button). No JavaScript, no additional parameters or data required. I'm afraid I can't provide you with an application link or the source code as I have signed an NDA. Basically the login is just a POST to /user/login, with the HTML Form parameters in the body. I've added the username and password on the "New Scan", "Application Login" with the label "login".

Jonny | Last updated: Feb 25, 2020 09:02AM UTC

The application we are using is written in Java (Spring Boot). The login page does not have any JavaScript or any other parameters than "username" and "password". The Content-Type is: application/x-www-form-urlencoded

Jonny | Last updated: Feb 25, 2020 09:23AM UTC

I just used the Burp Logger++ extension to see if the credentials I provide will be sent during the scan. I can see that the right credentials are sent (multiple times). Then, after the successful login, the application responds with a 302 and a valid session cookie. It seems like Burp fails to scan/crawl the application any further with that valid session cookie. I just see a few requests where the crawler used the session cookie to send a GET request to "/", which is the starting point of the application.

Ben, PortSwigger Agent | Last updated: Feb 25, 2020 09:53AM UTC

Hi, If you navigate to Target -> Site map within Burp and select the host that you are trying to scan, are there any entries for the login page? Whilst the scan is taking place, are any messages displayed in the Event log window that indicate whether a login form has been found or user credentials have been applied (you may need to switch on the Debug category to see these)? If you want us to take a further look, you can switch on the crawl logging functionality and send us the resulting log file. To do this, launch a new scan and then select Scan configuration -> New -> Crawling to open the New scanning configuration dialog. Expand the Crawl Optimization section and then click the gear icon next to Crawl strategy. Within the resulting Crawl strategy tuning dialog, select the Enable logging checkbox and then choose a location for the log file. With this configuration in place, please run the scan as normal and a crawler log file should be created in your specified location. If you could send this to us via email (support@portswigger.net), we can take a look and see what the Burp crawler is doing during your scans.

GarlicCheese | Last updated: Feb 25, 2020 10:49AM UTC

I'm not sure if those issues are correlated, but with "Embedded Browser Health Check" I get an error for "Creating embedded browser documentation window":

```
Aborting checks due to errors.
java.io.EOFException
```

Ben, PortSwigger Agent | Last updated: Feb 25, 2020 10:56AM UTC

Hi, Are you able to create another forum post or email us at support@portswigger.net with your embedded browser issue?

Jonny | Last updated: Feb 25, 2020 11:36AM UTC

Hello, yes, there is the POST request which handles the login and the GET request for the form in the Site map. Burp shows that a login form has been found at URL/user/login, which is the correct URL for the login. In Logger++ I can also see that Burp used the correct credentials to log in. I created a file as described above and will send it to support@portswigger.net.

Ben, PortSwigger Agent | Last updated: Feb 25, 2020 02:53PM UTC

Thanks Jonathan. We will take a look at the specifics in your email.
