Burp Suite User Forum


Burpsuite and Keycloak

Darren | Last updated: Mar 18, 2020 10:44AM UTC

All, I'm new to Burpsuite, and have tried this several times to Scan and Audit. I enter the username and password in the New Scan window (there is a label field, I think this is just a name and not a field in the screen). When I run the Scan, this only shows that the login page has been scanned and has not used the username and password. What am I doing wrong? Thanks

Uthman, PortSwigger Agent | Last updated: Mar 18, 2020 11:20AM UTC

Hi Darren, Can you provide some more details about the architecture of the application? How does it work? What type of authentication does it use? Does it use JavaScript?

Darren | Last updated: Mar 19, 2020 08:04AM UTC

Hi, thanks for getting back to me. I am using OpenID to connect to a Hasura database. The site uses quite a lot of cookies and tokens, but I thought the scan would just log in as a normal client would see, so therefore I wouldn't need the cookies mapping. There is a bit of JavaScript in the website, but it uses normal HTML to log in (redirects and referrers in the headers). Thanks

Darren | Last updated: Mar 19, 2020 08:09AM UTC

The Scan window uses a username and password. Am I using this correctly by assuming that the Label field is just a text field and the username and password are the ones I can use in the website? Thanks

Uthman, PortSwigger Agent | Last updated: Mar 19, 2020 10:19AM UTC

Can you double-check that the application supports one of the accepted authentication types listed at the link below?

https://portswigger.net/burp/documentation/desktop/options/connections#platform-authentication

You are correct, the Label field is just an arbitrary text field for your reference. Can you try specifying the exact login form under URLs to scan?

Darren | Last updated: Mar 19, 2020 03:27PM UTC

Thanks for this. I've spoken to the Development team and our AUT doesn't use any of the protocols that we use in the application. It was worth a try to see if we could use this application. Thanks
