Burp Suite User Forum


Connection to upstream proxy fails when "Crawl using my provided logins only" is disabled.

Zvi | Last updated: Mar 07, 2023 07:47PM UTC

Burp Enterprise Version: 2023.1 Build: 11718
Scanner version: 2023.1.3
Database: postgres
Database version: 12.11
Kubernetes install.

Bug description: We must use an upstream proxy for egress in order to be able to reach the scan targets. Custom scan profiles have been created with an upstream proxy configured. Scan profiles that have the option "Crawl using my provided logins only" under "Crawling Optimizations" disabled result in scan and connectivity check failures due to the scanner not being able to connect to an upstream proxy.

Bug Impact: High
This bug means that we cannot run scans from an external perspective, test login pages and test registration processes.

How to reproduce:
1) Install Burp Enterprise in an environment that requires an upstream proxy for egress.
2) Create a custom scan profile with the correct upstream proxy configuration and "Crawl using my provided logins only" enabled.
3) Validate that the scan works as expected.
4) Edit the custom profile and set "Crawl using my provided logins only" to disabled.
5) Relaunch a scan and observe that it would now fail.
6) Pull your hair out and yell why?!

Alex, PortSwigger Agent | Last updated: Mar 08, 2023 01:33PM UTC

Hi Zvi,

Thanks for your post.

This scan configuration option should not impact the use of an upstream proxy, but it can impact scans when used in conjunction with a recorded login sequence and an authentication mechanism that includes redirects. This is further conditional on how you have your URL scope set up in the site configuration.

Does the application utilize SSO for which you have configured a recorded login sequence? Can you confirm which scan error failure message you observe in the UI?

If you would like us to investigate further, you can send us your site configuration details and scan event/debug logs (accessed via the "logging" tab when viewing the scan) at support@portswigger.net, and we shall take a look.

Best regards,
