Burp Suite User Forum


Digest Auth in Burp was removed?

Kacper | Last updated: Feb 02, 2021 06:20PM UTC

Hi,

What happened with Digest authentication support?

https://portswigger.net/burp/documentation/desktop/options/connections

"Supported authentication types are: basic, NTLMv1, and NTLMv2"

In the previous versions it was supported (it is visible in this video, for example: https://portswigger.net/support/configuring-ntlm-with-burp-suite). What is the alternative, except implementing it by myself? I don't see any Burp Extension for it.

Ben, PortSwigger Agent | Last updated: Feb 03, 2021 10:26AM UTC

Hi, We removed support for Digest authentication in version 2020.7. The reasons for removal were that it is a virtually obsolete protocol, our telemetry suggested that it was very rarely used and it was affecting our ability to refactor our HTTP stack. Having said that, we have had a couple of users ask for its return so we do currently have a feature request for this in our development system. We are currently monitoring demand for this - if demand is high then we may consider reimplementing this functionality. I will add your interest in this feature being reintroduced.

Ken | Last updated: Feb 10, 2021 07:00AM UTC

Count me in. I just encountered Digest Auth on a pen test and was very surprised to find out it wasn't supported.

Ben, PortSwigger Agent | Last updated: Feb 10, 2021 08:43AM UTC

Hi Ken, I have also added your interest in the reimplementation of Digest authentication. If we have any further news to share about this then we will update this thread.

Uthman, PortSwigger Agent | Last updated: Mar 23, 2021 11:29AM UTC

Hi,

Unfortunately, at present, we have decided not to reimplement Digest Authentication. Since it is largely an obsolete protocol, we have made the decision to keep it out of the platform authentication options.

This may change in the future and we will definitely keep you updated if it does.

I appreciate that this is not good news! If you have any feedback, I would be happy to pass it on to the product manager.

summer | Last updated: Jul 09, 2021 01:38PM UTC

Count me in, too. I didn't know that when I read this. I was searching local before version 2020.7.

Michal | Last updated: Aug 18, 2021 08:24PM UTC

> Since it is largely an obsolete protocol, we have made the decision to keep it out of the platform authentication options.

Some ideas for a new Burp slogan:

- Burp Suite helps find vulnerabilities in modern and secure applications!
- We designed Burp Suite to (only) support popular web application frameworks!
- Our state of the art telemetry knows all your secrets ^w^wthe features you need!

Uthman, PortSwigger Agent | Last updated: Aug 19, 2021 08:59AM UTC

Hi Michal, Thank you for the feedback - I have added this directly to our development ticket so we will update this thread if anything changes in the future. Apologies for the inconvenience this is causing in the meantime.

Maeda | Last updated: Dec 07, 2021 08:57AM UTC

We may diagnose vulnerabilities in old websites. Digest authentication may be used at that time. Since Digest authentication has been deprecated, we are using an older version of Burp Suite. As a result, we will be using an older version of Burp Suite, so we will be using an older Scanner and will not be able to benefit from the Burp Scanner included in the latest version. We just hope for the return of support for Digest authentication.

pyno | Last updated: Dec 22, 2021 12:18PM UTC

Hi guys! While testing I was having the same issue with Digest authentication not being supported anymore. So I decided to write a Burp Suite extension to handle it, while continuing to test with the latest Burp Suite version. You can find it here: https://github.com/pyno/http-digest-auth/. It allows you to set credentials, and works with the Repeater, Scanner and Intruder tools. Hope this helps! Cheers
