Burp Suite User Forum


Discover content using basic HTTP authentication

Toon | Last updated: Jun 24, 2016 09:05AM UTC

Hello, I'm trying to use the discover content functionality on a web site that uses basic HTTP authentication. I entered the credentials in the Platform Authentication screen. When I run the discover content, all I get is 403 Forbidden answers for all files. Does the discover content functionality use the platform authentication or is there another way to enter the credentials?

PortSwigger Agent | Last updated: Jun 24, 2016 10:28AM UTC

Yes, the content discovery function uses the configured platform authentication for the relevant domain. Do you get a 403 response even for URLs that you know to exist? If you try requesting those URLs via Repeater, do you get a 403 error? If so, in either case, it suggests that you don't actually have the correct credentials configured.

Burp User | Last updated: Jun 28, 2016 09:33AM UTC

Hello, it is (and was) working in fact. I was confused since all requests that return 403 are added to the site map (hundreds of files) and I missed the few requests that returned 200. Is it possible to ignore the 403 responses in the discover content menu so that they are not added to the site map?

PortSwigger Agent | Last updated: Jun 28, 2016 10:05AM UTC

The content discovery function tries to fingerprint invalid and valid responses, but in some situations gets this wrong and is adding everything to the site map for this application. We're aware of some edge case problems like this and have some pending tickets to address them.
