Burp Suite User Forum


Does Burp Suite Enterprise support authenticated scans of MeteorJS applications?

Alex | Last updated: Oct 05, 2020 08:53PM UTC

Applications built on the Meteor framework typically store the authentication token in localStorage, as opposed to a cookie, and heavily leverage DDP/WebSockets for application functionality. Does Burp Suite Enterprise support authenticated active scans of applications written in this framework?

Michelle, PortSwigger Agent | Last updated: Oct 06, 2020 01:46PM UTC

We don’t currently support localStorage as a way of handling authenticated paths. Although we’re using a browser that has localStorage out of the box, you may see it work in some areas, but as we don’t currently clear it when trying new paths, this probably wouldn’t work as expected. This is something that’s on our roadmap, but I can’t provide specific timescales just yet. We do plan to add support for WebSockets on pages, but again I can’t give any timescales for this work. In the meantime, if Meteor falls back to polling when a WebSocket connection can’t be made, then you may see some areas where this works (e.g. in the case of a notification rather than functionality), but if WebSockets are being used to drive content then it would be unlikely to work as intended. Please let us know if you have any further questions.
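To make the two points above concrete (the token living in localStorage rather than a cookie, and a crawler that does not clear localStorage between login paths), here is an added example written for this thread; it is not code from Meteor, Burp Suite or PortSwigger. The storage key names (`Meteor.loginToken`, `Meteor.loginTokenExpires`, `Meteor.userId`) and the DDP `connect` / `login` with `{resume: token}` message shapes follow Meteor's accounts-client and DDP as I know them; `MemoryStorage`, the server replies and the `openLoginPath` crawler helper are constructed for the example. The same JSON frames travel over the WebSocket or, when Meteor falls back to SockJS polling, over XHR, so the transport does not change the logic.

```javascript
// Added example for this thread (not Meteor's, Burp's or PortSwigger's code).
// Models how a Meteor client persists its login in localStorage and resumes it
// over DDP, and why a crawler that does not clear localStorage between login
// paths carries one path's session into the next.

// Key names used by Meteor's accounts-client package.
const METEOR_SESSION_KEYS = ['Meteor.loginToken', 'Meteor.loginTokenExpires', 'Meteor.userId'];

// Constructed stand-in for window.localStorage so the example runs under Node.
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
  setItem(key, value) { this.items.set(key, String(value)); }
  removeItem(key) { this.items.delete(key); }
}

// How a scanner has to seed a localStorage-based session: there is no cookie to
// put on the request, the values must be written into the browser's storage.
function seedSession(storage, { token, userId, expiresIso }) {
  storage.setItem('Meteor.loginToken', token);
  storage.setItem('Meteor.loginTokenExpires', expiresIso);
  storage.setItem('Meteor.userId', userId);
}

function clearSession(storage) {
  METEOR_SESSION_KEYS.forEach((key) => storage.removeItem(key));
}

// First DDP frame the client sends on a new WebSocket (or SockJS polling) connection.
function ddpConnectFrame() {
  return { msg: 'connect', version: '1', support: ['1', 'pre2', 'pre1'] };
}

// If a token is stored, the client calls the `login` method with `{resume: token}`
// instead of sending credentials again; otherwise it stays anonymous.
function ddpResumeLoginFrame(storage, callId) {
  const token = storage.getItem('Meteor.loginToken');
  if (token === null) return null;
  return { msg: 'method', method: 'login', params: [{ resume: token }], id: String(callId) };
}

// Apply the server's reply to the `login` call the way accounts-client does:
// a result stores the (possibly new) token, an error discards the stale one.
// `tokenExpires` arrives as EJSON `{ $date: <ms since epoch> }`.
function applyLoginReply(storage, frame) {
  if (frame.msg !== 'result') return { handled: false };
  if (frame.error) {
    clearSession(storage);
    return { handled: true, loggedIn: false, reason: frame.error.reason };
  }
  const { id, token, tokenExpires } = frame.result;
  const expiresIso = new Date(tokenExpires.$date).toISOString();
  seedSession(storage, { token, userId: id, expiresIso });
  return { handled: true, loggedIn: true, userId: id };
}

// What a crawler sees when it opens a fresh "login path" in the same browser
// profile. Without clearing storage, the page silently resumes whatever session
// the previous path left behind, so responses cannot be attributed to the
// credentials the crawler believes it is testing.
function openLoginPath(storage, { clearStorageFirst }) {
  if (clearStorageFirst) clearSession(storage);
  const resume = ddpResumeLoginFrame(storage, 1);
  const outbound = [ddpConnectFrame()];
  if (resume) outbound.push(resume);
  return { resumedPreviousSession: resume !== null, outbound };
}

function demo() {
  const storage = new MemoryStorage();
  // Constructed server reply to a successful credential login on path A.
  applyLoginReply(storage, {
    msg: 'result', id: '1',
    result: { id: 'user-A', token: 'tok-A', tokenExpires: { $date: 1601940000000 } },
  });
  const leaked = openLoginPath(storage, { clearStorageFirst: false }); // resumes user-A
  const clean = openLoginPath(storage, { clearStorageFirst: true });   // anonymous
  return { leaked: leaked.resumedPreviousSession, clean: clean.resumedPreviousSession };
}
```

`demo()` returns `{ leaked: true, clean: false }`: the second path resumes user-A's session unless storage is cleared first, which is exactly the failure mode described in the reply above. When driving such an application from a scanner or a headless browser yourself, `seedSession` is the shape of the injection step (a `localStorage.setItem` script run in the page before navigation), and `clearSession` is what must run before each new credential set is tried.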

Ben | Last updated: Mar 15, 2022 05:00PM UTC

Hi Michelle, is this still the case? Have there been any updates to Burp Suite Pro to support authentication using localStorage?

Alex, PortSwigger Agent | Last updated: Mar 16, 2022 10:51AM UTC

Hi Ben, an update was applied with regard to sessions utilizing localStorage. If you are experiencing issues with the latest version, you can send the details to support@portswigger.net and we shall investigate for you. Thanks
