The Burp Suite User Forum was discontinued on the 1st November 2024.


Does Burp Suite Enterprise support authenticated scans of MeteorJS applications?

Alex | Last updated: Oct 05, 2020 08:53PM UTC

Applications built on the Meteor framework typically store the authentication token in localStorage, as opposed to a cookie, and heavily leverage DDP/WebSockets for application functionality. Does Burp Suite Enterprise support authenticated active scans of applications written in this framework?

Michelle, PortSwigger Agent | Last updated: Oct 06, 2020 01:46PM UTC

We don’t currently support localStorage as a way of handling authenticated paths. Although we’re using a browser that will have local storage out of the box, you may see it work in some areas, but as we don’t currently clear it when trying new paths, this probably wouldn’t work as expected. This is something that’s on our roadmap, but I can’t provide specific timescales just yet. We do plan to add support for web sockets on pages, but again I can’t give any timescales for this work. In the meantime, if Meteor falls back to polling when a WebSocket connection can’t be made, then you may see some areas where this works (e.g. in the case of a notification rather than functionality), but if the WebSockets are being used to drive content then it would be unlikely to work as intended. Please let us know if you have any further questions.
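The session state discussed in the two posts above, as an added example that is not part of the original thread and is not PortSwigger's code: it classifies the Meteor login state held in localStorage, clears it so a new path starts unauthenticated, and builds the DDP frames a client sends to resume a session over the WebSocket. The key names are the ones Meteor's accounts-base package uses; `makeStorage` is a hypothetical stand-in for the browser's localStorage, the expiry is assumed to be stored as a date string, and the token value is constructed.

```javascript
// Added example. Key names follow Meteor's accounts-base package.
const KEYS = {
  token: 'Meteor.loginToken',
  expires: 'Meteor.loginTokenExpires',
  userId: 'Meteor.userId',
};

// Hypothetical localStorage stand-in so the example runs outside a browser.
function makeStorage(initial = {}) {
  const data = new Map(Object.entries(initial));
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: (k) => { data.delete(k); },
  };
}

// Classify the stored session as 'absent', 'expired' or 'valid'.
// Assumption: the expiry is a date string that Date can parse.
function meteorSessionState(storage, now = new Date()) {
  const token = storage.getItem(KEYS.token);
  if (!token) return 'absent';
  const raw = storage.getItem(KEYS.expires);
  const expires = raw ? new Date(raw) : null;
  if (expires && !Number.isNaN(expires.getTime()) && expires <= now) {
    return 'expired';
  }
  return 'valid';
}

// Remove all auth state so the next path is visited unauthenticated.
// A cookie jar reset alone leaves these keys in place.
function clearMeteorSession(storage) {
  Object.values(KEYS).forEach((k) => storage.removeItem(k));
}

// DDP frames (JSON text) a client sends to resume a session:
// first the protocol handshake, then the login method with the stored token.
function ddpResumeFrames(token, id = '1') {
  return [
    { msg: 'connect', version: '1', support: ['1', 'pre2', 'pre1'] },
    { msg: 'method', method: 'login', params: [{ resume: token }], id },
  ].map((frame) => JSON.stringify(frame));
}
```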

Ben | Last updated: Mar 15, 2022 05:00PM UTC

Hi Michelle, Is this still the case? Have there been any updates to Burp Suite Pro to support authentication using localStorage?

Alex, PortSwigger Agent | Last updated: Mar 16, 2022 10:51AM UTC