Burp Suite User Forum


force logged in status for scan

Chris | Last updated: Jun 29, 2020 01:32PM UTC

When I scan my application it is always a bit unclear whether the logged-in version of the page was scanned too. I suspect that in many cases it was not, as all issues are always discovered on the non-logged-in version of the page. So my question is: how can I force Burp to scan the logged-in version only, or, if that is not possible, how can I check whether the logged-in page was fully scanned? Cheers

Uthman, PortSwigger Agent | Last updated: Jun 29, 2020 01:48PM UTC

Hi Chris, are you using Burp Pro or Burp Enterprise? Is the scanner correctly identifying the login form and using the credentials?

Chris | Last updated: Jun 29, 2020 02:09PM UTC

Hello, I am using Burp Pro. Yes, it seems the login page is detected, at least as far as I can tell from the crawling status (logged-in crawl). Not sure what other ways there are to check whether the login page is detected correctly. All private pages are public as well in our app, but for a not-logged-in user a login form is displayed on that page. That login form seems not to be detected correctly; only the dedicated login page is.

Uthman, PortSwigger Agent | Last updated: Jun 29, 2020 02:14PM UTC

Can you send us further details and screenshots via email, please? You can try running the scan again and monitoring the traffic through Flow or Logger++ (Extender > BApp Store). The login page should be mentioned in the Event log too if the filters are enabled.

Chris | Last updated: Jun 29, 2020 02:24PM UTC

Hello, OK, I will try that. If it doesn't work, I will send the details and screenshots via email. Thank you.
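The thread's second question, how to check whether the logged-in version of a page was actually scanned, can be answered from the traffic Logger++ or Flow captures. The following script is an added example, not code from the thread or from PortSwigger: it walks over proxied request/response pairs, treats a request as authenticated when it carries the session cookie, and flags two gaps the thread describes, namely paths that were only ever requested without a session and responses that rendered the embedded login form even though a session cookie was sent (a dropped session). The tuple layout of the traffic, the cookie name `sessionid`, the host `app.example.test` and the sample HTML are all constructed assumptions for illustration; a real check would read the exported log instead.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Name of the application's session cookie: an assumption for this example.
SESSION_COOKIE = "sessionid"

# Constructed sample traffic as (method, url, raw request headers, response body).
# This tuple shape is an illustration, not Burp's or Logger++'s export format.
SAMPLE_TRAFFIC = [
    ("GET", "https://app.example.test/",
     "Host: app.example.test\r\nAccept: text/html\r\n",
     "<html><body><h1>Welcome</h1><a href='/account'>Account</a></body></html>"),
    ("GET", "https://app.example.test/account",
     "Host: app.example.test\r\n",
     "<form action='/login' method='post'><input name='user'>"
     "<input type='password' name='pw'></form>"),
    ("GET", "https://app.example.test/account",
     "Host: app.example.test\r\nCookie: theme=dark; sessionid=abc123\r\n",
     "<html><body><h1>Your account</h1><p>Balance: 42</p></body></html>"),
    ("GET", "https://app.example.test/orders?page=2",
     "Host: app.example.test\r\n",
     "<form action='/login' method='post'><input type=\"password\" name='pw'></form>"),
    ("GET", "https://app.example.test/profile",
     "Host: app.example.test\r\nCookie: sessionid=expired\r\n",
     "<div class='login'><form><input TYPE='Password' name='pw'></form></div>"),
]

COOKIE_HEADER = re.compile(r"^Cookie:\s*(.*?)\r?$", re.IGNORECASE | re.MULTILINE)
# A password field in the response marks the logged-out rendering of the page,
# which is how the application in the thread presents its embedded login form.
PASSWORD_FIELD = re.compile(r"<input[^>]*type\s*=\s*['\"]?password", re.IGNORECASE)


def is_authenticated(request_headers, cookie_name=SESSION_COOKIE):
    """True if the request carries a non-empty session cookie."""
    match = COOKIE_HEADER.search(request_headers)
    if not match:
        return False
    for pair in match.group(1).split(";"):
        name, _, value = pair.strip().partition("=")
        if name == cookie_name and value:
            return True
    return False


def shows_login_form(response_body):
    """True if the response renders a password input, i.e. the logged-out view."""
    return PASSWORD_FIELD.search(response_body) is not None


def coverage_report(traffic, cookie_name=SESSION_COOKIE):
    """Per 'METHOD /path', count authenticated and unauthenticated requests and
    note authenticated requests whose response still showed the login form."""
    report = defaultdict(lambda: {"authenticated": 0,
                                  "unauthenticated": 0,
                                  "login_form_despite_session": 0})
    for method, url, headers, body in traffic:
        key = f"{method} {urlsplit(url).path or '/'}"
        entry = report[key]
        if is_authenticated(headers, cookie_name):
            entry["authenticated"] += 1
            if shows_login_form(body):
                entry["login_form_despite_session"] += 1
        else:
            entry["unauthenticated"] += 1
    return dict(report)


def never_scanned_logged_in(report):
    """Paths the scanner only ever requested without a session cookie."""
    return sorted(k for k, v in report.items() if v["authenticated"] == 0)


def session_lost(report):
    """Paths where a session cookie was sent but the logged-out view came back."""
    return sorted(k for k, v in report.items() if v["login_form_despite_session"] > 0)


if __name__ == "__main__":
    rep = coverage_report(SAMPLE_TRAFFIC)
    for key, counts in sorted(rep.items()):
        print(key, counts)
    print("never seen with a session:", never_scanned_logged_in(rep))
    print("session cookie sent but login form returned:", session_lost(rep))
```

Paths listed by `never_scanned_logged_in` are the ones where any finding could only have come from the public rendering; paths listed by `session_lost` point at the scanner's session handling (the crawl logged in, but the session did not survive to that request), which is exactly the distinction the thread is trying to make.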
