The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


force logged in status for scan

Chris | Last updated: Jun 29, 2020 01:32PM UTC

When I scan my application it is always a bit unclear if the logged-in version of the page was scanned too. I suspect that it was not in many cases, as all issues are always discovered on the non-logged-in version of the page. So my question is, how can I force Burp to scan the logged-in version only - or if that is not possible, how can I check if the logged-in page was fully scanned? Cheers

Uthman, PortSwigger Agent | Last updated: Jun 29, 2020 01:48PM UTC

Hi Chris, Are you using Burp Pro? Or Burp Enterprise? Is the scanner correctly identifying the login form and using the credentials?

Chris | Last updated: Jun 29, 2020 02:09PM UTC

Hello, I am using Burp Pro. Yes, it seems the login page is detected - at least as far as I can tell from the crawling status (logged in crawl). Not sure what other ways there are to check if the login page is detected correctly - all private pages are public as well in our app, but in case of a not-logged-in user, a login form is displayed on that form. That login form seems not to be correctly detected - only the dedicated login page.

Uthman, PortSwigger Agent | Last updated: Jun 29, 2020 02:14PM UTC

Can you send us further details and screenshots via email, please? You can try running the scan again and monitoring the traffic through Flow/Logger++ (Extender > BApp Store). The login page should be mentioned in the Event log too if the filters are enabled.

Chris | Last updated: Jun 29, 2020 02:24PM UTC