Burp Suite User Forum

Login to post

How can I troubleshoot the "Did not find a login form"?

Jacob | Last updated: Mar 11, 2020 08:12PM UTC

Hello, How can I troubleshoot the "Did not find a login form" debug message from the event log? The crawl and audit only found 7 locations and issued 3534 requests before finishing. After starting an active scan from the site map of the same site in a branch of the site, the current scan has issued over 640,000 requests. Thank you!

Ben, PortSwigger Agent | Last updated: Mar 12, 2020 10:06AM UTC

Hi Jacob, Are you able to provide us with some more details about the site that you are trying to scan? Is it JavaScript heavy? Does the page itself have a standard login function?

Jacob | Last updated: Mar 12, 2020 03:45PM UTC

The page has a login form and does not appear to be JavaScript heavy. The login form on the page looks like this: <form name="login_form" action="j_security_check" method="post" autocomplete="off"> <table width="30%" align="center" border="0" cellspacing="0" cellpadding="5"> <tbody><tr> <td align="center" class="darkbold" colspan="2">User Login</td> </tr> <tr> <td align="right" class="candy">User Name</td> <td class="lite"><input name="j_username" onchange="javascript:this.value=this.value.toLowerCase().trim();" type="text" size="30" maxlength="30"></td> </tr> <tr> <td align="right" class="candy">Password</td> <td class="lite"> <input name="j_password" type="password" size="30" maxlength="30" redisplay="false">&nbsp;&nbsp; </td> </tr> <tr> <td align="center" class="lite" colspan="2"> <input type="submit" value="Submit">&nbsp;<input type="reset" value="Reset"> </td> </tr> <tr> <td class="lite" colspan="2">&nbsp;</td> </tr> <tr> <td align="center" class="candyline" colspan="2"> <a title="Click to reset your password." class="weblink" href="/app/forgotpassword.do">Forgot you password?</a> </td> </tr> </tbody></table> </form>

Ben, PortSwigger Agent | Last updated: Mar 12, 2020 06:37PM UTC

Hi Jacob, Thank you for the further information. Just to completely clarify the situation, if you switch off JavaScript running in your browser (let us know if you are not sure how to do this) and navigate to the site, does the site still function correctly and are you able to login? Essentially, the Burp Scanner does not traditionally handle JavaScript (and some more modern technologies) very well. To improve upon this we have been developing browser-driven navigation and started to include an experimental version of this in recent Burp releases. Currently, this functionality is switched off by default for the scanning process. You can switch this on by performing the following steps. If you launch a New scan from the Dashboard and then navigate to the Scan configuration section within the New scan dialog. You then need to select New -> Crawling to open the New scanning configuration dialog. If you then expand the Miscellaneous section and check the "Use browser based navigation (EXPERIMENTAL)" then that will enable this configuration. You can then configure the rest of your in the usual manner. As noted, this is still in the experimental stage but might give you better coverage of the site during the automated crawling phase. Please let us know how you get on. Cheers Ben Wright Technical Product Specialist PortSwigger Web Security

Jacob | Last updated: Mar 12, 2020 07:52PM UTC

After disabling JavaScript, I can still use the login page to authenticate and use much of the site functionality. I'll try the experimental functionality sometime soon.

Jason | Last updated: Jul 28, 2020 04:56PM UTC

That worked for me. Login page is lightly modified ASP.NET Core (3.1) Identity library.

David | Last updated: May 03, 2021 03:17PM UTC

Hi Ben, I'm scanning a site that reguires Javcscript to complete the singin. I disable Javascript on my browser and the Web Sites log in functionailtiy no longer worked. Is the option to select "EXPERIMENTAL" for Use browser based navigation an option? My scan did not perform the users authnenciation as expected. There were three account specified for authecation that used the Burp's Chrome Extension to create the Recorded Login Sequenece. I have a license for ZBurb Suite Professional and running version V2021.4.2 and not able to fund this option. Thanks, David Walaski

David | Last updated: May 03, 2021 03:17PM UTC

Hi Ben, I'm scanning a site that reguires Javcscript to complete the singin. I disable Javascript on my browser and the Web Sites log in functionailtiy no longer worked. Is the option to select "EXPERIMENTAL" for Use browser based navigation an option? My scan did not perform the users authnenciation as expected. There were three account specified for authecation that used the Burp's Chrome Extension to create the Recorded Login Sequenece. I have a license for ZBurb Suite Professional and running version V2021.4.2 and not able to fund this option. Thanks, David Walaski

Ben, PortSwigger Agent | Last updated: May 04, 2021 09:36AM UTC

Hi David, We turned on the use of the embedded browser by default, for scanning within Burp Professional, several versions back in order to improve the coverage for more modern sites so this should be being used for your scan. Are you able to provide us with any further details of your site and the recorded logins that you have created? Are you seeing any errors when you run your scan? Have you tested your recorded logins to make sure that they work prior to using them within the scan itself?

You need to Log in to post a reply. Or register here, for free.