Burp Suite User Forum


Issue with recording/replaying login sequence.

Kurządkowski, | Last updated: May 05, 2022 02:38PM UTC

Hello everyone, I'm having trouble replaying the login sequence for Burp 2022.3.6 on https://logowanie.nn.pl. When I click the "Replay" button, Chrome does not play the login sequence.

Steps to reproduce:

1 - Record the login sequence using the plugin (I tested with the plugin on "normal" Chrome and Chrome in Burp).
    - Username on "Adres e-mail, PESEL lub nr Klienta"
    - Password on "Hasło"
    - Click "Zaloguj się" button to log in.
2 - Create a new scan, paste the login script, click Replay.
3 - Chrome loads the page, but does not display the login forms.

Other sites work fine.

Example login sequence (with fake credentials):

[
  {
    "name": "Burp Suite Navigation Recorder",
    "version": "1.4.18",
    "eventType": "start",
    "platform": "Win32",
    "iframes": [],
    "windows": [ { "windowId": 29 } ],
    "tabs": [ { "tabId": 30, "windowId": 29 } ]
  },
  {
    "date": "2022-05-05T14:10:40.224Z",
    "timestamp": 1651759840224,
    "eventType": "goto",
    "url": "https://logowanie.nn.pl/",
    "triggersNavigation": true,
    "frameId": 0,
    "tabId": 30,
    "windowId": 29,
    "fromAddressBar": true
  },
  {
    "date": "2022-05-05T14:11:00.541Z",
    "timestamp": 1651759860541,
    "windowInnerWidth": 1920,
    "windowInnerHeight": 969,
    "uniqueElementID": "c84yyvoxc9-2gqkyxqsnsw-x191hx6efr",
    "tagName": "LABEL",
    "eventType": "click",
    "tagNodeIndex": 0,
    "className": "",
    "id": "",
    "frameId": 0,
    "tabId": 30,
    "textContent": "Adres e-mail, PESEL lub nr Klienta",
    "innerHTML": "Adres e-mail, PESEL lub nr Klienta",
    "xPath": "/html/body/div/div/div/div/main/div/div/div/section/section/form/div/div/div/div/label",
    "ariaSelector": "aria/Adres e-mail, PESEL lub nr Klienta",
    "triggersNavigation": false,
    "triggersWithinDocumentNavigation": false,
    "shiftKey": false,
    "ctrlKey": false,
    "altKey": false,
    "metaKey": false,
    "windowId": 29,
    "url": "https://logowanie.nn.pl/",
    "isIframe": false
  },
  {
    "date": "2022-05-05T14:11:03.603Z",
    "timestamp": 1651759863603,
    "windowInnerWidth": 1920,
    "windowInnerHeight": 969,
    "uniqueElementID": "2xz2zt83axi-dv6ol0xjqpf-862sirh4z9l",
    "tagName": "INPUT",
    "eventType": "typing",
    "placeholder": " ",
    "tagNodeIndex": 0,
    "className": "nn-text-field Input_module_formControl__35302911",
    "name": "username",
    "id": "d9f739b4-d1fb-4170-9de5-0e3b05887a8c",
    "frameId": 0,
    "tabId": 30,
    "textContent": "",
    "innerHTML": "",
    "value": "",
    "elementType": "text",
    "xPath": "/html/body/div/div/div/div/main/div/div/div/section/section/form/div/div/div/div/input",
    "triggersNavigation": false,
    "triggersWithinDocumentNavigation": false,
    "typedValue": "ExampleLogin",
    "windowId": 29,
    "url": "https://logowanie.nn.pl/",
    "isIframe": false
  },
  {
    "date": "2022-05-05T14:11:05.724Z",
    "timestamp": 1651759865724,
    "eventType": "keyboard",
    "shiftKey": false,
    "ctrlKey": false,
    "altKey": false,
    "metaKey": false,
    "key": "Tab",
    "charCode": 0,
    "frameId": 0,
    "windowId": 29,
    "url": "https://logowanie.nn.pl/",
    "isIframe": false
  },
  {
    "date": "2022-05-05T14:11:06.083Z",
    "timestamp": 1651759866083,
    "windowInnerWidth": 1920,
    "windowInnerHeight": 969,
    "uniqueElementID": "uznqw87kp17-cgqao5sm8gh-tcqgxc2mhnh",
    "tagName": "INPUT",
    "eventType": "typing",
    "placeholder": " ",
    "tagNodeIndex": 1,
    "className": "nn-text-field Input_module_formControl__35302911",
    "name": "password",
    "id": "ca3d055c-023a-4701-8c56-545e1380ea62",
    "frameId": 0,
    "tabId": 30,
    "textContent": "",
    "innerHTML": "",
    "value": "",
    "elementType": "password",
    "xPath": "/html/body/div/div/div/div/main/div/div/div/section/section/form/div/div/div[2]/div/div/input",
    "triggersNavigation": false,
    "triggersWithinDocumentNavigation": false,
    "typedValue": "ExampleP{assword",
    "windowId": 29,
    "url": "https://logowanie.nn.pl/",
    "isIframe": false
  },
  {
    "date": "2022-05-05T14:11:15.907Z",
    "timestamp": 1651759875907,
    "windowInnerWidth": 1920,
    "windowInnerHeight": 969,
    "uniqueElementID": "4kjlnfstcc-a2t1v9uw0n-rht5rflucyk",
    "tagName": "BUTTON",
    "eventType": "click",
    "tagNodeIndex": 0,
    "className": "Button_module_btn__842e5474 Button_module_btnPrimary__842e5474 Button_module_btnLg__842e5474 LoginForm_formButton__3_k_m",
    "name": "",
    "id": "",
    "frameId": 0,
    "tabId": 30,
    "textContent": "Zaloguj się",
    "innerHTML": "Zaloguj się",
    "value": "",
    "elementType": "submit",
    "xPath": "/html/body/div/div/div/div/main/div/div/div/section/section/form/div/div[2]/button",
    "ariaSelector": "aria/Zaloguj się",
    "triggersNavigation": false,
    "triggersWithinDocumentNavigation": false,
    "shiftKey": false,
    "ctrlKey": false,
    "altKey": false,
    "metaKey": false,
    "windowId": 29,
    "url": "https://logowanie.nn.pl/",
    "isIframe": false
  }
]

Uthman, PortSwigger Agent | Last updated: May 05, 2022 05:19PM UTC

Hi Andrzej,

Can you share the information below to help us investigate your recorded login issue further, please?

  • Perform a login using a normal browser (without Burp configured) and capture the requests in the Developer Tools > Network tab. You should be able to export these as a HAR archive. It may also be worth sending screenshots of the Logger in Burp when the scan is running so that we can see the requests matching up to when the recorded login sequence fails
  • An HTML snippet of the login form
  • The login script (JSON) exactly as it is pasted into Burp
  • A screen recording of the login sequence replayed (please use the 'Replay' button in Burp Pro – visible under Application Login when you select your recorded login sequence)
  • A screenshot of the Event log (if any errors are visible)
  • How many locations, if any, are found after logging in?
  • Does the application/site use a WAF?
  • Do you have any other extensions enabled? Are these required as part of the login process? E.g. Add Custom Header
  • Are there any popups in the login process?
  • Is an account lockout policy set up on the user account being used?
  • Have you edited the JSON script from the default that is output via the recorder/extension?
  • If you run a headed crawl (in your crawling configuration, select Miscellaneous > Embedded Browser Options > Show the crawl in a headed browser), do you physically see any error messages in the browser when the login fails? If so, can you please share some screenshots?
  • Are you scanning a single-page application? Does your application send XHR requests? Is it built on frameworks like React and Angular?
  • If our developers need to replicate this on their machines, are you okay with us using the login script you have provided? Do we have your permission to run a crawl on the site?
  • Crawl logs by running the scan in Burp Pro. You can enable debug mode via Dashboard > New scan > Scan configuration > New > Crawling > Crawl Optimization > click the cog button > Enabling logging

Please email us at support@portswigger.net. We'll review the details and get in touch with further information/suggestions once we have reviewed the information you have provided.

Let me know if you have any questions!
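A small helper for handling a Navigation Recorder script like the one in the question, added here as an example and not part of either post, of Burp, or of the recorder extension. It parses the JSON, lists the recorded steps, runs a few sanity checks on the sequence (recorder "start" header present, a "goto" to start from, typing into a password field, a click on a submit button, all steps in one frame and outside iframes) and masks typed credentials so the script can be emailed to support as requested above without shipping a live password. The embedded sample is a trimmed, constructed copy of the sequence posted in the question; the checks are generic and will not diagnose the form-rendering problem described there.

```python
import copy
import json

# Constructed sample, modelled on the Burp Suite Navigation Recorder output
# quoted in the question (fake credentials, most per-event fields trimmed).
SAMPLE_SCRIPT = json.dumps([
    {"name": "Burp Suite Navigation Recorder", "version": "1.4.18",
     "eventType": "start", "platform": "Win32", "iframes": [],
     "windows": [{"windowId": 29}], "tabs": [{"tabId": 30, "windowId": 29}]},
    {"eventType": "goto", "url": "https://logowanie.nn.pl/",
     "triggersNavigation": True, "frameId": 0, "tabId": 30, "windowId": 29},
    {"eventType": "click", "tagName": "LABEL", "frameId": 0, "isIframe": False,
     "textContent": "Adres e-mail, PESEL lub nr Klienta"},
    {"eventType": "typing", "tagName": "INPUT", "name": "username", "frameId": 0,
     "elementType": "text", "typedValue": "ExampleLogin", "isIframe": False},
    {"eventType": "keyboard", "key": "Tab", "frameId": 0, "isIframe": False},
    {"eventType": "typing", "tagName": "INPUT", "name": "password", "frameId": 0,
     "elementType": "password", "typedValue": "ExampleP{assword", "isIframe": False},
    {"eventType": "click", "tagName": "BUTTON", "textContent": "Zaloguj się",
     "elementType": "submit", "frameId": 0, "isIframe": False},
])


def load_script(text):
    """Parse a recorder script and require the leading 'start' header event."""
    events = json.loads(text)
    if not isinstance(events, list) or not events:
        raise ValueError("script must be a non-empty JSON array of events")
    if events[0].get("eventType") != "start":
        raise ValueError("first event must be the recorder 'start' header")
    return events


def summarize(events):
    """One human-readable line per recorded step; typed values are never echoed."""
    lines = []
    for ev in events[1:]:          # skip the 'start' header
        kind = ev.get("eventType")
        if kind == "goto":
            lines.append(f"goto {ev.get('url')}")
        elif kind == "click":
            label = ev.get("textContent") or ev.get("name") or ev.get("xPath", "?")
            lines.append(f"click {ev.get('tagName')} '{label}'")
        elif kind == "typing":
            target = ev.get("name") or ev.get("id") or ev.get("xPath", "?")
            lines.append(f"type into {target} ({ev.get('elementType')})")
        elif kind == "keyboard":
            lines.append(f"key {ev.get('key')}")
        else:
            lines.append(str(kind))
    return lines


def check_sequence(events):
    """Generic sanity checks on a recorded login before pasting it into a scan.

    Returns a list of issue strings; an empty list means nothing obvious is wrong.
    """
    issues = []
    kinds = [ev.get("eventType") for ev in events]
    if "goto" not in kinds:
        issues.append("no 'goto' event: the replay has no starting URL")
    typed = [ev for ev in events if ev.get("eventType") == "typing"]
    if not any(ev.get("elementType") == "password" for ev in typed):
        issues.append("no typing into a password field")
    if not any(ev.get("eventType") == "click" and ev.get("elementType") == "submit"
               for ev in events):
        issues.append("no click on a submit button")
    if any(ev.get("isIframe") for ev in events):
        issues.append("some steps are recorded inside an iframe")
    frames = {ev["frameId"] for ev in events[1:] if "frameId" in ev}
    if len(frames) > 1:
        issues.append(f"steps span several frames: {sorted(frames)}")
    return issues


def redact(events):
    """Deep copy of the script with password-like typed values masked.

    The original list is left untouched so the real script can still be replayed.
    """
    out = copy.deepcopy(events)
    for ev in out:
        if ev.get("eventType") != "typing" or "typedValue" not in ev:
            continue
        name = str(ev.get("name", "")).lower()
        if ev.get("elementType") == "password" or "pass" in name:
            ev["typedValue"] = "[REDACTED]"
    return out


if __name__ == "__main__":
    evs = load_script(SAMPLE_SCRIPT)
    print("\n".join(summarize(evs)))
    print("issues:", check_sequence(evs) or "none")
    print(json.dumps(redact(evs), indent=2, ensure_ascii=False))
```

Run it against a real export by replacing SAMPLE_SCRIPT with the file contents; the redacted copy is the one to attach to the support email, and the summary is a quick way to confirm the recorder captured the label click, both typing events and the submit click in the expected order.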
