Burp Suite User Forum

Create new post

Locked due to many failed login attempts as soon as i scan my application

aravind | Last updated: Jan 24, 2018 09:09PM UTC

Issue 1: My application(https://test2.tstraining.com/) is getting locked due to many failed login attempts as soon as i scan my application. Am i sending bunch other invalid passwords ?? I see below article. I don't know whether it is useful on my case as I'm not finding any POST request with invalid password anywhere. https://support.portswigger.net/customer/en/portal/articles/2363088-configuring-burp-s-session-handling-rules Here is the error message i see. Your account has been locked due to too many failed login attempts. Please contact an administrator. Issue 2: I went to Proxy --> HTTP History. I see ONLY ONE login POST request. How to see all remaining requests ? Filter is already set to : Showing all items. POST / HTTP/1.1 Host: test2.tstraining.com Connection: close Content-Length: 34 Cache-Control: max-age=0 Origin: https://test2.tstraining.com Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Referer: https://test2.tstraining.com/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: _ga=GA1.2.16534546.1516732197; _gid=GA1.2.1793642162.1516732197; _gat=1 Username=xx&Password=yyy

Liam, PortSwigger Agent | Last updated: Jan 25, 2018 10:59AM UTC

You can use Burp's Target Scope to exclude the login page from Burp Scanner. Got to Target > Scope > Exclude from scope > Add. - https://portswigger.net/burp/help/target_scope Please let us know if you need any further assistance.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.