Burp Suite User Forum


Login on website Scan

Eric | Last updated: Sep 10, 2019 05:31PM UTC

I was trying out the website scan functionality and I entered the login credentials for a site. I then entered all the other data and started the crawl and audit. When it was on the Account\Login page it did not appear to ever pass the login credentials to the site. It scanned all that it could but never was able to see any of the pages that require the user to log in. How does it know that it needs to enter the login credentials on the login page? Will this only work if I am running a live scan through the proxy?

Rose, PortSwigger Agent | Last updated: Sep 11, 2019 06:33AM UTC

Eric, thanks for your message. There are some cases in which further configuration is required to allow Burp to log in during a scan. I'll need a few more details from you, if possible? Did you configure your login details through the New scan > Application login? If so, can you provide details on the login mechanism. For example:

- Is the authentication just a straightforward form that just requires a username and password and no other fields?
- Does it require platform authentication?
- Does your application / login page use JavaScript? If so, this isn't currently supported by Burp Scanner. You can test this by turning off JavaScript in your browser and checking if the application still functions.

James | Last updated: Feb 19, 2020 09:27AM UTC

Hey? I'm facing a similar issue. My application / login page uses JavaScript and it doesn't function when I disable JavaScript. Yet I want to use this feature of Burp. Any other way?

Hannah, PortSwigger Agent | Last updated: Feb 19, 2020 09:40AM UTC

Hi, Have you tried enabling our experimental crawler? You can find this under "New scan configuration > Crawling > Miscellaneous > Use embedded browser for navigation (EXPERIMENTAL)". This should provide better coverage for JavaScript-heavy applications, and is continually undergoing improvements. As part of our roadmap for 2020 (https://portswigger.net/blog/burp-suite-roadmap-for-2020), we eventually intend for this to be made default.

Hannah, PortSwigger Agent | Last updated: Nov 20, 2020 08:43AM UTC

Hi,

Since v2020.8.1 of Burp Suite Professional, browser-powered scanning has been enabled by default.

- https://portswigger.net/burp/releases/professional-community-2020-8-1
