Burp Suite User Forum


Macro Authentication in Burp Suite Pro/Enterprise?

Jason | Last updated: Sep 14, 2021 03:51AM UTC

Hi all, I'm interested in using Burp Suite Enterprise or Professional to be the method of performing authenticated scans as part of a regulatory compliance program. Having a clear indication of successful authentication to the host being scanned is a must. I've attempted to create an authentication script using the Burp extension. The issue is that one of the sites uses a popup menu in order to present the application login form. Since this is an ASP.NET application, the username/password forms used to submit the request with the credentials are not found once Burp tries to run the sequence. My understanding is that this feature is planned on being addressed in Q3 of 2021 (2022?). My question from here is whether or not it's possible to use session handling rules to handle authentication. Namely, can the captured request that performs authentication be saved as a macro into a session handling rule that is then passed to the scan configuration? This seems like a straightforward approach to handling authentication. Please let me know if this is possible as I'd love to be able to use Burp Suite Enterprise as the scanner for this organization. Thanks in advance!
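The flow Jason is asking about (record the login request as a macro, let a session handling rule detect a dead session, re-run the macro, retry the request) can be modelled outside Burp. The script below is an added example written for this thread; it is not Burp's code and not from PortSwigger. It uses a constructed in-memory stand-in for a forms-auth ASP.NET site, and the cookie name `.ASPXAUTH`, the `/Account/Login` and `/Account/LogOff` paths, and the credentials are assumptions chosen for the illustration. The `confirm_authenticated` check is the "clear indication of successful authentication" a compliance report would want to record per request.

```python
# Added example, not code from the forum thread or from PortSwigger: a small
# model of what a Burp session handling rule with a login macro does during an
# authenticated scan. The target app, URLs, cookie name and credentials below
# are constructed stand-ins (assumptions), not a real site.
import re
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict
    body: str


class FakeAspNetApp:
    """Constructed in-memory target: forms-auth style app that issues a
    .ASPXAUTH cookie on a correct POST to /Account/Login and redirects
    unauthenticated requests back to the login page."""

    def __init__(self, username, password):
        self.username, self.password = username, password
        self.valid_sessions = set()
        self.issued = 0

    def expire_all_sessions(self):
        """Simulate a server-side session timeout between scan requests."""
        self.valid_sessions.clear()

    def handle(self, method, path, headers=None, body=""):
        headers = headers or {}
        if method == "POST" and path == "/Account/Login":
            params = dict(p.split("=", 1) for p in body.split("&") if "=" in p)
            if (params.get("UserName"), params.get("Password")) == (self.username, self.password):
                self.issued += 1
                sid = f"sess{self.issued}"
                self.valid_sessions.add(sid)
                return Response(302, {"Location": "/",
                                      "Set-Cookie": f".ASPXAUTH={sid}; Path=/; HttpOnly"}, "")
            return Response(200, {}, '<form id="loginForm">Invalid credentials</form>')
        m = re.search(r"\.ASPXAUTH=(\w+)", headers.get("Cookie", ""))
        if m and m.group(1) in self.valid_sessions:
            return Response(200, {}, '<p>Welcome</p><a href="/Account/LogOff">Log off</a>')
        return Response(302, {"Location": f"/Account/Login?ReturnUrl={path}"}, "")


class SessionHandlingRule:
    """Models the rule: check whether the session is still valid, run the
    recorded login macro if not, then replay the original request once."""

    def __init__(self, app, username, password):
        self.app, self.username, self.password = app, username, password
        self.cookie = None
        self.macro_runs = 0

    @staticmethod
    def session_invalid(resp):
        # Indicators of a logged-out state: a redirect to the login page, or
        # the login form appearing in the body.
        location = resp.headers.get("Location", "")
        return (resp.status in (301, 302) and "/Account/Login" in location) \
            or 'id="loginForm"' in resp.body

    @staticmethod
    def confirm_authenticated(resp):
        # Positive indicator the scan report can cite: the page shows the
        # logged-in-only "Log off" link.
        return resp.status == 200 and "/Account/LogOff" in resp.body

    def run_login_macro(self):
        """Replay the captured login request and harvest the session cookie."""
        self.macro_runs += 1
        resp = self.app.handle("POST", "/Account/Login",
                               body=f"UserName={self.username}&Password={self.password}")
        m = re.search(r"\.ASPXAUTH=(\w+)", resp.headers.get("Set-Cookie", ""))
        if resp.status != 302 or m is None:
            raise RuntimeError("login macro failed: no session cookie issued")
        self.cookie = f".ASPXAUTH={m.group(1)}"

    def request(self, method, path):
        if self.cookie is None:
            self.run_login_macro()
        resp = self.app.handle(method, path, {"Cookie": self.cookie})
        if self.session_invalid(resp):
            self.run_login_macro()
            resp = self.app.handle(method, path, {"Cookie": self.cookie})
            if self.session_invalid(resp):
                raise RuntimeError(f"still unauthenticated after re-login: {method} {path}")
        return resp


if __name__ == "__main__":
    app = FakeAspNetApp("scanner", "example-password")
    rule = SessionHandlingRule(app, "scanner", "example-password")
    first = rule.request("GET", "/Reports")
    print("authenticated:", rule.confirm_authenticated(first), "macro runs:", rule.macro_runs)
    app.expire_all_sessions()  # session times out mid-scan
    second = rule.request("GET", "/Admin")
    print("authenticated:", rule.confirm_authenticated(second), "macro runs:", rule.macro_runs)
```

The part the model does not cover is exactly the problem in the original question: the macro here is a plain POST, whereas a login form rendered in a popup may need the recorded sequence to include the request that fetches the form (and any anti-forgery token it carries) before the credential submission.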

Michelle, PortSwigger Agent | Last updated: Sep 14, 2021 10:22AM UTC

Thanks for your message. Although session handling rules can be used in Burp Suite Professional, these are not available in Burp Suite Enterprise. It would be good to find out more about your specific use case and the details of the authentication sequence so we can look into which options may be best for you. Could you send an email to support@portswigger.net with a bit more detail, please?

Jason | Last updated: Sep 14, 2021 03:48PM UTC

Thanks for the response - I've emailed support.

Michelle, PortSwigger Agent | Last updated: Sep 15, 2021 10:22AM UTC

Thanks! We've received your email so we'll take a look and be in touch soon.
