Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Microsoft login giving bad request with burpsuite

mufas | Last updated: May 14, 2024 09:29AM UTC

I am testing an application that utilizes microsoft login. At some point, microsoft login starts to give 400 bad request error for request GET login.microsoftonline.com/common/discovery/instance and the microsoft login page does not open. This reproduces with different browsers (Chrome, Chromium, Firefox) when the proxy is enabled through Burp suite. The same browsers without proxy work well. In this situation, I cannot log in to the application that I am testing. I am now using workaround to log in with another browser and copying authentication token(s) to the Burp's browser, but this is a bit of a workload. Has anyone else faced this problem? Is there any other workaround for this? I have also tried to empty Burp suite's cookie jar, but that did not work.

Hannah, PortSwigger Agent | Last updated: May 15, 2024 01:54PM UTC

Hi Does this initially start off working, and then after a certain period of time start to fail? Is this time period consistent, or does it vary? Do you have any extensions installed on your Burp installation?

mufas | Last updated: May 20, 2024 06:22AM UTC

Initially, this works. The time period where the login is working is something like 15-60mins. My hunch is that the error happens when user is logged out (with logout or session timeout) from the application under test and/or microsoft SSO. I have several extensions and following were active: Autorize (not in use though), Active scan++, SQLiPy, Hackvertor, Backlash powered scanner.

Hannah, PortSwigger Agent | Last updated: May 20, 2024 10:09AM UTC

Thanks for that information! If you unload all extensions, does the behavior persist? Does access become re-enabled after a certain period of time or after restarting Burp?

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.