Burp Suite User Forum


No REPLAY issues when configuring the scan, but "Failed to replay sequence" during the scan

Steven | Last updated: Jan 27, 2021 02:52PM UTC

We have no issues when we REPLAY the script during the scan configuration. However, I get two error messages when I kick off the scan: #1 "Failed to replay sequence - timeout occurred while navigating to https://" followed by... #2 "Failed to replay sequence - unable to find Element{id="submit", name="", xPath="/html/body/div/div(2)/div/div/div/erop-app/div(2)/div/div/div/ng-component/fieldset/div/div/form/div/div(2)/button(2)", href="")...

Uthman, PortSwigger Agent | Last updated: Jan 27, 2021 03:29PM UTC

Hi Steven, Can you please try running a headed crawl and send us a screenshot or screen recording of what is displayed when you hit those errors? Please send an email to support@portswigger.net. You can enable a headed crawl under Crawling > Miscellaneous > 'Show the crawl in a headed browser' in your Crawling scan configuration.

Steven | Last updated: Jan 28, 2021 03:34PM UTC

Thanks for the follow-up. A redirect to Microsoft is causing the issue. It appears that the AAD authentication screen is being rendered as a pop-up.

Uthman, PortSwigger Agent | Last updated: Jan 28, 2021 03:35PM UTC

Thanks for that information. Unfortunately, that is currently a limitation of recorded logins - the inability to handle popups. We have registered your interest in a feature request to address this and we will update this thread when it has been implemented.

Chris | Last updated: May 04, 2021 12:38PM UTC

Good afternoon, I'm having the same issue where my web application authenticates using Azure Active Directory. Do you know how far off a solution might be for this problem? Further to this, I have a question. When I manually browse my site through the proxy, I can see that I get authenticated OK and can reach all parts of my site. If I then choose to audit the selected items (from my browsing session), will the results I get back be from the perspective of an authenticated user accessing the URLs? I'm trying to understand the scope of the results I'm getting back from the audit, but I'm new to Burp Suite. Any help much appreciated. Thanks, Chris.

Uthman, PortSwigger Agent | Last updated: May 04, 2021 01:00PM UTC

Hi Chris, We are still working on implementing support for popups and I cannot provide an ETA, unfortunately. If you log in manually using the proxy, an authenticated session will be used in an active scan.
