Burp Suite User Forum


OAuth authentication

Vasant | Last updated: Mar 06, 2019 11:08PM UTC

At the moment, Burp Enterprise does not support authenticated scanning with OAuth and SSO. Going forward it would be good to have a login sequence recorder to overcome such issues.

PortSwigger Agent | Last updated: Mar 07, 2019 08:56AM UTC

I agree, this would be a good feature. This is on our development plan, although it may be a little while until we get to this. In the meantime, if you include the identity provider within your scope, Burp may be able to treat it as a normal login form.

Burp User | Last updated: Mar 07, 2019 10:43PM UTC

You mean, just add the identity provider's URL to the scan scope?

PortSwigger Agent | Last updated: Mar 08, 2019 08:05AM UTC

Yes, that's worth a try. We'd be interested to know how you get on with that.

Burp User | Last updated: Mar 11, 2019 01:43AM UTC

Team, I added the OAuth provider to the scope. However, it still doesn't work. It looks like the scanner does not support any other forms of authentication like SSO/OAuth or NTLM. Without support for these authentication types, one cannot perform authenticated scans on their sites. This has to be on your priority list.

PortSwigger Agent | Last updated: Mar 11, 2019 10:33AM UTC

Hi Vasant, you can use NTLM authentication. It's a little tricky to set up, but I can provide instructions if needed. Unfortunately OAuth is not on our priority list. We are aware a few people are unable to scan their sites because of this. It will probably be some months until we get to this.

Burp User | Last updated: Apr 29, 2019 06:34PM UTC

I agree that this feature should be a top priority. In an enterprise environment, automated DAST really needs support for OAuth and SSO in order to be useful in a CI/CD pipeline. Thanks!

Rose, PortSwigger Agent | Last updated: Apr 30, 2019 09:59AM UTC

Hi Phil, we've made a note of your request in our development backlog.

Liam, PortSwigger Agent | Last updated: May 28, 2019 09:52AM UTC

We have this feature on this year's roadmap. We'll update you when we release the feature.

Burp User | Last updated: Jun 27, 2019 01:30PM UTC

Is there any progress on OAuth integration for Burp? I come across this quite a lot during pentests and it would be handy to have the automated scanner part of Burp...

Dave | Last updated: Apr 28, 2020 08:59AM UTC

We run all but two of our sites on OAuth and the two outliers will also be heading that way this year. Is there any movement on this? Even some kind of integration where we programmatically authenticate and pass a URL with bearer token in would be good.

Uthman, PortSwigger Agent | Last updated: Apr 28, 2020 09:36AM UTC

The Enterprise team has started working on directory integration and will hopefully implement the feature towards the latter half of this year. Our scanner team is currently working on improving authentication support by implementing a recorded login feature. Both will need to be fully tested so I cannot provide a definitive date on when the features will be implemented. You can check out the full 2020 roadmap here: https://portswigger.net/blog/burp-suite-roadmap-for-2020.

Scott | Last updated: Jul 27, 2020 05:34PM UTC

+1 for this feature

ADIA | Last updated: Jul 28, 2020 04:04AM UTC

Another +1 for this one.

Sacha | Last updated: Aug 06, 2020 03:53PM UTC


ADIA | Last updated: Sep 17, 2020 10:42AM UTC

Hey PortSwigger team. I just wanted to do a cautiously optimistic check-in on this request. Are there any timelines for potentially supporting this functionality? I'd be happy to beta test for you :) As many users have noted before, in enterprise environments there is a significant drive towards modern authentication mechanisms in apps, and if my security tools can't support that or configuration is a nightmare, teams just aren't going to bother using these security tools in their pipelines.

Uthman, PortSwigger Agent | Last updated: Sep 17, 2020 10:47AM UTC

Our recorded login feature should help with this. We are aiming for a release before the end of the month. Unfortunately, we do not have a beta testing program, but we are very close now! We appreciate that this is a popular, and necessary, feature. Thanks for your patience!
