Burp Suite User Forum

OAuth authentication

Vasant | Last updated: Mar 06, 2019 11:08PM UTC

At the moment, Burp Enterprise does not support authenticated scanning with OAuth and SSO. Going forward, it would be good to have a login sequence recorder to overcome such issues.

PortSwigger Agent | Last updated: Mar 07, 2019 08:56AM UTC

I agree, this would be a good feature. This is on our development plan, although it may be a little while until we get to this. In the meantime, if you include the identity provider within your scope, Burp may be able to treat it as a normal login form.

Burp User | Last updated: Mar 07, 2019 10:43PM UTC

You mean, just add the identity provider's URL to the scan scope?

PortSwigger Agent | Last updated: Mar 08, 2019 08:05AM UTC

Yes, that's worth a try. We'd be interested to know how you get on with that.

Burp User | Last updated: Mar 11, 2019 01:43AM UTC

Team, I added the OAuth provider to the scope. However, it still doesn't work. Looks like the scanner does not support any other forms of authentication like SSO/OAuth or NTLM. Without support for these authentication types, one cannot perform authenticated scans on their sites. This has to be on your priority list.

PortSwigger Agent | Last updated: Mar 11, 2019 10:33AM UTC

Hi Vasant, you can use NTLM authentication. It's a little tricky to set up, but I can provide instructions if needed. Unfortunately, OAuth is not on our priority list. We are aware a few people are unable to scan their sites because of this. It will probably be some months until we get to this.

Burp User | Last updated: Apr 29, 2019 06:34PM UTC

I agree that this feature should be a top priority. In an enterprise environment, automated DAST really needs support for OAuth and SSO in order to be useful in a CI/CD pipeline. Thanks!

Rose, PortSwigger Agent | Last updated: Apr 30, 2019 09:59AM UTC

Hi Phil, we've made a note of your request in our development backlog.

Liam, PortSwigger Agent | Last updated: May 28, 2019 09:52AM UTC

We have this feature on this year's roadmap. We'll update you when we release the feature.

Burp User | Last updated: Jun 27, 2019 01:30PM UTC

Is there any progress on OAuth integration for Burp? I come across this quite a lot during pentests, and it would be handy to have the automated scanner part of Burp...
