Burp Suite User Forum


Scan authenticated application

asdf | Last updated: Jul 17, 2020 07:40PM UTC

I'm using Burp Enterprise to initiate a scan and would like to know how I can scan a particular application (say app "c") which is accessible from the main authenticated application (say app "m"). Let's say we have 5 small applications (a, b, c, d, e) that are accessible only after authenticating (username & password) through application "m". I tried a couple of combinations (sites in the Enterprise dashboard):

1. Site URL (highest-level) for application "m", added login credentials, included all URLs for application "c"
2. Site URL (highest-level) for application "m", no login credentials, included all URLs for application "c"

1. and 2. both have the same scan results, but how did it scan 2. without login credentials?

3. Site URL (highest-level) main URL for application "c", added login credentials, included all URLs for application "c"
4. Another site with Site URL (highest-level URL) for application "c", no login credentials, included all URLs for application "c"

3. and 4. both have the same scan result as 1. and 2. but without "m" URL issues, and I'm not sure how it did scan 4. without login credentials.

Thanks!!

Uthman, PortSwigger Agent | Last updated: Jul 20, 2020 10:56AM UTC

Can you please send us an email with screenshots of how you have set this up so far? You can reach us on support@portswigger.net.

Your first 2 scans definitely seem strange. However, it is likely that the first scan may not have used your credentials at all. Can you please send a copy of the event log for both scans? You can find this by selecting a scan > More actions > Download event log.

Have you tried setting up a site with application C at the highest level, and application M included in the advanced scope?
