Burp Suite User Forum


Scan when you have authentication problems

Alberto | Last updated: Feb 24, 2021 11:09AM UTC

Hello everybody. Reading various articles on this forum, I noticed that there is often talk of the fact that some authentication forms that rely "heavily" on JavaScript are not identified within the page. Now, I wonder: if I visit a site manually and it is slowly added to the site map, and I then click on an item within the site map and do an active scan, does this work as if it were authenticated, or does it risk giving only errors because it fails to do the authentication? I ask also because, apparently, by doing so I found myself with many false positives, and they all seemed to me to be due to an attempt to access certain resources without having the authorization. Ty :)

Uthman, PortSwigger Agent | Last updated: Feb 24, 2021 11:33AM UTC

Hi Alberto, if you manually authenticate against the site/application and an authenticated endpoint is then captured, and you then launch an active scan, Burp will be operating as if it were authenticated (e.g. the appropriate cookies, headers, etc. would be in the requests made, which would mimic the authenticated user). Have you considered using the recorded login functionality to automate this? Is your login form not being detected through a Crawl and Audit? - https://portswigger.net/burp/documentation/desktop/scanning/recorded-logins

Alberto | Last updated: Feb 24, 2021 02:55PM UTC

Hi and ty for your answer. I realized that the active scan actually works as if the user is authenticated. In any case, only as long as the cookies are valid or until the site closes the session. But after I have been running the active scan for a while, it starts giving errors as if the authentication is no longer valid, and checking in the browser where I was logged in, I find myself logged out. It's probably some defense rule of the site that I'm testing. About the login, I tried to record the login using the Burp functionality. After capturing the login sequence, I tried to test it as in the link you kindly gave me. The problem is that at the first test, using the Replay button, it would seem to work because at least it enters the data; however, it does not go beyond the insertion and in fact it seems not to click on the Login button. If I try to repeat the replay a second time with the same login sequence, it no longer even inserts the data, as if the sequence itself had changed by being used. I think at this point I will keep testing manually without using any scan.

Uthman, PortSwigger Agent | Last updated: Feb 24, 2021 03:10PM UTC

Hi Alberto, thanks for that information! If you would like us to investigate the recorded login issue further for the site, you can email us at support@portswigger.net. In relation to your first issue, it is very likely that there could be an account lockout policy set up that eventually results in the need to be reauthenticated. If you watch the crawl in a headed browser (Crawling > Miscellaneous > Show the crawl in a headed browser), you should be able to see any errors more clearly.
