Burp Suite User Forum


Scanner application login not trying all buttons

floyd | Last updated: Jan 13, 2021 04:50PM UTC

I have a website that has the following login form:

    <form id="example" name="example" method="POST" target="_self" action="https://example.org/e/?login" accept-charset="UTF-8">
      <input type="text" name="username" class="form-control" autofocus="true" placeholder="E-mail">
      <input type="password" name="password" class="form-control" value="" placeholder="Password">
      <input type="submit" name="resetPwd" value="Forgot password?" class="btn-link">
      <input type="submit" name="pwdlogin" value="Login" class="btn-primary">
    </form>

As you can see, nothing special, just a username field and a password field. Something that should be solvable by the Scanner's "Application login" and more specifically "Use login credentials (username & password)" feature when doing the crawl.

There is one challenge in this form: there are two submit buttons, one that is for password reset (when it is forgotten) and one that is for the login itself. The crawler crawls the form correctly. It also tries random values in the form and then presses both buttons on different tries. However, when using the user-supplied correct username and password, the crawler will only press the "resetPwd" button. Therefore, it will never log in successfully.

Please consider supplying the correct credentials and then pressing the first button, but also supplying the correct credentials and pressing the second button. I know there has to be some limit, but at least trying to press two or three buttons with the correct credentials (especially when the buttons are in the same <form> tag) should be worth a try. You only have to do this "extra" work when there is more than one submit button in the form.

Hannah, PortSwigger Agent | Last updated: Jan 14, 2021 10:51AM UTC

Hello,

Unfortunately, due to the way the Crawler works, it isn't possible to use more than one submit button when using the provided credentials. We take a "best guess" at what we think is the login form based on a few criteria (number of password fields, number of text input fields, number of dropdown selects, etc.), but because the "two" forms (one for each of the submit buttons) have identical fields, we consider them equally likely to be the login form. Unfortunately, there's not an easy, reliable way for us to pick one submit button over the other.

From what you've described, it sounds like the "Recorded login" functionality may be better suited for this use case.

floyd | Last updated: Jan 15, 2021 11:15AM UTC

Hi Hannah,

Ok, I see. Hm, you say the crawler sees the submit buttons as "two" forms. They also have identical fields, yes. But they do not have identical submit button fields. One is called "resetPwd" and one is called "pwdlogin". Given that we are looking for a login functionality, wouldn't a heuristic make sense if you deem both equally likely (and only then)? Given that most of the world understood that it is a good idea to write program code in English, the heuristic could simply check if name.lower(), value.lower() and similar attributes contain "login" or "enter" or "accept" or "confirm" or "yes" and is therefore more likely the correct form?

An alternative solution would be to allow the user to specify the button's attribute name in an advanced configuration for the application login configuration. So instead of only specifying username and password, it could allow specifying the name of the button. I would probably go for the heuristic as that doesn't need user input, but both are fine.

PS: Btw. I would also appreciate it if there were an advanced configuration for the application login configuration for a (static) two-factor token. The crawler would simply paste this value into the next form that pops up after the login. Some companies have these "two password" forms. It would also allow specifying a Hackvertor tag that then pulls the real 2fa token from somewhere.
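As an added illustration of the heuristic proposed in the post above (this is example code, not part of the thread and not Burp's crawler logic), the following Python script parses the form from the first post with the standard library, applies the "best guess" login-form criteria Hannah mentions (one password field plus a text field), and then ranks the submit controls by whether their `name`, `value`, `id` or `class` contain login-like words. The negative hints for reset/forgot buttons and the `rank`/`ambiguous` helpers are my own additions to show how a crawler could try the top two or three buttons and detect the tie case Hannah describes.

```python
from html.parser import HTMLParser

# Positive hints from the post; the negative hints are an assumption added here.
LOGIN_HINTS = ("login", "log in", "signin", "sign in", "enter", "accept", "confirm", "yes")
RESET_HINTS = ("reset", "forgot", "recover")

# The form quoted in the first post of the thread.
FORM_HTML = """
<form id="example" name="example" method="POST" target="_self"
      action="https://example.org/e/?login" accept-charset="UTF-8">
  <input type="text" name="username" class="form-control" autofocus="true" placeholder="E-mail">
  <input type="password" name="password" class="form-control" value="" placeholder="Password">
  <input type="submit" name="resetPwd" value="Forgot password?" class="btn-link">
  <input type="submit" name="pwdlogin" value="Login" class="btn-primary">
</form>
"""


class FormParser(HTMLParser):
    """Collects every <form> with the <input>/<button> controls inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"attrs": attrs, "inputs": []}
            self.forms.append(self._current)
        elif tag in ("input", "button") and self._current is not None:
            self._current["inputs"].append({"tag": tag, **attrs})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def parse_forms(html):
    parser = FormParser()
    parser.feed(html)
    return parser.forms


def control_type(control):
    # <button> defaults to submit, <input> defaults to text when type is missing.
    default = "submit" if control["tag"] == "button" else "text"
    return (control.get("type") or default).lower()


def is_login_form(form):
    """Best-guess criteria: exactly one password field and at least one text/email field."""
    types = [control_type(c) for c in form["inputs"]]
    return types.count("password") == 1 and any(t in ("text", "email") for t in types)


def submit_controls(form):
    return [c for c in form["inputs"] if control_type(c) == "submit"]


def score_submit(control):
    """+1 per login-like word, -1 per reset-like word, over name/value/id/class."""
    text = " ".join(str(control.get(k) or "") for k in ("name", "value", "id", "class")).lower()
    return sum(h in text for h in LOGIN_HINTS) - sum(h in text for h in RESET_HINTS)


def ranked_submit_names(form):
    """Submit button names, most login-like first; ties keep document order."""
    ranked = sorted(submit_controls(form), key=score_submit, reverse=True)
    return [c.get("name") for c in ranked]


def choose_login_submit(form):
    """The single button a crawler should press first with the real credentials."""
    ranked = sorted(submit_controls(form), key=score_submit, reverse=True)
    return ranked[0] if ranked else None


def ambiguous(form):
    """True when the two best candidates score the same, i.e. the heuristic cannot decide."""
    scores = sorted((score_submit(c) for c in submit_controls(form)), reverse=True)
    return len(scores) > 1 and scores[0] == scores[1]


if __name__ == "__main__":
    for form in parse_forms(FORM_HTML):
        if is_login_form(form):
            print("login form:", form["attrs"].get("id"))
            print("try buttons in this order:", ranked_submit_names(form))
            print("ambiguous:", ambiguous(form))
```

With the form from the post, `ranked_submit_names` returns `['pwdlogin', 'resetPwd']`, so a crawler following the suggestion would press the login button first and fall back to the reset button only if that attempt fails. When no control carries a recognisable hint, `ambiguous` reports the tie and a configured button name (the alternative proposed in the post) would be the only reliable choice.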

Hannah, PortSwigger Agent | Last updated: Jan 18, 2021 01:12PM UTC

Hi Floyd,

If you have a static 2FA you should be fine to use the recorded login sequence - when it replays, it will just repeat your actions.

I've had a chat with our development team, and they've said this sort of use case is what they have built the recorded login functionality for. Rather than continually add support for every little "gotcha" (2fa, multiple submit buttons, multi-stage login, etc.), we allow the user to record exactly what they need to happen.
