Horst | Last updated: Dec 23, 2019 06:59PM UTC

Hello! I urgently need your help! I am trying to get all sites from a website, but apparently the restricted section of this website is not shown in my site map, even though I am passing the credentials to Burp while scanning. Thanks for your help.

Liam, PortSwigger Agent | Last updated: Dec 24, 2019 03:24PM UTC

Horst, which version of Burp are you using? How are you passing the credentials to Burp?

Burp User | Last updated: Dec 28, 2019 09:19AM UTC

I am using Burp Professional v2.1.04, and I am passing the credentials to Burp within a new scan (Scan and Audit), in the Application Login part.

Hannah, PortSwigger Agent | Last updated: Jan 02, 2020 08:40AM UTC

Does the site you are attempting to scan use JavaScript in order to log in? If you disable JavaScript, are you still able to log in as normal?

Burp User | Last updated: Jan 02, 2020 03:26PM UTC

Yes, I disabled JavaScript, and the website and the login still worked.

Hannah, PortSwigger Agent | Last updated: Jan 02, 2020 03:26PM UTC

Is it a simple logon (i.e. just username and password) or are there other steps involved? If you passively scan the website, are you able to see the traffic details come through your proxy and populate your site map? (New live task > Live passive crawl > Navigate the website in your proxied browser)

Burp User | Last updated: Jan 04, 2020 09:02AM UTC

Yes, it's just a simple login, I just need to provide username and password. If I passively scan the website, the private content can be viewed.

Ben, PortSwigger Agent | Last updated: Jan 06, 2020 10:45AM UTC

Hi, is the website that you are having issues with public-facing and, if so, are you able to give us details of the site (if you would prefer to do this by sending an email to support@portswigger.net then please feel free)? There is a possibility that Burp is not recognizing the login page and, therefore, not applying the credentials during the crawl phase, but if it is a simple username/password login with no JavaScript involved then this would seem unlikely. If you can provide us with further details of the site then we can investigate this. If this is not going to be possible, then you could look to install the Logger++ extension, rerun the scan and monitor the requests that are being sent to check whether Burp is attempting to perform a login.

