Burp Suite User Forum


Test third party login page

Lalit | Last updated: Jun 29, 2020 11:05AM UTC

Hi team, In one of our projects, we have implemented a login page which calls an external API to load the HTML and validate if the user is registered with us or not. For login, we have to enter the user ID, password and OTP (the user receives it via phone/email). Once the user is logged in successfully, it loads the specific pages for the user. So how can I perform the security testing where the user has to enter his user ID, password and one-time password every time he logs in? Your early response is really appreciated. Thanks

Uthman, PortSwigger Agent | Last updated: Jun 29, 2020 11:42AM UTC

Hi Lalit, Unfortunately, the scanner does not support a login sequence with a third step like the one you describe. We are working on improvements for the scanner to allow a wider range of authentication processes to be handled (the recorded login feature on our roadmap: https://portswigger.net/blog/burp-suite-roadmap-for-2020). However, an OTP token is likely out of scope unless it is a static token that does not update every e.g. 30 seconds. If you scan the URL, does the scanner correctly identify your login form? Can you temporarily disable the OTP whilst you are testing the site? What type of testing are you trying to perform?
