The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.


too many login attempt retries for a captcha protected site during automated scanning

Jennifer | Last updated: Oct 20, 2021 04:23PM UTC

I am not sure whether this is a bug or not. I was scanning a client's web app/URL that has a login with credentials plus captcha. I had manually spidered the site for this reason, using credentials and manual captcha obviously. I know from reading your documentation that automated scanning typically will not make it past captcha. I decided to try an automated scan on it anyway, once I had a site map of my target, using right click (in the site map of target) "actively scan this host". This is a fairly interactive website with embedded/constantly changing videos, etc. By the time the scan concluded, there were something like over 100K requests sent by Burp as part of the scan, and ultimately the client emailed me and said "hey we have so far 12,000 requests from you to access our site without logging in" and "can you please stop" :) Seems like Burp would give up before 12,000. I suspect that this is because each time it tried to access something different behind captcha, the client got that error/notice. But still. Thoughts? Do you think this is what was happening? Is there a way to confirm my theory? Thank you!

Ben, PortSwigger Agent | Last updated: Oct 21, 2021 09:59AM UTC