Burp Suite User Forum

Verify Authentication for Enterprise Edition

Security | Last updated: Mar 31, 2020 06:39PM UTC

I expect to see authentication details in /var/log/BurpSuiteEnterpriseEdition/enterpriseAgentAccess.log - however, I do not see any details being populated for scans for which I provide login details. Need to validate that the scan is going forward w/ authentication as expected.

Michelle, PortSwigger Agent | Last updated: Apr 01, 2020 11:34AM UTC

If you view one of the scans, click on the 'More actions' button at the top right and choose 'Download event log', do the event logs show if the crawl has found the login form and show which username was used for the crawl?

Security | Last updated: Apr 01, 2020 03:19PM UTC

Hey Michelle,

There it is! I guess I could make a custom scan that has very little info to try and get that information on the fly? I don't wanna wait for a scan to complete before I know the auth failed and it's just scanning a login page.

Separately - why would Burp not be able to find a login if it's being set directly to one? I've tried two sites with logins that are present but are not being picked up. I don't see auth failure; I see 'Did not find a login form' and 'Did not find a registration form'.

https://cyxterafed.servicenowservices.com/csm
https://cyxterafed.servicenowservices.com/csm?id=csm_login

Security | Last updated: Apr 01, 2020 08:50PM UTC

Double Post -- These forms appear to use JavaScript; is that a factor in the authentication failure?

Michelle, PortSwigger Agent | Last updated: Apr 02, 2020 08:24AM UTC

If JavaScript is used then that can be a factor in whether or not the Scanner is able to find the login form, so it can be useful to test whether you can log into the site with JavaScript disabled.

If JavaScript has to be enabled for the login to work, we have been developing browser-driven navigation to improve on this and this is on our roadmap for this year: https://portswigger.net/blog/burp-suite-roadmap-for-2020

We have started to include an experimental version of this in recent Burp Professional releases, so if you have access to Burp Professional you could run a test crawl in Burp Professional to confirm the login form is found.
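Added example, not part of the thread and not Burp's own detection logic: a rough offline check of whether a login form is present in the HTML the server returns before any JavaScript runs, which is what the "test with JavaScript disabled" advice above is probing. The sample pages, the class and function names, and the verdict strings are constructed for illustration.

```python
from html.parser import HTMLParser

class LoginFormFinder(HTMLParser):
    """Finds forms with a password input in server-delivered (static) HTML."""
    def __init__(self):
        super().__init__()
        self.forms = []            # forms that contain a password field
        self.loose_passwords = 0   # password inputs not wrapped in a <form>
        self.scripts = 0           # <script> tags: hint that the DOM is built client-side
        self._form = None          # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").lower(),
                          "fields": [], "password": False}
        elif tag == "input":
            is_password = (a.get("type") or "text").lower() == "password"
            if self._form is not None:
                self._form["fields"].append(a.get("name") or "")
                self._form["password"] |= is_password
            elif is_password:
                self.loose_passwords += 1
        elif tag == "script":
            self.scripts += 1

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form["password"]:
                self.forms.append(self._form)
            self._form = None

def assess(html):
    """Return (verdict, login_forms) for one page of static HTML."""
    finder = LoginFormFinder()
    finder.feed(html)
    finder.close()
    if finder.forms:
        return "static-login-form", finder.forms
    if finder.loose_passwords:
        return "password-field-outside-form", []
    if finder.scripts:
        return "no-form-in-static-html-scripts-present", []
    return "no-login-form", []

# Constructed sample pages (not taken from any real site).
STATIC_PAGE = ('<form action="/login" method="POST"><input name="user">'
               '<input type="password" name="pass"></form>')
JS_PAGE = '<div id="app"></div><script src="/app.js"></script>'
```

A verdict of `no-form-in-static-html-scripts-present` on a saved copy of the login page is consistent with a crawl event log reporting 'Did not find a login form' even though a form is visible in a normal browser.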
