Burp Suite User Forum

View users in Active Directory Security Group

Taylor | Last updated: Jul 21, 2020 01:16PM UTC

I greatly appreciate the development that has been going into Burp Suite, especially the latest update that brought LDAP authentication. With that said, my team members who use the application and I would love to see a few enhancements to that feature, such as being able to view which users are in a given Active Directory security group. Currently, in the Team -> Groups view it shows the number of users, e.g. "Users (2)", though when you click on the tab it only shows the text "Click here to add users..."

Uthman, PortSwigger Agent | Last updated: Jul 21, 2020 01:30PM UTC

Hi Taylor,

The Team > Groups tab will only show local users (i.e. non-AD users). The users in an AD security group will only be visible on the AD server itself. Do you have a specific use-case for this?

Taylor | Last updated: Jul 22, 2020 07:24PM UTC

I would like to be able to check which users are part of a particular group while in Burp Suite Enterprise vs. switching over to Active Directory for a quick glance. Another use case is if a non-admin user wants to see which users are in their user group within Burp, they aren't going to know to look at the user group in Active Directory. Thanks for hearing me out!

Uthman, PortSwigger Agent | Last updated: Jul 23, 2020 09:11AM UTC

Thank you for the request and further information. I have raised a feature request on your behalf. We will track the popularity of this and update the thread if/when the feature is implemented.

IT.SAM | Last updated: Mar 13, 2023 10:39AM UTC

I’d like to disable the internal users completely, as we don’t want to use local accounts for security reasons. We have added three groups in LDAP, which we have added as groups in Burp (i.e. Admin (has admin + site maintainer access), Viewer (Scan Viewer permission) and Scan Initiator (Scan initiator + Result editor permissions)). Currently, even though we have 5 users in the LDAP admin group who have admin permissions in the Burp application, we cannot disable the local administrator user. This is because the application requires at least one user with admin permissions.

Could you please advise on how we can achieve no local users in the Burp application and additionally see the users who have logged into the application at least once? This may translate into another requirement (i.e. I need to have audit history on user logins to the Burp Suite application for LDAP users; currently I have zero information on this from the application).

Alex, PortSwigger Agent | Last updated: Mar 13, 2023 11:31AM UTC

Hi Akamsiri,

As you have mentioned, you cannot disable the local Administration user, so you will always have at least one local user configured. This is to ensure access to the application is available in the event that a problem occurs with SSO integration.

Do you have a requirement to restrict the configuring of local users completely, or would the option of SSO users only being able to see an LDAP/SAML login page be suitable (so you would still have a local admin user, but your SSO users wouldn't be aware/see this option)?

Regarding user action auditing, we do have an open feature request and plan to implement this functionality. I don't have an exact time frame to share with you, but I have added your ticket to our tracker.

Best regards,
