Burp Suite User Forum


Sukhwinder | Last updated: Jul 02, 2021 06:39PM UTC

We know that login authentication is a must for crawling and scanning. So what are the different ways of authentication? For example, we need to provide just the login details and base URL, then it will do the crawling and scanning, and I also read about macros for the same. Can anyone explain all the different ways for the same?

Michelle, PortSwigger Agent | Last updated: Jul 05, 2021 08:57AM UTC

Thanks for your message. As a starting point you might find these articles useful. This first one explains the options for application logins (username and password and recorded login):

https://portswigger.net/burp/documentation/desktop/scanning/scan-launcher#application-login-options

These links discuss recorded login sequences in more detail:

https://portswigger.net/burp/documentation/desktop/scanning/recorded-logins
https://portswigger.net/blog/recorded-logins-in-burp-scanner

If you are scanning a site that uses platform authentication, this can also be configured within Burp:

https://portswigger.net/burp/documentation/desktop/options/connections#platform-authentication

If the site is more complex then you may find session handling rules and macros can be useful:

https://portswigger.net/burp/documentation/desktop/options/sessions
https://portswigger.net/support/configuring-burp-suites-session-handling-rules

I hope these resources help. If you have any questions as you start trying to set up authentication for your scans, please let us know.

Sukhwinder | Last updated: Jul 11, 2021 05:59PM UTC

Thanks Michelle for the reply. As I have manually crawled the website with the proxy, I have a set of URLs for scanning in the Target tab. Those URLs were captured after login with the proxy. Now I have closed the proxy. In the scan launcher, when I select only audit, it disables the application login tab. So during the scan, from where will the application be authenticated?

Sukhwinder | Last updated: Jul 11, 2021 06:10PM UTC

Summary of your post. Correct me if I missed something. There are three ways for login authentication. Launch the scanner, then users can use:

1. Application login with credentials
2. Authentication with recorded login
3. Macros

The above three can be used based on the login complexity of the website. I am also assuming that once we have authenticated for the crawl, it will automatically work for the scan as well.

Sukhwinder | Last updated: Jul 13, 2021 06:27AM UTC

Regarding the report: as we can extract the report severity-wise and URL-wise, there is one more category, confidence. So during the analysis of the issues report, I need more clarity on the issues. What does this mean?

1. Certain: what can I understand from Certain-type issues? What is the logic behind finding a Certain issue?
2. Firm: what can I understand from Firm-type issues? What is the logic behind finding a Firm issue?
3. Tentative: what can I understand from Tentative-type issues? What is the logic behind finding a Tentative issue?

Ben, PortSwigger Agent | Last updated: Jul 13, 2021 12:27PM UTC

Hi Sukhwinder,

With regards to your first forum post - Burp is capturing the requests generated whilst you are performing your manual crawl of the site and then simply using these existing, captured requests during the subsequent automatic audit that you perform. Session handling information that is captured in the initial requests would be reused for this auditing process so the option to authenticate at any point during this process is not available (Burp is not 'path aware' in this mode of operation and does not know how a certain location has been reached within a site). In this situation, if you are finding that Burp is not maintaining session (perhaps the session mechanisms have expired between the manual crawl and automated audit) then you would likely need to look into creating session handling rules to firstly determine if Burp is still authenticated during the audit and, if it is not, the steps to re-establish a session.

With regards to your second forum post - that sounds like a good summary of the situation. If you perform a full crawl and audit of your site then you can use either credential authentication or recorded login authentication in order to handle logging in during a scan (Burp is 'path aware' when performing a full crawl and audit so can rewalk paths in order to reach parts of your application and has the ability to automatically re-establish a session).

With regards to your third forum post - the following information should help you with the Issue Confidence levels:

- Tentative - The issue is potentially present but there is a high chance that this could be a false positive.
- Firm - The issue is probably present, but this could be a false positive.
- Certain - The issue is definitely present.

Sukhwinder | Last updated: Jul 14, 2021 04:21PM UTC

These days all applications are using stored procedures, not inline queries. SQL injections are not possible in .NET applications. When I ran Burp Suite on an application, Burp found some SQL injection issues, but those are not SQL injection issues; Burp inserted a query to expose the database. The following error was appearing:

The start_date parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the start_date parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Additionally, the payload '+(select*from(select(sleep(20)))a)+' was submitted in the start_date parameter. The application timed out when responding to the request, indicating that the injected SQL command caused a time delay.

My concern is that this is not an SQL injection issue; the server was delayed in responding due to the single quotes and double quotes, but Burp is still considering it an SQL injection issue. Why is this happening?
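
An added example, not part of the original posts and not Burp's own logic: one way to triage the time-delay evidence quoted in the issue text above from recorded re-test timings. A single timeout at a 20-second requested delay cannot separate an injected delay from a slow or hanging server, so the check asks whether the extra response time follows the requested delay. The function name, thresholds and timing samples are assumptions constructed for illustration.

```python
from statistics import median

def classify_delay(baseline, trials, timeout, tolerance=1.5):
    """Classify recorded timings for a time-delay SQL injection finding.

    baseline: response times (s) of the unmodified request.
    trials:   (requested_delay_s, observed_s) pairs from re-tests.
    timeout:  client timeout (s); observations at or past it are censored.
    """
    base = median(baseline)
    # Allowed error: fixed tolerance plus the spread seen in normal responses.
    slack = tolerance + (max(baseline) - min(baseline))
    usable = [(req, obs) for req, obs in trials if obs < timeout]
    reqs = {req for req, _ in usable}
    if len(reqs) < 2 or max(reqs) - min(reqs) <= 2 * slack:
        # Only timeouts, one delay value, or delays too close together:
        # a hang and an executed sleep look identical.
        return "inconclusive"
    if all(abs((obs - base) - req) <= slack for req, obs in usable):
        # Extra time matches each requested delay, including the 0 s control.
        return "delay-tracks-payload"
    extras = [obs - base for _, obs in usable]
    if max(extras) - min(extras) <= slack:
        # Same slowdown whatever delay was requested.
        return "delay-independent-of-payload"
    return "inconclusive"

# Constructed sample timings (seconds), not taken from the thread.
BASELINE = [0.21, 0.25, 0.19, 0.23]
REPORTED = [(20, 30.0)]                         # one request, hit a 30 s timeout
RETEST_TRACKS = [(0, 0.24), (5, 5.3), (10, 10.2)]
RETEST_FLAT = [(0, 8.1), (5, 7.9), (10, 8.4)]

if __name__ == "__main__":
    for name, data in [("reported", REPORTED),
                       ("retest A", RETEST_TRACKS),
                       ("retest B", RETEST_FLAT)]:
        print(name, "->", classify_delay(BASELINE, data, timeout=30.0))
```

A "delay-tracks-payload" result supports the finding; "delay-independent-of-payload" points to the input slowing or breaking the request without the delay value being honoured, which still warrants reviewing how the parameter reaches the database.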

Ben, PortSwigger Agent | Last updated: Jul 15, 2021 10:36AM UTC

Hi Sukhwinder, Are you able to send us some specific details of the requests that Burp is sending via email (you can send these to the support@portswigger.net address) so that we can see exactly what is happening?
