Burp Suite User Forum

Why is the login failing despite giving proper credentials in Burp Enterprise Edition? Is there any extra setting required?

Shrimant | Last updated: Feb 24, 2020 12:57AM UTC

Hi, We are evaluating Burp Enterprise Edition to help us cover some valuable amount of security testing as a part of our CI. Before anything else, I tried to set up Burp Enterprise Edition and gave the URL of our application that requires login and then expected the Burp Enterprise Edition's crawler to do the scanning for me inside it. However, I later found that the login never succeeded. The credentials were valid and I was able to log in manually. Can you please help us here, as this is a big roadblock for us to proceed further. Thanks, Shrimant

Liam, PortSwigger Agent | Last updated: Feb 24, 2020 10:48AM UTC

Shrimant, if you can provide some additional details about your login page we'll do our best to troubleshoot this issue. Does your login page use JavaScript? If so, you could try turning on the experimental version of our crawler.

Shrimant | Last updated: Feb 24, 2020 04:49PM UTC

Thanks for the fast response. Yes, our login page does use JavaScript for sign in, forget password, stay-signed in and for validation. By the way, when you specify "experimental version of our crawler", do you mean the crawler that is a part of the trial version of Burp Enterprise Edition that I have downloaded? If so, I believe I had used the same after creating and configuring the 'site'.

Liam, PortSwigger Agent | Last updated: Feb 24, 2020 04:59PM UTC

No, we have released an experimental version of a new JavaScript crawling feature in Burp Suite Pro: http://releases.portswigger.net/2019/11/professional-2105.html

To use the experimental version in Burp Enterprise:

First, ensure that you are using Burp Scanner version 2.1.06 in the Settings > Updates page.

Next, turn on the experimental crawler feature in Burp Pro.

Save the Scan configuration and import it into Burp Enterprise as demonstrated in this tutorial: https://support.portswigger.net/customer/portal/articles/2973443-using-burp-suite-enterprise-creating-a-custom-scan-configuration

This feature is still in the experimental phase. It doesn't currently work well with all sites. You should see improvements in some JavaScript-heavy apps. Let us know if this helps and please let us know if you need any further assistance.

Shrimant | Last updated: Feb 25, 2020 01:51AM UTC

Thanks, I will try this and run the scan again after that. Will revert accordingly.

Shrimant | Last updated: Feb 25, 2020 10:33PM UTC

"First, ensure that you are using Burp Scanner version 2.1.06 in the Settings > Updates page."

For Burp Enterprise, when I go to the Settings > Updates page, I see the Burp Scanner v2020.1 version. Burp Scanner version 2.1.06 is Burp Pro edition. Right? I thought only Burp Enterprise Edition would be required. Also, I had the chance to get in touch with our UI team and they said that our login page is a regular aspx page just like most of the regular sites. Are we looking at the correct edition of Burp? Can you please point out the correct edition here?

By the way, I had configured the site as per your documentation: https://portswigger.net/burp/documentation/enterprise/reference/sites#site-configuration

Can you point us to a demo, or is there a way to set up a call with the Burp support team so as to have a clear understanding of our requirements? We are really looking forward to starting off our evaluation of Burp Enterprise Edition. But it's been quite confusing with the initial steps itself.

Liam, PortSwigger Agent | Last updated: Feb 26, 2020 09:57AM UTC

Burp Enterprise and Burp Pro use the same crawl and scan engine. You can see the version of Burp Scanner your version of Enterprise is using on the Updates page. The latest version is listed on our website: https://portswigger.net/burp/releases

We would recommend using the latest version. I should have said version 2.1.06 onward in my original message. Once this is configured correctly, you should see improvements in how Burp Enterprise handles JavaScript applications. It's worth noting that once this feature is released as a full native feature, you won't have to perform this configuration.

Support is normally provided via email only. However, if you email us at support@portswigger.net, I'll inform our Enterprise team that you require a call regarding the initial configuration.

Faraz | Last updated: May 23, 2021 12:01PM UTC

NOT ABLE TO LOGIN PLEASE HELP

Ben, PortSwigger Agent | Last updated: May 24, 2021 09:02AM UTC

Hi Faraz, Can you clarify what you are not able to log in to?

Vishal | Last updated: Feb 07, 2023 04:59AM UTC

Hi Team, I am facing an issue where both the Enterprise edition and Pro versions failed to log in with a recorded sequence as well as creds. I also noticed that even when I provide the creds to log in, Burp Pro tries its own random strings as username and password, which is not expected. How can I proceed with that?

Ben, PortSwigger Agent | Last updated: Feb 07, 2023 10:01AM UTC

Hi Vishal, In the first instance, if you test your recorded login with Burp Professional, does it successfully log in and end on the page that you are expecting it to? The following document details how to test your login sequences if you are unsure how to carry this out: https://portswigger.net/burp/documentation/desktop/scanning/recorded-logins#how-to-test-a-recorded-login-sequence

When using login credentials, Burp has a couple of default crawl settings enabled that will mean it both attempts to self-register a user and also attempts to trigger login failures (via invalid usernames) during the crawl phase of the scan (in addition to attempting to log in with the credentials that you have supplied). You would need to disable these settings with the crawl configuration settings if you do not wish this activity to take place. The following screenshot illustrates these settings for you: https://snipboard.io/3BCbTl.jpg
