DAST
Using recorded logins
Last updated: October 30, 2025
A recorded login sequence is a set of instructions that tell Burp Scanner how to log in to a particular web app. Recorded login sequences enable Burp Scanner to audit content that only authenticated users can usually see, even on web apps that use complex login mechanisms such as Single Sign-On.
This section explains how to add login sequences to a new or existing site. For information on how to record the sequences themselves, see Recording login sequences (Scanner).
Note
If your web app uses a basic username and password-based authentication mechanism, you should consider adding username and password credentials rather than adding a recorded login sequence. Using username and password credentials can improve scan times and reduce the likelihood of errors. You cannot use both authentication methods on a single web app in Burp Suite DAST.
Status checker
If you want to make sure Burp Scanner can access authenticated content, use the status checker to check that Burp Scanner stays logged in throughout the scan. The status checker periodically checks the URL you specify and looks for text that only appears if you're still logged in.
If the status checker detects that authentication has failed during the scan, it will show you a message to help you understand and fix the issue. If the status checker fails during a pre-scan check, you can also see a screenshot and the HTTP response.
You can configure the status checker when you add a recorded login.
Confirmation text options
In the Confirmation text field, you can use plain text, XPath expressions, or CSS selectors to identify elements that confirm you're logged in. This is particularly useful if you scan single page applications, because it enables you to target specific page elements.
Here are some examples of confirmation text you can use:
- Plain text: Welcome back - Looks for this text anywhere on the page.
- CSS selector: a[href="/account"] - Looks for a link to an account page.
- XPath selector: //button[text()='Log out'] - Looks for a "Log out" button.
Finding CSS or XPath selectors
Using CSS or XPath selectors can make status checks more reliable, especially on dynamic sites. They enable Burp Scanner to target specific elements that only appear when you're logged in, instead of relying on visible text.
You can identify CSS or XPath selectors for your confirmation text by using your browser's developer tools.
To find a CSS selector:
- Open your site in your browser.
- Right-click the element you want Burp Scanner to look for, and select Inspect.
- In the developer tools panel, make sure the correct element is highlighted.
- Right-click the highlighted code, and select Copy > Copy selector.
- Paste the selector into the Confirmation text field in Burp Suite DAST.
To find an XPath selector:
- Open your site in your browser.
- Right-click the element you want Burp Scanner to look for, and select Inspect.
- In the developer tools panel, make sure the correct element is highlighted.
- Right-click the highlighted code, and select Copy > Copy XPath.
- Paste the XPath into the Confirmation text field in Burp Suite DAST.
Note
If both selector types are available, use the CSS selector. CSS selectors are generally shorter, easier to read, and work well with most modern web apps.
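As an added example (not PortSwigger's code, and not how Burp Scanner implements its status checker), the following Python script evaluates the three confirmation-text forms shown above against two constructed pages. It supports only the selector shapes used on this page (plain text, a tag[attr="value"] CSS attribute selector, and an //tag[text()='...'] XPath expression) and illustrates why a selector is more reliable than plain text: the logged-out sample page also contains the words "Welcome back", so the plain-text check passes on it while both selector checks correctly fail.

```python
"""Added example (not PortSwigger's code): a minimal status checker that
evaluates a confirmation string against an HTML page in the spirit of the
three examples above. Only the selector shapes used on this page are
supported: plain text, tag[attr="value"] CSS attribute selectors and
//tag[text()='...'] XPath expressions. The sample pages are constructed."""
import re
from html.parser import HTMLParser

# Elements that never have a closing tag; they must not be pushed on the stack.
_VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
              "link", "meta", "source", "track", "wbr"}


class _PageElements(HTMLParser):
    """Collect [tag, attributes, direct text] for every element in a page."""

    def __init__(self):
        super().__init__()
        self.elements = []   # each entry: [tag, {attr: value}, direct text]
        self._open = []      # indexes into self.elements of open elements

    def handle_starttag(self, tag, attrs):
        self.elements.append([tag, dict(attrs), ""])
        if tag not in _VOID_TAGS:
            self._open.append(len(self.elements) - 1)

    def handle_startendtag(self, tag, attrs):
        # <br/> style: record the element; it has no children.
        self.elements.append([tag, dict(attrs), ""])

    def handle_endtag(self, tag):
        if tag not in _VOID_TAGS and self._open:
            self._open.pop()

    def handle_data(self, data):
        # Text belongs to the innermost open element, matching XPath text().
        if self._open:
            self.elements[self._open[-1]][2] += data


# tag[attr="value"]        e.g. a[href="/account"]
_CSS_ATTR = re.compile(r'^([A-Za-z][\w-]*)\[([\w-]+)="([^"]*)"\]$')
# //tag[text()='value']    e.g. //button[text()='Log out']
_XPATH_TEXT = re.compile(r"^//([A-Za-z][\w-]*)\[text\(\)='([^']*)'\]$")


def confirmation_matches(html, confirmation):
    """Return True if the confirmation text or selector is found in html."""
    page = _PageElements()
    page.feed(html)
    page.close()

    xpath = _XPATH_TEXT.match(confirmation)
    if xpath:
        tag, wanted = xpath.groups()
        return any(t == tag and text.strip() == wanted
                   for t, _, text in page.elements)

    css = _CSS_ATTR.match(confirmation)
    if css:
        tag, attr, value = css.groups()
        return any(t == tag and attrs.get(attr) == value
                   for t, attrs, _ in page.elements)

    # Plain text: look anywhere in the page's text content.
    visible_text = " ".join(text for _, _, text in page.elements)
    return confirmation in visible_text


def status_report(html, confirmations):
    """Evaluate each confirmation string against the page; returns a dict."""
    return {c: confirmation_matches(html, c) for c in confirmations}


# Constructed sample pages for the demo (not captured from any real site).
LOGGED_IN_PAGE = """<html><body>
<p>Welcome back, alice</p>
<nav><a href="/account">My account</a> <button>Log out</button></nav>
</body></html>"""

LOGGED_OUT_PAGE = """<html><body>
<h1>Welcome back! Please sign in</h1>
<form action="/login"><input name="user"><button>Log in</button></form>
</body></html>"""

CONFIRMATIONS = ["Welcome back", 'a[href="/account"]', "//button[text()='Log out']"]

if __name__ == "__main__":
    for name, page in (("logged in", LOGGED_IN_PAGE), ("logged out", LOGGED_OUT_PAGE)):
        print(name, status_report(page, CONFIRMATIONS))
```

Running the script shows the plain-text check reporting True for both pages, while the CSS and XPath checks report True only for the logged-in page. In a real scan a false positive like this would let the status checker believe the session is still authenticated after it has actually expired, so the scan would silently audit only unauthenticated content.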
Adding recorded logins
You can add a recorded login to new or existing sites, with or without configuring the status checker.
Adding recorded logins to new sites
To add a recorded login sequence when you add a new web app site:
- On the top menu, select Sites > Add a new site to display the Create a new site page.
- In the Scan settings section, select Authentication > Application logins.
- Select Recorded login sequences.
- Click Add a recorded login sequence.
- In the dialog box, enter a unique Label to identify this recorded login.
- Paste the login script into the Paste script field.
- Configure the status checker to monitor authentication during the scan:
- Click the Status checker tab.
- In the URL field, enter a URL where Burp Scanner can check that you're still logged in.
- In the Confirmation text field, enter text that the scanner can look for to confirm you're logged in.
- Click Finish to close the dialog box.
- Click Save. The recorded sequence is added to the list of application logins for the site.
Note
Burp Scanner always uses Burp's browser to perform recorded login sequences when scanning, even if you have not selected Use Burp's browser for crawl and audit in your scan configuration.
Adding recorded logins to existing sites
To add a recorded login sequence for an existing web app:
- On the top menu, select Sites to display the site tree.
- Select the web app site you want to add the recorded login sequence to.
- Select the Details tab and click Edit.
- In the Scan settings section, select Authentication > Application logins.
- Select Recorded login sequences.
- Click Add a recorded login sequence.
- In the dialog box, enter a unique Label to identify this recorded login.
- Paste the login script into the Paste script field.
- Configure the status checker to monitor authentication during the scan:
- Click the Status checker tab.
- In the URL field, enter a URL where Burp Scanner can check that you're still logged in.
- In the Confirmation text field, enter text that the scanner can look for to confirm you're logged in.
- Click Finish to close the dialog box.
- Click Save. The recorded sequence is added to the list of application logins for the site.
To add another recorded login, click the plus button and repeat steps 7 to 9.
To delete a recorded login, click the trash icon.
Reviewing a recorded login
When you run a pre-scan check, Burp Suite DAST captures images from your recorded login sequences. You can review the images from each sequence, to make sure that they successfully log in to the site.
Note
To view a recorded login sequence, you need permission for the site to View site application login details. For more information, see Role-based access control.
To grant users permission to view recorded logins, an admin user needs to:
- Create a new role that has permission to View sites, View site details, and View site application login details.
- If the role also needs to enable users to run pre-scan checks, give permission to Edit sites and folders.
- Create a new group that contains the new role, the appropriate users, and any site restrictions.
- Ask the users to sign out and sign in again, for the changes to take effect.
To review your recorded login sequences:
- From the Sites menu, select a web app site.
- In the Pre-scan check menu, click Run pre-scan check. Wait for the pre-scan check to complete.
- Expand the Pre-scan check menu and go to the Recorded logins tab.
- To review a specific recorded login sequence, click Review replay.
- Review the images of the recorded login replay, to make sure that the login is successful.
Note
You will see an error message if there is an error with the script for the recorded login or the status checker.
Recorded login images are only stored for 14 days. After this period, you need to run a new pre-scan check in order to review your login sequence.
If the status checker fails, you can view a screenshot of the page where Burp Scanner looked for your confirmation text:
- Click Recorded logins.
- Next to Status, click View response.
- An image of the page and the HTTP response are displayed. Click Download to save a copy of the HTTP response.
Editing recorded logins
You can edit existing recorded login sequences without having to delete and recreate them. This is useful when you need to update authentication credentials, modify the login script, or adjust the status checker settings.
Note
To edit a recorded login sequence, you need permissions for the site to View site application login details and Edit site application logins. For more information, see Role-based access control.
To edit a recorded login sequence:
- Select the site's Details tab and click Edit.
- In Scan settings > Authentication, click the pencil icon next to the recorded login sequence you want to modify.
- In the Edit recorded login dialog, update the JSON-based script that contains the recorded actions if necessary. You can also change the label for the recorded login.
- Click Next.
- Modify the URL and confirmation text used to verify the authentication status during scans.
- Click Finish to close the dialog box.
- Click Save to apply your changes.