Adding usernames and passwords
Last updated: September 14, 2023
If your target uses a basic username and password-based login system, you can specify login credentials for Burp Scanner to use when scanning the site. This enables Burp Scanner to log in to the target application and access content that only authenticated users can usually see.
Adding a username and password works well for simple login forms with only two input fields. However, if your target uses a more complex login mechanism, you should use recorded login sequences instead.
You cannot use both credential types on a single scan.
You can manage login credentials from the Application login tab of the scan launcher. From here, you can:
- Add new sets of credentials to the scan.
- Edit existing sets of credentials.
- Import sets of credentials from the configuration library.
Adding login credentials
To specify username and password login credentials when configuring a scan:
- From the scan launcher's Application login tab, make sure that Use login credentials (username & password) is selected.
- Click New to display the New Login Credentials dialog.
- Enter a unique Label to identify this set of login credentials.
- Enter the Username and Password.
- Click OK.
Burp Suite adds the specified credentials to the list. You can specify more than one set of login credentials for each scan.
Editing existing login credentials
To edit an existing credential set, select it and click Edit. You can edit the following details:
To delete an existing credential set, select it and click Delete.
There are some additional options relating to authenticated scanning in the Login Functions section of the crawl configuration.
From here, you can configure:
- Whether Burp Scanner attempts to self-register a new user on the target website before performing the crawl.
- Whether Burp Scanner uses invalid credentials to deliberately trigger login failures.