Recorded login sequences
When configuring application logins for a scan, you can choose to import a recorded login sequence rather than just supplying basic user credentials. A recorded login sequence is essentially a set of instructions that tell Burp Scanner exactly how to log in to the website. Providing recorded login sequences allows Burp to successfully handle more complex login processes, including:
- Single sign-on
- Multi-step login where the username and password are not entered in the same form
- Login forms that contain extra fields, checkboxes, and so on.
To enable Burp to handle some of these cases, the crawler will temporarily be allowed to follow out-of-scope links that are necessary for performing the login sequence. However, these locations will not be crawled or audited as part of the scan.
You can create recorded login sequences quickly and easily using our dedicated Chrome extension. The extension captures your interactions with the website while you perform the login sequence manually in your browser. It automatically generates a JSON-based "script", which you can then import in the "Application login" section of the scan launcher. When the scan begins an authenticated crawl, it will open a new browser session and use this script to replicate your actions, performing the full login sequence from scratch.
Please be aware of the following limitations:
- Recorded logins are not compatible with two-factor authentication, character-select passwords, or CAPTCHA.
- When using recorded logins, Burp Scanner will not be able to self-register users or deliberately trigger login failures by submitting invalid credentials. As a result, any "Login functions" crawl settings from your scan configuration will be ignored.
- Currently, Burp Scanner is unable to replay login sequences that rely on popups or
- Depending on your authentication system, the repeated logins made during the scan may be flagged as suspicious. This could trigger additional authentication steps or anti-robot measures that the crawler is unable to handle. In this case, we recommend running the scan on a test instance with these checks disabled.
- Recorded logins are only compatible with browser-powered scans using Burp's embedded browser. If Burp fails to initialize the embedded browser during the crawl, it will fall back to the previous crawler engine and ignore any recorded logins that you have created. You should check the event log and Embedded Browser Health Check tool (available from the "Help" menu) for details.
How to record a login sequence for Burp Scanner
To record a login sequence that Burp Scanner can use for authenticated crawls, you need to perform the following steps:
- Open Burp's embedded browser, or an external version of Chrome, and add the Burp Suite Navigation Recorder extension. Note that if you use the embedded browser, you will have to re-install the extension each time you open a new browser session.
- In the upper-right corner of the browser, click on the icon for the extension. When prompted, click "Open settings" and enable the "Allow in Incognito" option.
- Click on the extension again and select "Start recording". A new incognito window opens.
- In the incognito window, browse to the target website. A red outline indicates that the window is being recorded.
- Complete the login sequence that you want to capture. Make sure that you enter the credentials that you want Burp to use during scans.
- When you're done, click the extension icon again and select "Stop recording". The generated script is automatically copied to your clipboard. If you made a mistake, you can click the icon again to re-record the login sequence. If you accidentally lose the script from your clipboard, you can also copy the last recorded sequence.
- In Burp, go to the scan launcher and open the application login settings. Select the "Use recorded login sequences" option and click "New".
- Add a label to help you remember which login sequence this is. Finally, paste the data from your clipboard into the "Paste Script" field and click "OK". The recorded sequence is added to the list of application logins.
You can now repeat this process for each set of credentials that you want Burp to use. For example, you might record one login sequence in which you log in as a normal user and another sequence in which you log in as an administrator.
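Because the recorded script has to carry the credentials you typed so that the crawler can replay the login from scratch, it should be handled as a secret, and because the crawler is only temporarily allowed onto out-of-scope hosts to complete the login, it helps to know which hosts a sequence touches before importing it. The following Python is an added example, not code from PortSwigger, Burp Suite or the Navigation Recorder extension. It models a recorded sequence as a simplified, hypothetical JSON object with a "steps" list of navigate/type/click entries (this is an assumption for illustration, not the extension's actual output format) and a constructed sample of a two-step SSO login, and shows three checks a practitioner would run before importing or sharing a script: structural validation, listing the hosts outside the scan scope that the login hops through, and redacting the typed credentials.

```python
"""Sanity-check a recorded login script before importing it into Burp Scanner.

Added example, not part of Burp Suite or the Navigation Recorder extension.
Assumption: the script is modelled as a JSON object with a "steps" list of
{"action": "navigate"|"type"|"click", ...} entries. This is a simplified,
hypothetical representation, not the extension's real output format.
"""
import json
from urllib.parse import urlparse

# Constructed sample: username and password entered on separate pages, with a
# hop to an out-of-scope identity provider (the single sign-on case).
SAMPLE_SCRIPT = json.dumps({
    "steps": [
        {"action": "navigate", "url": "https://app.example.com/login"},
        {"action": "click", "selector": "#sso-login"},
        {"action": "navigate", "url": "https://idp.example.org/auth?client=app"},
        {"action": "type", "selector": "input[name=username]", "value": "alice"},
        {"action": "click", "selector": "#next"},
        {"action": "type", "selector": "input[name=password]", "value": "S3cret!"},
        {"action": "click", "selector": "#submit"},
        {"action": "navigate", "url": "https://app.example.com/dashboard"},
    ]
})

# Fields each hypothetical action must carry to be replayable.
REQUIRED_FIELDS = {
    "navigate": {"url"},
    "type": {"selector", "value"},
    "click": {"selector"},
}


def parse_script(text):
    """Parse and validate the script; raise ValueError on anything unreplayable."""
    data = json.loads(text)
    steps = data.get("steps") if isinstance(data, dict) else None
    if not isinstance(steps, list) or not steps:
        raise ValueError("script has no steps")
    for i, step in enumerate(steps):
        if not isinstance(step, dict):
            raise ValueError(f"step {i}: not an object")
        action = step.get("action")
        if action not in REQUIRED_FIELDS:
            raise ValueError(f"step {i}: unknown action {action!r}")
        missing = REQUIRED_FIELDS[action] - set(step)
        if missing:
            raise ValueError(f"step {i}: missing {sorted(missing)}")
    return steps


def hosts_outside_scope(steps, in_scope_hosts):
    """Hosts visited only to complete the login; Burp will not crawl or audit them."""
    seen = []
    for step in steps:
        if step["action"] == "navigate":
            host = urlparse(step["url"]).hostname
            if host not in in_scope_hosts and host not in seen:
                seen.append(host)
    return seen


def ends_in_scope(steps, in_scope_hosts):
    """True if the last navigation lands back on an in-scope host (login completed)."""
    last = [s for s in steps if s["action"] == "navigate"]
    return bool(last) and urlparse(last[-1]["url"]).hostname in in_scope_hosts


def typed_values(steps):
    """Every value the recorder typed; this is where the credentials live."""
    return [s["value"] for s in steps if s["action"] == "type"]


def redact(steps, secrets):
    """Return a copy safe to share, with secret typed values replaced."""
    out = []
    for s in steps:
        s = dict(s)
        if s["action"] == "type" and s["value"] in secrets:
            s["value"] = "<REDACTED>"
        out.append(s)
    return out


if __name__ == "__main__":
    steps = parse_script(SAMPLE_SCRIPT)
    scope = {"app.example.com"}
    print("login-only hosts:", hosts_outside_scope(steps, scope))
    print("ends in scope:", ends_in_scope(steps, scope))
    print("typed values (treat as secrets):", typed_values(steps))
    print(json.dumps(redact(steps, {"S3cret!"}), indent=2))
```

Run it against a script of your own only after adapting `REQUIRED_FIELDS` and the field names to the actual structure of the recorder's output; the point is the checks (does the script parse, which hosts are login-only, and where the plaintext password sits), not the hypothetical schema.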