Recorded login sequences

When configuring application logins for a scan, you can choose to import a recorded login sequence rather than just supplying basic user credentials. A recorded login sequence is essentially a set of instructions that tell Burp Scanner exactly how to log in to the website. Providing recorded login sequences allows Burp to successfully handle more complex login processes, including:

Note

To enable Burp to handle some of these cases, the crawler will temporarily be allowed to follow out-of-scope links that are necessary for performing the login sequence. However, these locations will not be crawled or audited as part of the scan.

You can create recorded login sequences quickly and easily using our dedicated Chrome extension. The extension captures your interactions with the website while you perform the login sequence manually in your browser. It automatically generates a JSON-based "script", which you can then import in the "Application login" section of the scan launcher. When the scan begins an authenticated crawl, it will open a new browser session and use this script to replicate your actions, performing the full login sequence from scratch.

Please be aware of the following limitations:

How to record a login sequence for Burp Scanner

To record a login sequence that Burp Scanner can use for authenticated crawls, you need to perform the following steps:

  1. Open Burp's embedded browser, or an external version of Chrome, and add the Burp Suite Navigation Recorder extension. Note that if you use the embedded browser, you will have to re-install the extension each time you open a new browser session.
  2. In the upper-right corner of the browser, click on the icon for the extension. When prompted, click "Open settings" and enable the "Allow in Incognito" option.
  3. Click on the extension again and select "Start recording". A new incognito window opens.
  4. In the incognito window, browse to the target website. A red outline indicates that the window is being recorded.
  5. Complete the login sequence that you want to capture. Make sure that you enter the credentials that you want Burp to use during scans.
  6. When you're done, click the extension icon again and select "Stop recording". The generated script is automatically copied to your clipboard. If you made a mistake, you can click the icon again to re-record the login sequence. If you accidentally lose the script from your clipboard, you can also copy the last recorded sequence.
  7. In Burp, go to the scan launcher and open the application login settings. Select the "Use recorded login sequences" option and click "New".
  8. Add a label to help you remember which login sequence this is. Finally, paste the data from your clipboard into the "Paste Script" field and click "OK". The recorded sequence is added to the list of application logins.

You can now repeat this process for each set of credentials that you want Burp to use. For example, you might record one login sequence in which you log in as a normal user and another sequence in which you log in as an administrator.
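
Because the crawler is allowed to follow out-of-scope links that the login needs, it is worth reviewing which hosts a recorded script touches before pasting it into the "Paste Script" field. The following is an added example, not PortSwigger's code: it checks that the copied text is valid JSON and lists every host outside a scope you supply. It does not depend on the script's schema; the sample script, its field names and the hosts are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample. Field names are assumptions, not the extension's documented schema.
SAMPLE_SCRIPT = """[
  {"eventType": "goto", "url": "https://app.example.test/login"},
  {"eventType": "typing", "typedValue": "user@example.test"},
  {"eventType": "click", "url": "https://sso.example.net/authorize?client=app"},
  {"eventType": "click", "url": "https://app.example.test/account"}
]"""


def iter_strings(node):
    """Yield every string value found anywhere in a parsed JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_strings(item)


def hosts_in_script(script_text):
    """Parse the script and return the hosts of all http(s) URL values in it."""
    try:
        data = json.loads(script_text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"clipboard content is not valid JSON: {exc}") from exc
    hosts = set()
    for text in iter_strings(data):
        try:
            parts = urlsplit(text)
        except ValueError:
            continue  # not a parseable URL, e.g. a typed value with stray brackets
        if parts.scheme in ("http", "https") and parts.hostname:
            hosts.add(parts.hostname.lower())
    return hosts


def out_of_scope_hosts(script_text, in_scope):
    """Return, sorted, the hosts in the script that are not in the given scope."""
    scope = {h.lower() for h in in_scope}
    return sorted(hosts_in_script(script_text) - scope)


if __name__ == "__main__":
    print(out_of_scope_hosts(SAMPLE_SCRIPT, ["app.example.test"]))
```

Scope matching here is by exact host name; pass every host you consider in scope for the scan.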