PROFESSIONAL

Recorded login sequences

When configuring application logins for a scan, you can choose to import a recorded login sequence rather than just supplying basic user credentials. A recorded login sequence is essentially a set of instructions that tell Burp Scanner exactly how to log in to the website. Providing recorded login sequences allows Burp to successfully handle more complex authentication mechanisms, including:

Note

To enable Burp to handle some of these cases, the crawler will temporarily be allowed to follow out-of-scope links that are necessary for performing the login sequence. However, these locations will not be crawled or audited as part of the scan.

You can create recorded login sequences quickly and easily using our dedicated Chrome extension. The extension captures your interactions with the website while you perform the login sequence manually in your browser. It automatically generates a JSON-based "script", which you can then import in the "Application login" section of the scan launcher. When the scan begins an authenticated crawl, it will open a new browser session and use this script to replicate your actions, performing the full login sequence from scratch.

Limitations for recorded login sequences

Please be aware of the following limitations before deciding to use recorded login sequences:

How to record a login sequence for Burp Scanner

To record a login sequence that Burp Scanner can use for authenticated crawls, you use the Burp Suite Navigation Recorder extension. This comes preinstalled and ready to use with Burp's embedded browser. If you prefer to work with an external browser, you need to manually install and configure the extension.

  1. Open Burp's embedded browser or an external version of Chrome on which you've installed the Burp Suite Navigation Recorder extension.
  2. Click the extension icon and select "Start recording". A new incognito window opens.
  3. In the incognito window, browse to the target website. A red outline indicates that the window is being recorded.
  4. Complete the login sequence that you want to capture. Make sure that you enter the credentials that you want Burp to use during scans.
  5. Perform the rest of the login sequence as required. Make sure that you finish on a page that will be in scope for your scan.
  6. When you're done, click the extension icon again and select "Stop recording". The generated script is automatically copied to your clipboard. If you made a mistake, you can click the icon again to re-record the login sequence. If you accidentally lose the script from your clipboard, you can also copy the last recorded sequence.
  7. In Burp, go to the scan launcher and open the application login settings. Select the "Use recorded login sequences" option and click "New".
  8. Add a label to help you remember which login sequence this is. Finally, paste the data from your clipboard into the "Paste Script" field and click "OK". The recorded sequence is added to the list of application logins.

You can now repeat this process for each set of credentials that you want Burp to use. For example, you might record one login sequence in which you log in as a normal user and another sequence in which you log in as an administrator.
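Before pasting a recording into the scan launcher, it is worth a quick offline check of what the script will make the crawler visit: step 5 asks you to finish on an in-scope page, and the Note above explains that any out-of-scope hosts the login passes through (an SSO provider, for example) are followed only for the login itself and are not crawled or audited. The script below is an added example, not part of Burp Suite or the Navigation Recorder. Because this page does not document the recorder's JSON schema, the code assumes nothing about it beyond being valid JSON: it walks the whole document and collects every string value that is an http(s) URL, in recording order. The sample script, its key names and the hosts "app.example" and "idp.example" are all constructed for illustration. Scope here is matched on hostname only, which is coarser than Burp's own scope rules, and the last recorded URL is only a proxy for where the recording ended (a form submission that redirects elsewhere will not appear), so treat a passing result as a first check and confirm with the Replay button in the scan launcher. Since Burp replays the credentials you typed, the script carries them; store it with the same care as the password itself.

```python
"""Offline sanity check of a recorded login sequence before importing it.

Added example; not Burp Suite or Navigation Recorder code. The recorder's
JSON schema is not described on this page, so nothing below relies on it:
any JSON is walked and every http(s) URL string is collected.
"""
import json
from urllib.parse import urlsplit

# Constructed sample recording. The shape and key names are assumptions made
# for this example only, not the real recorder format.
SAMPLE_SCRIPT = json.dumps({
    "events": [
        {"name": "Navigate", "url": "https://app.example/login"},
        {"name": "Click", "selector": "#sso"},
        {"name": "Navigate", "url": "https://idp.example/authorize?client=app"},
        {"name": "Type", "selector": "#user", "value": "scanner"},
        {"name": "Type", "selector": "#pass", "value": "s3cret"},
        {"name": "Navigate", "url": "https://app.example/dashboard"},
    ]
})


def iter_urls(node):
    """Yield every http(s) URL string found anywhere in a parsed JSON value,
    in document order, regardless of the surrounding structure."""
    if isinstance(node, dict):
        for value in node.values():
            yield from iter_urls(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_urls(value)
    elif isinstance(node, str) and node.startswith(("http://", "https://")):
        yield node


def host_in_scope(url, scope_hosts):
    """Hostname-only scope test: exact match or a subdomain of a scope host.
    This is an assumption of the example; Burp scope rules can be finer."""
    host = urlsplit(url).hostname or ""
    return any(host == s or host.endswith("." + s) for s in scope_hosts)


def check_sequence(script_text, scope_hosts):
    """Report the recorded URLs, the last one (where the recording ended),
    whether it is in scope, and the out-of-scope hosts the crawler will be
    allowed to visit for the login only (they are not crawled or audited)."""
    urls = list(iter_urls(json.loads(script_text)))
    if not urls:
        raise ValueError("no URLs found; is this really a recorded sequence?")
    final = urls[-1]
    outside = sorted({
        urlsplit(u).hostname or "" for u in urls if not host_in_scope(u, scope_hosts)
    })
    return {
        "urls": urls,
        "final_url": final,
        "final_in_scope": host_in_scope(final, scope_hosts),
        "out_of_scope_hosts": outside,
    }


if __name__ == "__main__":
    # The script contains the typed credentials; do not log it wholesale.
    print(json.dumps(check_sequence(SAMPLE_SCRIPT, ["app.example"]), indent=2))
```

Run it against the script on your clipboard (saved to a file) with your scan's target hosts in place of "app.example". A `final_in_scope` of false means the recording ended outside the scope, which is exactly the situation step 5 warns against; a non-empty `out_of_scope_hosts` list tells you which third-party hosts the login depends on, so you can decide whether they should be added to scope or are acceptable as login-only detours.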

Recording login sequences using an external browser

Instead of using Burp's embedded browser to record login sequences, you can use an external version of Chrome. You just need to perform a couple of quick steps to install and configure the extension.

  1. Open Chrome and add the Burp Suite Navigation Recorder extension.
  2. In the upper-right corner of the browser, click on the icon for the extension. When prompted, click "Open settings".
  3. On the extension settings page, use the switch to enable the "Allow in Incognito" option. You can now use this browser to record a login sequence.

How to test a recorded login sequence

After you save a recorded login sequence, you can replay it to check that the recording accurately captured your interactions with the browser. This is useful for checking that new recordings are working as expected and for troubleshooting existing ones that are failing during scans.

  1. Go to the scan launcher and open the application login settings. Select "Use recorded login sequences".
  2. Either upload a new recorded login sequence or load an existing one from your configuration library.
  3. Select the login sequence that you want to test and click the "Replay" button. Burp's embedded browser will open.
  4. In the embedded browser, you should see Burp automatically navigate to the target website and begin performing the login sequence that you recorded. This all happens fairly quickly. You should avoid any manual interaction with the browser while it is replaying the sequence as this could interfere with the test.
  5. When Burp finishes replaying the recording, it will pause on the final page for several seconds before closing the browser window. This should be long enough for you to see where the login sequence stopped. If everything worked correctly, this will be the page that you normally see after successfully logging in. Otherwise, it may provide clues as to which stage of the process is causing problems.

Troubleshooting recorded login sequences

You might find that Burp Scanner is sometimes unable to replay a recorded login sequence during the scan. Although this won't cause the scan to fail completely, it will prevent it from performing an authenticated crawl. There are several steps you can take to troubleshoot these issues.