Last updated: August 3, 2021
When configuring application logins for a scan, you can choose to import a recorded login sequence rather than just supplying basic user credentials. A recorded login sequence is essentially a set of instructions that tell Burp Scanner exactly how to log in to the website. Providing recorded login sequences allows Burp to successfully handle more complex authentication mechanisms, including:
To enable Burp to handle some of these cases, the crawler will temporarily be allowed to follow out-of-scope links that are necessary for performing the login sequence. However, these locations will not be crawled or audited as part of the scan.
You can create recorded login sequences quickly and easily using our dedicated Chrome extension. The extension captures your interactions with the website while you perform the login sequence manually in your browser. It automatically generates a JSON-based "script", which you can then import in the "Application login" section of the scan launcher. When the scan begins an authenticated crawl, it will open a new browser session and use this script to replicate your actions, performing the full login sequence from scratch.
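Because the crawler is temporarily allowed to follow out-of-scope locations that the login sequence needs, it is worth knowing which hosts a recording references before importing it. The following added example (not PortSwigger's code, and the sample recording is a constructed document, not the Navigation Recorder's real schema) walks every string value in a recorded login JSON, collects the hostnames of any http(s) URLs, and reports those outside the scan's target scope:

```python
import json
from urllib.parse import urlparse

# Constructed sample recording for illustration only. This is NOT the
# Navigation Recorder's real format; the walker below is schema-agnostic
# and simply inspects every string value in the document.
SAMPLE_RECORDING = json.dumps({
    "events": [
        {"type": "navigate", "url": "https://sso.example.net/login"},
        {"type": "type", "selector": "#user", "value": "alice"},
        {"type": "click", "selector": "#submit"},
        {"type": "navigate", "url": "https://app.example.com/dashboard"},
    ]
})


def _strings(node):
    """Yield every string value found anywhere in a parsed JSON tree."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)


def hosts_in_recording(script: str) -> set:
    """Return the lower-cased hostnames of all http(s) URLs in the recording."""
    hosts = set()
    for text in _strings(json.loads(script)):
        parsed = urlparse(text)
        if parsed.scheme in ("http", "https") and parsed.hostname:
            hosts.add(parsed.hostname.lower())
    return hosts


def out_of_scope_hosts(script: str, scope_hosts) -> set:
    """Hosts the login sequence touches that are not in the scan's target scope.

    Burp lets the crawler follow these only to complete the login; they are
    not crawled or audited, so review them before importing the recording.
    """
    scope = {host.lower() for host in scope_hosts}
    return {host for host in hosts_in_recording(script) if host not in scope}


if __name__ == "__main__":
    extra = out_of_scope_hosts(SAMPLE_RECORDING, ["app.example.com"])
    print("login sequence touches out-of-scope hosts:", sorted(extra))
```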
Please be aware of the following limitations before deciding to use recorded login sequences:
To record a login sequence that Burp Scanner can use for authenticated crawls, you use the Burp Suite Navigation Recorder extension. This comes preinstalled and ready to use with Burp's embedded browser. If you prefer to work with an external browser, you need to manually install and configure the extension.
You can now repeat this process for each set of credentials that you want Burp to use. For example, you might record one login sequence in which you log in as a normal user and another sequence in which you log in as an administrator.
Instead of using Burp's embedded browser to record login sequences, you can use an external version of Chrome. You just need to perform a couple of quick steps to install and configure the extension.
After you save a recorded login sequence, you can replay it to check that the recording accurately captured your interactions with the browser. This is useful for checking that new recordings are working as expected and for troubleshooting existing ones that are failing during scans.
You might find that Burp Scanner is sometimes unable to replay a recorded login sequence during the scan. Although this won't cause the scan to fail completely, it will prevent it from performing an authenticated crawl. There are several steps you can take to troubleshoot these issues.