Best practice for recording login sequences
Last updated: November 25, 2022
Read time: 3 Minutes
While the Burp Suite Navigation Recorder Chrome extension is easy to use in itself, successfully recording a login sequence for a sophisticated authentication mechanism can be a complex process.
We have compiled some advice that should help you when recording your login sequences.
Limitations of recorded login sequences
Although recorded login sequences are intended to handle a wide variety of login mechanisms, they do have some limitations:
- Recorded logins are only compatible with browser-powered scans. If Burp Scanner cannot initialize its browser then the scan cannot start.
- Burp Scanner cannot self-register users or deliberately trigger login failures by submitting invalid credentials as part of a login sequence. As a result, any "Login functions" crawl settings from your scan configuration are ignored.
- Your authentication system may flag repeated logins made during the scan as suspicious. This in turn could trigger additional authentication steps or anti-robot measures that the crawler is unable to handle. In this case, we recommend running the scan on a test instance with these checks disabled.
- Recorded logins are not compatible with two-factor authentication, character-select passwords, or CAPTCHA.
Recorded logins do not support CAPTCHA because CAPTCHA systems are specifically designed to deny automated systems such as our recorded login tool. Adding support would likely result in CAPTCHA providers patching the methods we would use to bypass the CAPTCHA mechanism, potentially creating a cycle of us finding CAPTCHA vulnerabilities and providers patching them out.
Tips for recording successful login sequences
These tips will help you to create recorded login sequences that work the first time:
- Check the list of limitations for recorded login sequences to make sure that the authentication process for your target application is compatible with Burp Suite's recorded logins.
- If the application uses a basic, single-step HTML login form, consider adding login credentials rather than using a recorded login sequence. Using simple login credentials wherever possible can result in faster scanning.
- After the login process is complete, end the sequence without clicking on any other links or logging out. The recorded login sequence is designed to perform the login process only. Any additional navigation is automatically handled by Burp Scanner as part of its crawl phase.
- Wait for pages and elements to finish loading completely before performing the next action.
- Avoid any unnecessary actions such as additional mouse clicks. Burp Scanner repeats all the actions you record.
- Use mouse clicks (rather than keyboard shortcuts) to interact with all elements on the page. This tip applies even for fields that are automatically selected.
- Recorded login sequences are intended to handle web application authentication only. If the destination server requires platform authentication, such as Microsoft NTLM, then you should enter these credentials separately. You can set platform authentication credentials as part of a custom scan configuration.
- Make sure that the login sequence finishes on a page that is in scope for scans of this site. Although the crawler can follow out-of-scope links during the login process, the login sequence must end on a page that is in scope.
Troubleshooting recorded login sequences for Burp Suite Enterprise Edition
If Burp Scanner is unable to replay a recorded login sequence during a scan then it will not be able to perform an authenticated crawl. However, the scan will still run.
If your login sequence does not break any of the limitations for recorded logins and you have followed all of the best-practice tips listed above, then you should download the event log for the scan. The log error messages can tell you whether the issue was with the login sequence itself or whether there was a general issue with the browser.
Some log entries may represent temporary failures that were later resolved. For example, if the target site imposes rate limits, you might see entries saying that the crawler was unable to log in. However, it may have logged in successfully later in the scan.
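As an added example (not part of PortSwigger's documentation or tooling), the following Python script applies the triage described above to constructed log lines: it reports whether login failures were transient (a later success exists) or persistent, and counts browser-level errors separately. The line layout and message texts are assumptions made for this example, not Burp Scanner's real event-log format.

```python
import re

# Constructed sample event-log lines in a made-up "<timestamp> <level> <message>" layout.
# This is NOT Burp Scanner's real event-log format; it only stands in for it here.
SAMPLE_LOG = """\
2022-11-25T10:00:01Z INFO  Crawl started
2022-11-25T10:00:05Z ERROR Recorded login failed: final page was not in scope
2022-11-25T10:02:10Z ERROR Recorded login failed: final page was not in scope
2022-11-25T10:05:30Z INFO  Recorded login succeeded
2022-11-25T10:06:00Z INFO  Crawl continuing with authenticated session
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+(?P<msg>.*)$")


def parse(log_text):
    """Split the log into dicts with ts/level/msg; lines that do not match are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            entries.append(m.groupdict())
    return entries


def classify_login_failures(entries):
    """Summarise login-related entries.

    A failure followed by a later success is 'transient' (for example, rate limiting);
    a failure with no later success is 'persistent'. ERROR lines mentioning the browser
    are counted separately because they point at the browser, not the sequence."""
    failures = []
    last_success = None
    browser_errors = 0
    for i, e in enumerate(entries):
        msg = e["msg"].lower()
        if "login failed" in msg:
            failures.append(i)
        elif "login succeeded" in msg:
            last_success = i
        elif "browser" in msg and e["level"] == "ERROR":
            browser_errors += 1
    if not failures:
        verdict = "no-login-failures"
    elif last_success is not None and last_success > failures[-1]:
        verdict = "transient"
    else:
        verdict = "persistent"
    return {"verdict": verdict, "failures": len(failures), "browser_errors": browser_errors}
```

A "persistent" verdict means the sequence never logged in during the scan and needs re-recording; "transient" means the crawl did eventually authenticate.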