
Adding recorded login sequences

  • Last updated: November 11, 2022

  • Read time: 4 Minutes

A recorded login sequence is a set of instructions that tell Burp Scanner how to log in to a particular site. Recorded login sequences enable Burp Scanner to audit content that only authenticated users can usually see, even on sites that use complex login mechanisms such as Single Sign-On. This section explains how to record a login sequence and then add it to a new or existing site.

Note

If your site uses a basic username and password-based authentication mechanism, you should consider adding username and password credentials rather than adding a recorded login sequence. Using username and password credentials can improve scan times and reduce the likelihood of errors. You cannot use both authentication methods on a single site in Burp Suite Enterprise Edition.

Preparing the Burp Suite Navigation Recorder extension

Before you can record a login sequence, you must first install the Burp Suite Navigation Recorder Chrome extension and configure it to run in incognito mode.

To install and configure the extension:

  1. Open Chrome and navigate to the Burp Suite Navigation Recorder extension page.
  2. Click Add to Chrome.
  3. In the dialog box, click Add extension to install the extension.
  4. Click the extension icon on the Chrome toolbar to open the extension menu.
  5. Click Manage extensions to display the Extensions page.
  6. In the Burp Suite Navigation Recorder tile, click Details.
  7. Select Allow in incognito.

Recording a login sequence in Burp Suite Enterprise Edition

Note

Before attempting to record a login sequence, make sure that you have read Best practice for recording login sequences in Burp Suite Enterprise Edition. These tips can help you to avoid some common errors made when recording complex authentication sequences.

To record a login sequence:

  1. Make sure that you have installed the Burp Suite Navigation Recorder Chrome extension and set it to run in incognito mode. For more information, see Preparing the Burp Suite Navigation Recorder extension.
  2. Click the extension icon on the Chrome toolbar and select Burp Suite Navigation Recorder.
  3. At the prompt, click Start recording. A new incognito window opens.
  4. In the incognito window, browse to the target website.
  5. Complete the login sequence that you want to capture.
  6. When you're done, click the extension icon, select Burp Suite Navigation Recorder, and click Stop recording.

The extension automatically copies the generated script to your clipboard. If you need to copy the script again, click the extension icon and select Copy to clipboard.

You can repeat this process for each set of credentials that you want to use for scans of this site. For example, you might record one login sequence in which you log in as a normal user and another sequence in which you log in as an administrator.

Note

Burp Scanner always uses Burp's browser to perform recorded login sequences when scanning, even if you have not selected Use Burp's browser for Crawl and Audit in your scan configuration.

Adding recorded login sequences to Burp Suite Enterprise Edition

Once you have recorded a login sequence, you're ready to add it to Burp Suite Enterprise Edition.

Add a recorded login sequence to a new site

To add a recorded login sequence when you create a new site:

  1. On the top menu, select Sites > Add a new site to display the Create a new site page.
  2. In the Scan settings section, select the Application logins tab.
  3. Select the Upload recorded login sequences radio button.
  4. Click Add a recorded login.
  5. In the dialog box, enter a unique Label to identify this recorded login.
  6. Paste the login script into the Paste script field.
  7. Click Save.

Note

Burp Scanner always uses Burp's browser to perform recorded login sequences when scanning, even if you have not selected Use Burp's browser for Crawl and Audit in your scan configuration.

Add a recorded login sequence to an existing site

To add a recorded login sequence to an existing site:

  1. On the top menu, select Sites to display the site tree.
  2. Select the site that you want to add a recorded login sequence to.
  3. Select the Details tab and click Edit.
  4. In the Scan settings section, select the Application logins tab.
  5. Select the Upload recorded login sequences radio button.
  6. Click Add a recorded login.
  7. In the dialog box, enter a unique Label to identify this recorded login.
  8. Paste the login script into the Paste script field.
  9. Click Save to close the dialog box.
  10. Click Save.

To add an additional recorded login, click the plus button and repeat steps 7 to 9.

To delete a recorded login, click the trash icon.

Reviewing a recorded login sequence

When you run a health check, Burp Suite Enterprise Edition captures images from your recorded login sequences. You can review the images from each sequence, to make sure that they successfully log in to the site.

Note

For security reasons, you need permission to view recorded logins.

To grant users permission to view recorded logins, an admin user needs to:

  1. Create a new role that has permission to View site application login details.
  2. Create a new group that contains the new role, the appropriate users, and any site restrictions.
  3. Ask the users to sign out and sign in again, for the changes to take effect.

To review your recorded login sequences:

  1. From the Sites menu, select a site.
  2. In the Health status menu, click Run health check. Wait for the health check to complete.
  3. Expand the Health status menu and go to the Recorded logins tab.
  4. To review a specific recorded login sequence, click Review replay.
  5. Review the images of the recorded login replay, to make sure that the login is successful.

Note

You will see an error message if there is an error with the script for the recorded login.

Recorded login images are only stored for 14 days. After this period, you need to run a new health check in order to review your login sequence.
