Adding recorded login sequences

  • Last updated: August 12, 2022

A recorded login sequence is a set of instructions that tell Burp Scanner how to log in to a particular site. Recorded login sequences enable Burp Scanner to audit content that only authenticated users can usually see, even on sites that use complex login mechanisms such as Single Sign-On. This section explains how to record a login sequence and then add it to a new or existing site.

Note

If your site uses a basic username and password-based authentication mechanism, you should consider adding username and password credentials rather than adding a recorded login sequence. Using username and password credentials can improve scan times and reduce the likelihood of errors. You cannot use both authentication methods on a single site in Burp Suite Enterprise Edition.

Preparing the Burp Suite Navigation Recorder extension

Before you can record a login sequence, you must first install the Burp Suite Navigation Recorder Chrome extension and configure it to run in incognito mode.

To install and configure the extension:

  1. Open Chrome and navigate to the Burp Suite Navigation Recorder extension page.
  2. Select Add to Chrome.
  3. In the dialog box, select Add extension to install the extension.
  4. Click the extension icon on the Chrome toolbar to open the extension menu.
  5. Select Open settings to display the extension options page.
  6. Set Allow in incognito.

Recording a login sequence in Burp Suite Enterprise Edition

Note

Before attempting to record a login sequence, make sure that you have read Best practice for recording login sequences in Burp Suite Enterprise Edition. These tips can help you to avoid some common errors made when recording complex authentication sequences.

To record a login sequence:

  1. Make sure that you have installed the Burp Suite Navigation Recorder Chrome extension and set it to run in incognito mode. For more information, see Preparing the Burp Suite Navigation Recorder extension.
  2. Click the extension icon on the Chrome toolbar and select Start recording. Chrome opens a new incognito window.
  3. In the incognito window, browse to the target website.
  4. Complete the login sequence that you want to capture.
  5. When you're done, click the extension icon again and select Stop recording.

The extension automatically copies the generated script to your clipboard. You can re-copy the script by selecting the extension icon and selecting Copy to clipboard.

You can repeat this process for each set of credentials that you want to use for scans of this site. For example, you might record one login sequence in which you log in as a normal user and another sequence in which you log in as an administrator.

Note

Burp Scanner always uses Burp's browser to perform recorded login sequences when scanning, even if you have not selected Use Burp's browser for Crawl and Audit in your scan configuration.

Adding recorded login sequences to Burp Suite Enterprise Edition

Once you have recorded a login sequence, you're ready to add it to Burp Suite Enterprise Edition.

Add a recorded login sequence to a new site

To add a recorded login sequence when you create a new site:

  1. On the top menu, select Sites > Add a new site to display the Create a new site page.
  2. In the Scan settings section, select the Application logins tab.
  3. Select the Upload recorded login sequences radio button.
  4. Click Add a recorded login.
  5. In the dialog box, enter a unique Label to identify this recorded login.
  6. Paste the login script into the Paste script field.
  7. Click Save.

Add a recorded login sequence to an existing site

To add a recorded login sequence to an existing site:

  1. On the top menu, select Sites to display the site tree.
  2. Select the site that you want to add the recorded login sequence to.
  3. Select the Details tab and click Edit.
  4. In the Scan settings section, select the Application logins tab.
  5. Select the Upload recorded login sequences radio button.
  6. Click Add a recorded login.
  7. In the dialog box, enter a unique Label to identify this recorded login.
  8. Paste the login script into the Paste script field.
  9. Click Save to close the dialog box.
  10. Click Save.

To add an additional recorded login, click the plus button and repeat steps 7 to 9.

To delete a recorded login, click the trash icon.
