Adding application logins to a site in Burp Suite Enterprise Edition

When creating or editing a site in Burp Suite Enterprise Edition, you have the option to provide valid application logins that Burp Scanner should submit when it encounters any login forms on the site. This enables it to discover and audit content that is only accessible to authenticated users.

You have the following two options for providing application logins. Please note that you can only use one of these options per site.

Add login credentials

If your site only has a basic, single-step login mechanism, you can simply add sets of usernames and passwords, along with a label to help identify them.

This works well for classic login forms with only two input fields. However, with this option selected, Burp Scanner cannot handle more complex login mechanisms, such as those involving single sign-on. In that case, we recommend importing a recorded login sequence to ensure maximum coverage for your scans.

Add recorded login sequences

A recorded login sequence is essentially a set of instructions that tell Burp Scanner exactly how to log in to the site. This enables it to handle more complex login mechanisms, including single sign-on.

You can create recorded login sequences quickly and easily using our dedicated Chrome extension. The extension captures your interactions with the website while you perform the login sequence manually in your browser. It automatically generates a JSON-based "script", which you can then import as an application login for your site. When the scan begins an authenticated crawl, it will open a new browser session and use this script to replicate your actions, performing the full login sequence from scratch.

Limitations for recorded login sequences in Burp Suite Enterprise Edition

Please be aware of the following limitations before deciding to use recorded login sequences:

How to record a login sequence for Burp Suite Enterprise Edition

To record a login sequence for Burp Suite Enterprise Edition to use during scans, you need to perform the following steps:

  1. Open your Chrome browser and add the Burp Suite Navigation Recorder extension.
  2. In the upper-right corner of the browser, click on the icon for the extension. When prompted, click "Open settings" and enable the "Allow in Incognito" option.
  3. Click on the extension again and select "Start recording". A new incognito window opens.
  4. In the incognito window, browse to the target website. A red outline indicates that the window is being recorded.
  5. Complete the login sequence that you want to capture. Make sure that you enter the credentials that you want Burp Suite Enterprise Edition to use during scans.
  6. Perform the rest of the login sequence as required. Make sure that you finish on a page that will be in scope for scans of this site.
  7. When you're done, click the extension icon again and select "Stop recording". The generated script is automatically copied to your clipboard. If you made a mistake, you can click the icon again to re-record the login sequence. If you accidentally lose the script from your clipboard, you can also copy the last recorded sequence.
  8. In Burp Suite Enterprise Edition, create a new site or go to the "Details" tab for an existing site. Under "Application Logins", select the "Add recorded login sequences" option.
  9. Add a label to help you remember which login sequence this is. Finally, paste the data from your clipboard into the "Paste Script" field and click "OK". The recorded sequence is added to the list of application logins.

You can now repeat this process for each set of credentials that you want to use for scans of this site. For example, you might record one login sequence in which you log in as a normal user and another sequence in which you log in as an administrator.

Note

In order for Burp Scanner to perform your recorded login sequences, it needs to use its embedded browser. Scans of any sites for which you have uploaded recorded login sequences will automatically use the embedded browser even if you have not enabled the "Use embedded browser for Crawl and Audit" option in your scan configuration.

Troubleshooting recorded login sequences for Burp Suite Enterprise Edition

You might sometimes find that Burp Scanner is unable to replay a recorded login sequence during a scan. Although this won't cause the scan to fail completely, it will prevent it from performing an authenticated crawl. There are several steps you can take to troubleshoot these issues.