Last updated: July 20, 2021
When creating or editing a site in Burp Suite Enterprise Edition, you have the option to provide valid application logins that Burp Scanner should submit when it encounters any login forms on the site. This enables it to discover and audit content that is only accessible to authenticated users.
You have the following two options for providing application logins. Please note that you can only use one of these options per site.
If your site has a basic, single-step login mechanism, you can simply add sets of usernames and passwords, along with a label to help identify each set.
This works well for classic login forms with just two input fields, typically a username and a password. With this option selected, however, Burp Scanner cannot handle more complex login mechanisms, such as those involving single sign-on. In that case, we recommend importing a recorded login sequence instead to ensure maximum coverage for your scans.
A recorded login sequence is essentially a set of instructions that tell Burp Scanner exactly how to log in to the site. This enables it to handle more complex login mechanisms, including single sign-on.
You can create recorded login sequences quickly and easily using our dedicated Chrome extension. The extension captures your interactions with the website while you perform the login sequence manually in your browser. It automatically generates a JSON-based "script", which you can then import as an application login for your site. When the scan begins an authenticated crawl, it will open a new browser session and use this script to replicate your actions, performing the full login sequence from scratch.
Please be aware of the following limitations before deciding to use recorded login sequences:
To record a login sequence for Burp Suite Enterprise Edition to use during scans, you need to perform the following steps:
You can now repeat this process for each set of credentials that you want to use for scans of this site. For example, you might record one login sequence in which you log in as a normal user and another sequence in which you log in as an administrator.
In order for Burp Scanner to perform your recorded login sequences, it needs to use its embedded browser. Scans of any sites for which you have uploaded recorded login sequences will automatically use the embedded browser even if you have not enabled the "Use embedded browser for Crawl and Audit" option in your scan configuration.
You might sometimes find that Burp Scanner is unable to replay a recorded login sequence during a scan. This won't cause the scan to fail completely, but it will prevent Burp Scanner from performing an authenticated crawl, so content that is only reachable after logging in will not be covered. There are several steps you can take to troubleshoot these issues.
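The JSON "script" produced by the recorder extension (described above) is only useful if Burp Scanner can actually replay it, and a sequence that fails to replay silently loses the authenticated crawl. The following is an added example, not part of this page or of PortSwigger's code, of the two checks a practitioner typically wants before importing a sequence: a lint pass over the recorded events, and a replay of the same events in a plain Playwright browser to see where it breaks. The event layout used here (a top-level "events" list with "navigate", "click", "type" and "press" entries) is a hypothetical stand-in, not the real Burp recorder schema, and the lint rules are assumed good practice rather than Burp's own diagnostics; adapt parse_sequence() to the keys in your exported file.

```python
"""Lint and replay a recorded login sequence outside Burp Scanner.

The JSON layout below is a constructed stand-in for the script that the
recorder extension emits; it is NOT the real Burp schema.
"""
import json
from urllib.parse import urlparse

# Constructed sample in the hypothetical schema used by this example.
SAMPLE_SEQUENCE = json.dumps({
    "events": [
        {"type": "navigate", "url": "https://app.example.com/login"},
        {"type": "click", "selector": "#username"},
        {"type": "type", "selector": "#username", "value": "carlos"},
        {"type": "type", "selector": "#password", "value": "S3cret!"},
        {"type": "press", "selector": "#password", "key": "Enter"},
        {"type": "navigate", "url": "https://app.example.com/account"},
    ]
})


def origin_of(url):
    """scheme://host[:port] of a URL, lower-cased for comparison."""
    p = urlparse(url)
    return "{}://{}".format(p.scheme, p.netloc).lower()


def parse_sequence(raw):
    """Return the list of event dicts from a JSON script string."""
    doc = json.loads(raw)
    events = doc.get("events")
    if not isinstance(events, list):
        raise ValueError("script has no 'events' list")
    return events


def lint_sequence(events, site_origin):
    """Return problems that commonly stop a replay (assumed checks).

    - the sequence must open with a navigate, otherwise the fresh browser
      session Burp starts has no page to act on;
    - every navigate must stay on the site's origin (a sequence recorded
      against a staging host will not work against the scanned host);
    - every interaction needs a selector, and type/press need a payload.
    """
    problems = []
    if not events:
        return ["sequence is empty"]
    if events[0].get("type") != "navigate":
        problems.append("first event must be a navigate to the login page")
    for i, ev in enumerate(events):
        kind = ev.get("type")
        if kind == "navigate":
            origin = origin_of(ev.get("url", ""))
            if origin != site_origin.lower():
                problems.append("event %d: navigates to %s, not the site origin %s"
                                % (i, origin, site_origin))
        elif kind in ("click", "type", "press"):
            if not ev.get("selector"):
                problems.append("event %d: %s has no selector" % (i, kind))
            if kind == "type" and "value" not in ev:
                problems.append("event %d: type has no value" % i)
            if kind == "press" and not ev.get("key"):
                problems.append("event %d: press has no key" % i)
        else:
            problems.append("event %d: unknown event type %r" % (i, kind))
    return problems


def replay(events, page):
    """Replay events on a Playwright-style page object.

    `page` needs goto/click/fill/press, i.e. the sync Playwright Page API,
    so the sequence can be run in a real browser to see where it breaks.
    Returns the list of calls made, for logging.
    """
    calls = []
    for ev in events:
        kind = ev["type"]
        if kind == "navigate":
            page.goto(ev["url"])
            calls.append(("goto", ev["url"]))
        elif kind == "click":
            page.click(ev["selector"])
            calls.append(("click", ev["selector"]))
        elif kind == "type":
            page.fill(ev["selector"], ev["value"])
            calls.append(("fill", ev["selector"], ev["value"]))
        elif kind == "press":
            page.press(ev["selector"], ev["key"])
            calls.append(("press", ev["selector"], ev["key"]))
    return calls


if __name__ == "__main__":
    events = parse_sequence(SAMPLE_SEQUENCE)
    print(lint_sequence(events, "https://app.example.com"))
    # Real run (needs `pip install playwright` and `playwright install chromium`):
    # from playwright.sync_api import sync_playwright
    # with sync_playwright() as p:
    #     browser = p.chromium.launch()
    #     page = browser.new_page()
    #     replay(events, page)
    #     print(page.url)  # should be the post-login page
    #     browser.close()
```

Run the lint first with the origin of the site as configured in Burp Suite Enterprise Edition; if it is clean, run the commented-out Playwright replay against the same host and watch for the step at which a selector no longer matches or the page does not land where the recording expects. Those are the same conditions under which Burp Scanner's embedded browser will fail to complete the login.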