Identifying login and registration forms
Last updated: September 21, 2023
When crawling, Burp Scanner first identifies any forms that it believes to be login or registration forms. Any forms meeting all of the following criteria are added to the list:
- The form is a standard HTML form.
- The form contains an input field with the attribute
- The password field has a non-empty
Burp Scanner then attempts to distinguish registration forms from login forms. To do this, it applies a series of ordered criteria.
The registration form is:
- Whichever form has the most password fields.
- Whichever form has the most text fields.
- Whichever form has the most multi-value select fields.
- Whichever form has the most single-value select fields.
- Whichever form Burp Scanner found first.
For example, if two forms have an equal number of password fields, Burp Scanner next compares the number of text fields, and so on.
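As an added illustration (not PortSwigger's code, whose implementation the article does not show), the following Python reproduces the documented candidate check and the ordered tie-break for choosing the registration form, run over a constructed HTML page; it assumes that an input with no type attribute counts as a text field, which the article does not state.

```python
from html.parser import HTMLParser
class FormCollector(HTMLParser):
    """Collects every <form> with its <input> and <select> tags, in document order."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # valueless attributes such as 'multiple' map to None
        if tag == "form":
            self._current = {"inputs": [], "selects": []}
            self.forms.append(self._current)
        elif self._current is not None and tag == "input":
            self._current["inputs"].append(a)
        elif self._current is not None and tag == "select":
            self._current["selects"].append(a)
    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def is_candidate(form):
    """Login/registration candidate: has a password input whose name is non-empty."""
    return any((i.get("type") or "").lower() == "password" and (i.get("name") or "").strip()
               for i in form["inputs"])

def classify_forms(html):
    """Return (candidate form indexes, index of the form chosen as the registration form)."""
    parser = FormCollector()
    parser.feed(html)
    candidates = [i for i, f in enumerate(parser.forms) if is_candidate(f)]
    if not candidates:
        return candidates, None
    def order(i):
        f = parser.forms[i]
        # Assumption: an <input> with no type attribute counts as a text field (HTML default).
        types = [(inp.get("type") or "text").lower() for inp in f["inputs"]]
        multi = sum(1 for s in f["selects"] if "multiple" in s)
        single = len(f["selects"]) - multi
        # Documented tie-break order: passwords, text, multi-select, single-select, first found.
        return (-types.count("password"), -types.count("text"), -multi, -single, i)
    return candidates, min(candidates, key=order)

# Constructed sample: search form, login form, a form whose password input has no name
# (not a candidate), and a registration form with two password fields.
SAMPLE_HTML = """
<form id="search"><input type="text" name="q"></form>
<form id="login"><input type="text" name="user"><input type="password" name="pw"></form>
<form id="unnamed"><input type="text" name="user"><input type="password"></form>
<form id="register"><input type="text" name="user"><input type="email" name="mail">
<input type="password" name="pw"><input type="password" name="confirm"><select name="c"></select></form>
"""
```

Running `classify_forms(SAMPLE_HTML)` returns `([1, 3], 3)`: the login and registration forms are candidates, and the one with two password fields is picked as the registration form.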
Why is Burp Scanner not filling in my login forms?
Burp Scanner identifies login and registration forms based on the password field. However, it only enters a username or email address if the related fields:
- Have a
- Have a non-empty
If the username field does not meet these conditions, then Burp Scanner can identify the form but is unable to enter the corresponding data.
What usernames does Burp Scanner submit?
Burp Scanner submits the username as provided in the following situations:
- The field has a
- The field has a type=email attribute and the username provided ends in an email domain.
If the field has a type=email attribute but the username provided does not end in an email domain, then Burp Scanner submits the provided username with