Last updated: September 21, 2023
Both Burp Suite Professional and Burp Suite Enterprise Edition enable you to specify login credentials that Burp Scanner can use when scanning applications that use a single-step login mechanism. Specifying a valid username and password enables Burp Scanner to audit content that only authenticated users can usually see.
Adding a username and password is suitable for applications that use a simple login form with two input fields. If your site uses a more complex login mechanism, use a recorded login sequence instead of username- and password-based login credentials, as Burp Scanner may otherwise be unable to log in.
You can only use one authentication method per scan. If you enter both login credentials and a recorded login sequence, Burp Scanner ignores the login credentials and uses the recorded login sequence.
How does Burp Scanner use login credentials?
Burp Scanner begins crawls with an unauthenticated phase in which it does not submit any credentials. This enables Burp Scanner to discover any login and self-registration functions within the application.
For more information on how Burp identifies login and self-registration forms, see Identifying login and registration forms.
If the application supports self-registration, Burp Scanner by default attempts to register a user at this point.
If the Trigger login failures scan configuration setting is enabled, Burp Scanner also attempts to submit bogus credentials to the site. Although these credentials cannot be used to log in, they might still reach interesting functions such as account recovery mechanisms.
If you select Crawl using my provided logins only from the Crawl Optimization section of the scan configuration, then Burp Scanner skips the unauthenticated phase of the crawl.
Next, Burp Scanner attempts an authenticated crawl. It visits the login function multiple times and attempts to log in using:
- The credentials for the self-registered account (if applicable).
- The credentials you specify for any pre-existing account.
Burp Scanner logs in using each set of credentials in turn and crawls the content behind the login mechanism. This enables the system to capture the different functions that are available to different types of user.
The Login functions section of the crawling scan configuration enables you to configure aspects of Burp Scanner's behavior during authenticated crawls. You can configure:
- Whether Burp Scanner attempts to self-register a new user on the target website before performing the crawl.
- Whether Burp Scanner uses bogus credentials to deliberately trigger login failures.
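The sequence described above (an unauthenticated discovery phase, optional self-registration, optional bogus-credential submission, then one authenticated crawl per credential set) can be followed in a small model. The code below is an added example written for this article, not PortSwigger code and not how Burp Scanner is implemented internally: the target application, its users, pages and links, the registration account name, and the option names on crawl() are all constructed assumptions chosen to mirror the settings the text names (self-registration, Trigger login failures, Crawl using my provided logins only, and the one-authentication-method-per-scan rule).

```python
"""Model of the crawl phases described in the article (constructed example).

Everything here is in-memory: no HTTP is sent and no real site is involved.
"""

# Constructed account the model registers during the unauthenticated phase.
REG_USER, REG_PASS = "model-reg-user", "model-reg-pass"


class TargetApp:
    """A toy site: public pages with links, private pages keyed by role."""

    def __init__(self):
        # Page -> pages it links to (assumed site map).
        self.links = {
            "/": {"/login", "/register", "/about"},
            "/login": set(),          # links to /forgot-password only after a failed login
            "/register": set(),
            "/about": set(),
            "/forgot-password": set(),
        }
        # Role -> pages visible only to that role (assumed).
        self.private = {
            "user": {"/account", "/orders"},
            "admin": {"/account", "/orders", "/admin/users"},
        }
        # username -> (password, role); one pre-existing admin account (constructed).
        self.users = {"alice": ("s3cret", "admin")}

    def register(self, username, password):
        """Self-registration creates an ordinary 'user' account."""
        if username in self.users:
            return False
        self.users[username] = (password, "user")
        return True

    def login(self, username, password):
        """Return the role on success, or None on failure.

        A failed attempt makes the login page reveal the account recovery link,
        which is the kind of function bogus credentials can surface.
        """
        entry = self.users.get(username)
        if entry and entry[0] == password:
            return entry[1]
        self.links["/login"].add("/forgot-password")
        return None


def discover(app, start="/"):
    """Unauthenticated link following from the start page."""
    seen, queue = set(), [start]
    while queue:
        page = queue.pop()
        if page in seen:
            continue
        seen.add(page)
        queue.extend(app.links.get(page, ()))
    return seen


def crawl(app, credentials=(), recorded_login=None, self_register=True,
          trigger_login_failures=True, provided_logins_only=False):
    """Return {phase or account: set of pages reached}, following the article's order."""
    coverage, login_sets = {}, []
    if recorded_login is not None:
        credentials = ()  # one method per scan: a recorded login wins over credentials
    if not provided_logins_only:
        # Unauthenticated phase: find login/registration, self-register, try bogus logins.
        if self_register and app.register(REG_USER, REG_PASS):
            login_sets.append((REG_USER, REG_PASS))
        if trigger_login_failures:
            app.login("bogus-user", "bogus-pass")  # expected to fail
        coverage["unauthenticated"] = discover(app)
    login_sets.extend(credentials)
    # Authenticated phase: crawl behind the login once per credential set.
    for username, password in login_sets:
        role = app.login(username, password)
        coverage[username] = app.private.get(role, set()) if role else set()
    if recorded_login is not None:
        role = recorded_login(app)
        coverage["recorded-login"] = app.private.get(role, set()) if role else set()
    return coverage


if __name__ == "__main__":
    for phase, pages in crawl(TargetApp(), credentials=[("alice", "s3cret")]).items():
        print(f"{phase:>16}: {sorted(pages)}")
```

Running the model with the constructed admin account shows three coverage sets: the public pages (including the recovery link surfaced by the failed bogus login), the pages the self-registered ordinary user can reach, and the admin-only pages, which is the per-role coverage the article attributes to logging in with each credential set in turn. Passing a recorded_login callable causes any username/password pair to be dropped, and provided_logins_only=True removes the unauthenticated phase and the self-registered account entirely.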