Recorded login sequences
Last updated: September 21, 2023
When configuring application logins for a scan, you can import a recorded login sequence rather than supplying basic user credentials. A recorded login sequence is a set of instructions that tell Burp Scanner how to log in to the website.
Recorded login sequences enable Burp to handle complex authentication mechanisms, including:
- Single sign-on.
- Multi-step logins in which the username and password are not entered in the same form.
- Login forms that contain, for example, extra fields or checkboxes.
When running a recorded login sequence, Burp Scanner can temporarily follow any out-of-scope links that are necessary to perform the login sequence. However, these locations are not crawled or audited as part of the scan.
Recorded login sequences are especially useful if you are using Burp Suite Enterprise Edition to automate scanning across a large application portfolio. In this case, you may be able to record an application's login sequence once and re-use it multiple times.
Using recorded login sequences
To record your login sequences, use the Burp Suite Navigation Recorder. This Chrome extension captures your interactions with the website while you perform the login sequence manually. It then generates a JSON-based "script" that you can import into Burp Suite Professional or Burp Suite Enterprise Edition.
We recommend that you read the Best practice for recording login sequences documentation before attempting to record a login sequence. This page contains advice that should help you to record login sequences that work first time.
After you import the script, the next time Burp Scanner performs an authenticated crawl, it opens a new browser session and uses the script to perform the full login sequence.