Name is required.
Email address is required.
Invalid email address
Answer is required.
Exceeding max length of 5KB

OAuth authentication

Add a login sequencer Option Mar 06, 2019 11:08PM UTC

At the moment, burp enterprise does not support Authenticated scanning with OAUTH and SSO.

Going forward it is good to have a login sequence recorder to overcome such issues

Paul Johnston Mar 07, 2019 08:57AM UTC Support Center agent

I agree, this would be a good feature. This is on our development plan, although it may be a little while until we get to this.

In the meantime, if you include the identity provider within your scope, Burp may be able to treat it as a normal login form.

vasant Mar 07, 2019 10:43PM UTC
You mean, just add the identity provider's url to the scan scope?

Paul Johnston Mar 08, 2019 08:06AM UTC Support Center agent

Yes, that’s worth a try. We’d be interested to know how you get on with that.

vasant Mar 11, 2019 01:43AM UTC

I added the Oauth provider to the scope. However, It still doesn't work. Looks like scanner does not support any other forms of authentication like SSO/OAuth or NTLM. Without support for these authentication types, one cannot perform authenticated scans on their sites.

This has to be on your priority list.

Paul Johnston Mar 12, 2019 09:11AM UTC Support Center agent

Hi Vasant,

You can use NTLM authentication. It’s a little tricky to set up but I can provide instructions if needed.

Unfortunately OAuth is not on our priority list. We are aware a few people are unable to scan their sites because of this. It will probably be some months until we get to this.

Phil Pfalzgraf Apr 29, 2019 06:34PM UTC
I agree that this feature should be a top priority. In an enterprise environment, automated DAST really needs support for OAUTH and SSO in order to be useful in a CI/CD pipeline.


Rose Krawczuk Apr 30, 2019 10:01AM UTC Support Center agent

Hi Phil, we’ve made a note of your request in our development backlog.

TM Jun 27, 2019 01:30PM UTC
Is there any progress on OAuth integration for Burp. I come across this quite a lot during pentests and it would be handy to have the automated scanner part of Burp...

Liam Tai-Hogan Jun 28, 2019 10:20AM UTC Support Center agent

We have this feature on this years roadmap. We’ll update you when we release the feature.

Post Your public answer

Your name
Your email address