
authent scan with client ssl

afs Oct 02, 2019 01:43AM UTC

I need to do an authenticated scan for a website. I configure credentials in user options; is it enough? Do I need to configure session handling rules? Do I need to configure the browser to use the Burp root certificate? Do I need to configure the scan configuration to use credentials? Do I need to configure client SSL in user options?


Liam Tai-Hogan Oct 03, 2019 09:48AM UTC Support Center agent

The configuration of a credentialed scan is largely down to the individual web application and how it behaves. The information below should help you decide what functionality is required to carry out your testing tasks.

You can provide platform level authentication (e.g. NTLM) under User options → Connections → Platform Authentication.

Burp 2 is now configured to automatically work with any session handling mechanism that browsers are able to deal with. There is no longer any need to configure session handling rules telling Burp how to obtain a session or verify that the current session is valid.

You should always install Burp’s CA Certificate in order to make testing HTTPS applications more efficient. The details to carry out the installation are in the following link:

https://support.portswigger.net/customer/en/portal/articles/1783075-installing-burp-s-ca-certificate-in-your-browser

Credentials configured in the Application login section of the Scan Launcher will be submitted to any login functions discovered.

The Client SSL option allows you to authenticate using a specific SSL certificate that will be presented to a destination host when requested. This would only be required if the destination host has been configured to authenticate using SSL certificates, so it does not always need to be used. You can find more information about how Burp works with SSL in the following link:

https://portswigger.net/burp/documentation/desktop/options/ssl

