Burp crawl and audit fails against the DVWA.
I'm using Burp's crawl and audit scan to find as many issues in the DVWA as possible. However, the configured "Application login" fails to log in to the application and perform an authenticated crawl and scan. The crawl configuration in "Login Functions" has both options checked, and the "Miscellaneous" configuration has the "Submit forms" option checked as well. I would be grateful if you could provide guidance as to how to configure the Burp scan to perform an authenticated crawl and audit against the DVWA, initiated by the crawl itself.
It seems that Burp cannot handle the CSRF/redirect/session ID combination correctly, despite having these two options checked in the "Audit Optimization" configuration: "Automatically maintain..." and "Follow redirections...".
I hope the above helps.
Side question: is there a possible audit and/or crawl configuration/feature which would automatically detect that the web form in "DVWA Security" can set different cookie values, and that these values can/should also be used during the scan?
Hi, it sounds like Burp Suite is not finding the login page of the DVWA unless you have your Crawl Optimization > Crawl strategy set to ‘Most Complete’. You could confirm this by installing a request monitoring extension like Flow or Logger++ and then running the crawl with a strategy set to normal and see if the crawler tries to authenticate in the login page.
With regard to your point that you can't skip the crawling phase: once you have crawled the entire application, you should be able to audit the site that has been populated in the site map, which would save you from having to crawl the application every time you want to scan.
In Project Options > Sessions > Cookie Jar, you can control how Burp updates the cookies it discovers from using different tools in the application. Is this what you are looking for?
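To make concrete what the "CSRF/redirect/session ID combo" in the question requires of an authenticated crawler, here is an added example (not code from the post, from PortSwigger, or from the DVWA project). It spins up a constructed stand-in for DVWA's login and security pages, then performs the steps a scanner's session handling must reproduce: fetch the form, keep the session cookie, replay the freshly issued anti-CSRF token, follow the 302 after login, and finally submit the security form so the `security` cookie lands in the cookie jar. The field names (`username`, `password`, `Login`, `user_token`, `security`, `seclev_submit`), the `PHPSESSID` cookie and the default credentials are assumptions modelled on DVWA; the mock server's behaviour is constructed for this example.

```python
import http.cookiejar
import http.cookies
import re
import secrets
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

VALID_USER, VALID_PASS = "admin", "password"  # assumed DVWA defaults
_SESSIONS = {}  # PHPSESSID -> {"token": str, "logged_in": bool}


class MockDvwaHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for DVWA's login/security pages (not DVWA's code)."""

    def log_message(self, *args):
        pass  # keep the example quiet

    def _session(self):
        # Look up the session from the cookie, creating one if absent.
        jar = http.cookies.SimpleCookie(self.headers.get("Cookie", ""))
        sid = jar["PHPSESSID"].value if "PHPSESSID" in jar else None
        if sid not in _SESSIONS:
            sid = secrets.token_hex(8)
            _SESSIONS[sid] = {"token": secrets.token_hex(16), "logged_in": False}
        return sid, _SESSIONS[sid]

    def _reply(self, status, body=b"", headers=()):
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        sid, sess = self._session()
        path = urllib.parse.urlparse(self.path).path
        cookie = ("Set-Cookie", f"PHPSESSID={sid}; Path=/")
        if path == "/login.php":
            # Login form carries a per-session anti-CSRF token in a hidden field.
            body = (f'<form method="post" action="login.php">'
                    f'<input type="hidden" name="user_token" value="{sess["token"]}">'
                    f'</form>').encode()
            self._reply(200, body, [cookie])
        elif path == "/index.php" and sess["logged_in"]:
            self._reply(200, b"<h1>Welcome to DVWA</h1>", [cookie])
        else:
            self._reply(302, headers=[cookie, ("Location", "/login.php")])

    def do_POST(self):
        sid, sess = self._session()
        length = int(self.headers.get("Content-Length", 0))
        form = dict(urllib.parse.parse_qsl(self.rfile.read(length).decode()))
        cookie = ("Set-Cookie", f"PHPSESSID={sid}; Path=/")
        if self.path == "/login.php":
            ok = (form.get("user_token") == sess["token"]
                  and form.get("username") == VALID_USER
                  and form.get("password") == VALID_PASS)
            sess["token"] = secrets.token_hex(16)  # token rotates on every attempt
            if ok:
                sess["logged_in"] = True
            target = "/index.php" if ok else "/login.php"
            self._reply(302, headers=[cookie, ("Location", target)])
        elif self.path == "/security.php" and sess["logged_in"]:
            # The security form sets the level via a separate cookie.
            level = form.get("security", "impossible")
            self._reply(200, b"ok", [cookie, ("Set-Cookie", f"security={level}; Path=/")])
        else:
            self._reply(302, headers=[cookie, ("Location", "/login.php")])


def start_mock_server():
    srv = HTTPServer(("127.0.0.1", 0), MockDvwaHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def authenticated_login(base, username, password, security="low"):
    """Reproduce the sequence a scanner's session handling must get right.
    Returns (path landed on after login, cookies held afterwards)."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    html = opener.open(base + "/login.php").read().decode()      # step 1: session + token
    token = re.search(r'name="user_token" value="([0-9a-f]+)"', html).group(1)
    data = urllib.parse.urlencode({"username": username, "password": password,
                                   "Login": "Login", "user_token": token}).encode()
    resp = opener.open(base + "/login.php", data)                # step 2: POST, 302 followed
    landed = urllib.parse.urlparse(resp.geturl()).path
    opener.open(base + "/security.php", urllib.parse.urlencode(  # step 3: choose level
        {"security": security, "seclev_submit": "Submit"}).encode())
    return landed, {c.name: c.value for c in jar}


if __name__ == "__main__":
    server, url = start_mock_server()
    print(authenticated_login(url, VALID_USER, VALID_PASS, "low"))
    server.shutdown()
```

Each of the three steps depends on the one before it: a stale or missing `user_token` (a token captured before a previous failed attempt, or a request sent without the session cookie) fails authentication and the server answers with a redirect back to the login form, which is exactly the symptom of a scanner that re-requests the form but replays an old token or starts a fresh session. The `security` cookie only exists after the third step, which is why a crawl that never submits that form scans a single security level.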