
Spider

Horst Dec 23, 2019 06:59PM UTC

Hello!

I urgently need your help! I am trying to get all sites from a website, but apparently the restricted section of this website is not shown in my site map, even though I am passing the credentials to Burp while scanning.

Thanks for your Help


Liam Tai-Hogan Dec 24, 2019 03:25PM UTC Support Center agent

Horst, which version of Burp are you using?

How are you passing the credentials to Burp?


Horst Dec 28, 2019 09:19AM UTC
I am using Burp Professional v2.1.04, and I am passing the credentials to Burp within a new Scan, while Scan and Audit with the Application Login part.

Hannah Law Jan 02, 2020 08:41AM UTC Support Center agent

Does the site you are attempting to scan use JavaScript in order to log in? If you disable JavaScript, are you still able to log in as normal?


Horst Jan 02, 2020 03:26PM UTC
Yes, I disabled JavaScript, and the website and the login still worked.

Hannah Law Jan 02, 2020 03:34PM UTC Support Center agent

Is it a simple logon (i.e. just username and password) or are there other steps involved?

If you passively scan the website, are you able to see the traffic details come through your proxy and populate your sitemap? (New live task > Live passive crawl > Navigate website in your proxied browser)


Horst Jan 04, 2020 09:02AM UTC
Yes, it's just a simple login, I just need to provide username and password.
If I passively scan the website, the private content can be viewed.

Ben Wright Jan 06, 2020 11:01AM UTC Support Center agent

Hi,

Is the website that you are having issues with public-facing and, if so, are you able to give us details of the site (if you would prefer to do this by sending an email to support@portswigger.net then please feel free)?

There is a possibility that Burp is not recognizing the login page and, therefore, not applying the credentials during the crawl phase, but if it is a simple username/password login with no JavaScript involved then this would seem unlikely. If you can provide us with further details of the site then we can investigate this.

If this is not going to be possible, then you could look to install the Logger++ extension, rerun the scan and monitor the requests that are being sent to check whether Burp is attempting to perform a login.
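The check suggested above (did the crawler send a login request, and was the resulting session then used on restricted pages?) can be scripted over a request log. This is an added example, not part of the thread and not Logger++'s export format: the record fields, the `/login` and `/members/` paths, the `username` form field, and the sample data are all assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

def rec(method, path, status, body="", cookie="", set_cookie="", location=""):
    """Build one log record; these field names are assumptions for this example."""
    return dict(method=method, path=path, status=status, body=body,
                cookie=cookie, set_cookie=set_cookie, location=location)

# Constructed sample: the crawler submits the login form and keeps the session.
LOG_WITH_LOGIN = [
    rec("GET", "/login", 200),
    rec("POST", "/login", 302, body="username=scanuser&password=example",
        set_cookie="session=abc123; HttpOnly", location="/members/"),
    rec("GET", "/members/", 200, cookie="session=abc123"),
    rec("GET", "/members/profile", 200, cookie="session=abc123"),
]

# Constructed sample: no login request is sent, so restricted pages bounce.
LOG_WITHOUT_LOGIN = [
    rec("GET", "/login", 200),
    rec("GET", "/members/", 302, location="/login"),
]

def diagnose_login(log, login_path="/login", user_field="username",
                   username="scanuser", restricted_prefix="/members/"):
    """Report whether a login was attempted and whether the session was used."""
    out = {"login_attempted": False, "session_issued": False,
           "restricted_ok": 0, "restricted_bounced": 0}
    session = None
    for r in log:
        if r["method"] == "POST" and r["path"] == login_path:
            # Count it as a login attempt only if the scan's username was submitted.
            if parse_qs(r["body"]).get(user_field) == [username]:
                out["login_attempted"] = True
                if r["set_cookie"]:
                    session = r["set_cookie"].split(";")[0].strip()
                    out["session_issued"] = True
        elif r["path"].startswith(restricted_prefix):
            sent = [c.strip() for c in r["cookie"].split(";")]
            bounced = (r["status"] in (301, 302, 303, 307)
                       and r["location"].startswith(login_path))
            if session in sent and r["status"] == 200 and not bounced:
                out["restricted_ok"] += 1
            else:
                out["restricted_bounced"] += 1
    return out

if __name__ == "__main__":
    print(diagnose_login(LOG_WITH_LOGIN))
    print(diagnose_login(LOG_WITHOUT_LOGIN))
```

A result with `login_attempted` false points at the login form not being recognised; a result with a session issued but only bounced restricted requests points at the session not being carried into the crawl.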

