Burp Suite User Forum


Burp 2.0 beta - authentication does not seem to work

Jayant | Last updated: Sep 27, 2018 08:47PM UTC

I was trying out the Burp 2.0 beta but am having trouble getting it past application authentication. I tried running a scan and filled in login credentials in the New Scan dialog's Application Login. The credentials are correct (checked by logging in with a browser). Is what I enter in the "Label" field of the New Login Credentials dialog of any significance? It does not seem to get past authentication. What could I be missing?

PortSwigger Agent | Last updated: Sep 28, 2018 09:04AM UTC

Thanks for letting us know about this. If you disable JavaScript in your browser, are you able to log in? The current version of the crawler does not support JavaScript. This is something we're going to add in future, once Burp 2 is out of beta. If login works without JavaScript, but Burp is unable to crawl it, it would be really helpful if you could share the HTML source of the login page. The label on credentials is just to help you keep track; it doesn't affect the crawl.

Burp User | Last updated: Oct 05, 2018 10:39PM UTC

Sorry for the delay. I 'think' the login works when JS is disabled. Meaning, I do not get to the application main page after logging in when JS is disabled, but after that, if I re-enable JS and refresh, it lets me in and shows the application main page. Is there a way to submit the HTML of the page privately? Thanks,

PortSwigger Agent | Last updated: Oct 08, 2018 09:06AM UTC

Unfortunately the current version of the crawler will not be able to cover your application. We need to be able to see the content without JavaScript. What you can do is crawl the application manually, just like with Burp 1. You can then use the context menu to scan items from the site map. Please let us know if you need any further assistance.

Burp User | Last updated: Oct 15, 2018 05:37PM UTC

Unfortunately, crawling the application manually is not an option, as we want to be able to automate the scanning as part of acceptance testing. Neither can we 'disable or remove' application authentication temporarily or easily so as to have Burp scan for any vulnerabilities in the rest of the application. I would imagine JavaScript-based web apps to be fairly common. It would be great if you happen to know of anyone who managed to achieve this using Burp (so the crawler can handle web-form-based authentication of a JS-enabled application on its own), or any pointers. Thanks, Jayant

Burp User | Last updated: Oct 15, 2018 09:30PM UTC

A follow-up question. I was trying to see if using the REST API might offer a way to do this. I understand that in the current state it most likely might not help, as the API just allows triggering scans while still using the same crawler, which has this limitation of dealing with JS-enabled pages. I was thinking whether you would consider adding support in the API to accept cookies besides login credentials in the form of username/password. That way the caller can log in to the application outside of Burp, obtain the relevant session cookies and then supply them to Burp to use so it can SCAN the application. Regards, Jayant

PortSwigger Agent | Last updated: Oct 16, 2018 07:58AM UTC

Hi Jayant, I agree, being able to crawl JavaScript apps is an important feature. The API can't help with this; it doesn't expose any additional functionality beyond what's available in the UI. One other thing you can try is setting up a session handling rule, with the action "Set a specific cookie or parameter value". This will let you pass a hardcoded cookie to the crawl & scan. Let us know how you get on.

Burp User | Last updated: Oct 16, 2018 10:10PM UTC

Thanks, Paul. That seems like it should work, but it looks like one would need to launch the UI and add the rule. It does not appear to be accessible programmatically, which might not help. I anyway wanted to check if it remembers the setting (rule) across invocations, in case we were to manually configure it once and it is then preserved if Burp is restarted. However, when I tried adding the rule, it presents a warning with some garbled message (some GUI-level issue) and then Burp crashes. I have a screenshot but do not see a way to attach it. Regards, Jayant

PortSwigger Agent | Last updated: Oct 17, 2018 09:10AM UTC

Hi Jayant, Thanks for following up. Session rules are saved with project options. You can set them up in the UI, then save the options, and later use them from the command line with the --config-file switch. You can email the screenshot to support@portswigger.net. Also, we'd be interested to know your debug ID, which is in User options > Misc > Performance Feedback.

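The two suggestions above (first check whether the login works with JavaScript disabled, since that is all the crawler can do; if it does not, log in outside Burp and hardcode the resulting session cookie in a "Set a specific cookie or parameter value" session handling rule) can be scripted. The following is an added example, not code from PortSwigger or from the original posters. The `MockJsApp` server, its `/api/login` endpoint, the credentials and the cookie value are all constructed for the demo; for a real application, the JSON endpoint the page's script actually calls has to be discovered (for example in Burp's proxy history) and substituted.

```python
"""Added example: emulate a JavaScript-less crawler's form login, and if that
fails, obtain the session cookie out of band so it can be hardcoded in a Burp
session handling rule. The server below is a constructed stand-in."""
import json
import threading
import urllib.error
import urllib.parse
import urllib.request
from html.parser import HTMLParser
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

SESSION_COOKIE = "session=deadbeef"      # constructed value issued by the mock server
USER, PASSWORD = "jayant", "correct horse"  # constructed credentials


class MockJsApp(BaseHTTPRequestHandler):
    """Login form whose real submit goes through a script that POSTs JSON to
    /api/login; the raw HTML form action (/login) is a dead end, like the
    application described in the thread."""
    def log_message(self, *args):  # keep the demo quiet
        pass

    def _send(self, code, body, ctype="text/html", extra=()):
        self.send_response(code)
        self.send_header("Content-Type", ctype)
        for name, value in extra:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body.encode())

    def do_GET(self):
        if self.path == "/login":
            self._send(200, '<form method="post" action="/login">'
                            '<input name="username"><input name="password" type="password">'
                            '<input type="hidden" name="csrf" value="t0k3n"></form>'
                            '<script>/* real submit uses fetch("/api/login") */</script>')
        elif self.headers.get("Cookie") == SESSION_COOKIE:
            self._send(200, "<h1>Application main page</h1>")
        else:
            self._send(302, "", extra=[("Location", "/login")])

    def do_POST(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        if self.path == "/api/login":
            creds = json.loads(raw)
            if (creds.get("username"), creds.get("password")) == (USER, PASSWORD):
                self._send(200, '{"ok":true}', "application/json",
                           [("Set-Cookie", SESSION_COOKIE + "; HttpOnly")])
            else:
                self._send(401, '{"ok":false}', "application/json")
        else:  # the HTML form target is never meant to be hit without JS
            self._send(400, "Bad Request")


class FormParser(HTMLParser):
    """Collects the first form's action and its inputs' names/default values."""
    def __init__(self):
        super().__init__()
        self.action, self.fields = None, {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action", "")
        elif tag == "input" and a.get("name"):
            self.fields[a["name"]] = a.get("value", "")


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them, so we see the raw status."""
    def redirect_request(self, *args, **kwargs):
        return None


def _fetch(url, data=None, headers=None):
    """Returns (status, headers, body); non-2xx responses are not exceptions."""
    req = urllib.request.Request(url, data=data, headers=headers or {},
                                 method="POST" if data is not None else "GET")
    try:
        with urllib.request.build_opener(NoRedirect).open(req) as r:
            return r.status, r.headers, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.headers, e.read().decode()


def _cookie(headers):
    value = headers.get("Set-Cookie")
    return value.split(";")[0] if value else None


def form_login(base, user, pw):
    """What a JavaScript-less crawler can do: fetch /login, fill the HTML form,
    POST it to its action. Returns the session cookie, or None if that path fails."""
    _, _, html = _fetch(base + "/login")
    p = FormParser()
    p.feed(html)
    p.fields.update({"username": user, "password": pw})
    _, headers, _ = _fetch(urllib.parse.urljoin(base, p.action),
                           urllib.parse.urlencode(p.fields).encode(),
                           {"Content-Type": "application/x-www-form-urlencoded"})
    return _cookie(headers)


def api_login(base, user, pw):
    """Out-of-band login against the JSON endpoint the page's script would call
    (assumption for this mock: /api/login). The returned value is what you would
    hardcode in a 'Set a specific cookie or parameter value' rule."""
    body = json.dumps({"username": user, "password": pw}).encode()
    status, headers, _ = _fetch(base + "/api/login", body, {"Content-Type": "application/json"})
    return _cookie(headers) if status == 200 else None


def reaches_main_page(base, cookie):
    """Confirms the cookie the rule will inject actually gets past authentication."""
    status, _, body = _fetch(base + "/", headers={"Cookie": cookie} if cookie else {})
    return status == 200 and "Application main page" in body


def start_mock_server():
    srv = ThreadingHTTPServer(("127.0.0.1", 0), MockJsApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1]


if __name__ == "__main__":
    base = start_mock_server()
    print("form login without JS:", form_login(base, USER, PASSWORD))
    cookie = api_login(base, USER, PASSWORD)
    print("out-of-band login:", cookie, "-> main page:", reaches_main_page(base, cookie))
```

Against the mock, `form_login` comes back empty (the form's action answers 400, which is what the crawler would hit), while `api_login` yields the cookie and `reaches_main_page` confirms it is accepted. Once that cookie is in the session handling rule and the project options are saved, the thread's own advice applies: start Burp from the command line with the `--config-file` switch pointing at the saved options so the rule is loaded without touching the UI. Note that a hardcoded cookie expires with the server-side session, so regenerate it (and re-save the options) before each automated run rather than reusing an old one.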
Burp User | Last updated: Dec 10, 2019 08:17AM UTC

In the 'Details' tab of 'Sites', we have provided the ID of the login name, and in the actual Username and Password fields we have provided the required data. Despite this, we are quite sure that the scanner has not logged into our application. How can we solve this?

Ben, PortSwigger Agent | Last updated: Dec 10, 2019 08:27AM UTC

Hi Sanket, What version of Burp are you currently using?

Burp User | Last updated: Dec 11, 2019 05:35PM UTC

Hi Ben, I am a colleague of Sanket and we are working together. I will add further information to what Sanket mentioned. We are using Burp Suite Enterprise version 1.4.04. Currently we are in the evaluation phase of Burp Suite as an automatic vulnerability scanner for our products. Most of our products need JavaScript enabled to log in. So we would like to know whether login is possible for a JavaScript-enabled website. If yes, then how can we achieve this? If no, then by when are you guys going to support it?

Liam, PortSwigger Agent | Last updated: Dec 12, 2019 08:25AM UTC

Ankit, do you have a copy of Burp Suite Pro to test out our new crawling feature? - http://releases.portswigger.net/2019/11/professional-2105.html
