Burp Suite User Forum

Scanning Website with Basic Auth

DC | Last updated: Jun 03, 2019 09:17PM UTC

I'm not sure if this is related to [1], but I'm trying to scan our dev site with Burp Suite Enterprise. The site is protected with basic auth (login is just a browser prompt). I tried running a scan after adding the credentials to the Application Login section of the Sites page on the admin console, but it only scanned a single page, so it doesn't look like it's actually working. I tried importing a JSON file from Burp Suite Pro after saving the credentials under Platform Authentication of the User Options tab, but it still doesn't seem to work. Any help would be appreciated. Thank you!

[1]: https://support.portswigger.net/customer/portal/questions/17576010-scanning-a-site-with-platform-authentication-burp-suite-enterprise-rest-api-

PortSwigger Agent | Last updated: Jun 04, 2019 09:34AM UTC

Ok, you are on the right track, but you must configure the credentials within Project Options, not User Options. Let us know if this doesn't work or you need any more assistance.

Burp User | Last updated: Jun 04, 2019 09:11PM UTC

Thanks for clarifying about the Project Options tab. Sadly, even after doing so, it's still showing as one page being crawled. I set the Destination Host as the IP of the application's server, but I should note that you can't actually access the application by just going to that IP in a web browser. You have to use the URL, which is what I've put into Burp Suite Enterprise's Sites page. I tried passing the username and password in the following format: https://username:password@example.com/ and that bypassed the need to log in when I tested it with Firefox and IE, but Chrome still asked me for credentials. I'm not sure how Burp Suite's browser handles that kind of stuff, but the logs keep saying "authentication failure" for anything I do.

PortSwigger Agent | Last updated: Jun 05, 2019 08:50AM UTC

I'm not immediately sure why your setup isn't working. We've tested this approach for using basic auth, and it works correctly with Burp Enterprise in our labs. In general, if Burp Enterprise is having difficulty scanning something, I recommend first using Burp Pro to scan the app, as this provides more diagnostics. When that's working you can use the same configuration with Burp Enterprise.

Victor | Last updated: May 29, 2020 07:48AM UTC

Same issue here. We have tested the config in Burp Pro and it works, but when we import the JSON file into Burp Enterprise, it only crawls the first page. Any clue about the root cause?

Ben, PortSwigger Agent | Last updated: May 29, 2020 01:05PM UTC

Hi, just to confirm, you are trying to use Basic authentication in Burp Enterprise? You can now do this natively within the latest versions of Burp Enterprise. Navigate to Scan configurations from the main menu and then click New configuration in the resulting Scan configurations page. This will allow you to create a new scan configuration - at the bottom of this page is the Connection -> Platform Authentication section where you can enter the Basic authentication details that you require.
