Name is required.
Email address is required.
Invalid email address
Answer is required.
Exceeding max length of 5KB

Burp crawl and audit fails against the DVWA.

Burp user Oct 19, 2019 12:28AM UTC

Hi,

I'm using burp's crawl and audit scan to find as many issues in the DVWA as possible. However, the configured "Application login" fails to log in the application and perform an authenticated crawl and scan. The crawl configuration in "Login Functions" has both options checked and "Miscellaneous" configuration has "Submit forms" option checked as well. I would be grateful if you could provide guidance as to how to configure burp scan to perform an authenticated crawl and audit against the DVWA which would be initiated by crawling itself.

Thanks


Burp user Oct 19, 2019 12:29AM UTC
It seems that I'm not the only user observing this behaviour. The following thread seems to be strictly related: https://support.portswigger.net/customer/portal/questions/17631025-crawl-and-audit-scan-with-authentication .

Burp user Oct 19, 2019 01:05AM UTC
From what I can see, burp sends a proper authentication request but the subsequent stages are not using a valid session.

It seems that burp cannot handle csrf/redirect/sessionid combo correctly despite of having in "Audit Optimization" configuration these two options checked: "Automatically maintain..." and "Follow redirections...".

I hope the above helps.

Burp user Oct 19, 2019 06:44AM UTC
I was able to finally find the settings which performed an authenticated crawl and audit. With the crawl strategy set to "most complete" and audit accuracy set to "normal" burp worked as expected. This however is far from optimal, i.e. if the user wants to perform an authenticated audit only there's no option to skip crawling phase and the time for a scan extends drastically. Not too mention the fact, that changing these parameters should skip authenticated crawl/audit altogether without notifying the user.

Side question, is there a possible audit and/or crawl configuration/feature which would automatically detect that the web form in the "DVWA Security" can set different cookie values and that these values can/should be also used during the scan?

Mike Eaton Oct 21, 2019 10:50AM UTC Support Center agent

Hi, it sounds like Burp Suite is not finding the login page of the DVWA unless you have your Crawl Optimization > Crawl strategy set to ‘Most Complete’. You could confirm this by installing a request monitoring extension like Flow or Logger++ and then running the crawl with a strategy set to normal and see if the crawler tries to authenticate in the login page.

In regards to your point in which you can’t skip the crawling phase, once you have crawled the entire application you should be able to audit the site which has been populated in the site map, which would prevent you from having to crawl the application every time you want to scan.

In Project Options > Sessions > Cookie Jar, you can control how Burp updates the cookies it discovers from using different tools in the application. Is this what you are looking for?


Post Your public answer

Your name
Your email address
Answer