Burp Suite User Forum


Authenticated Scanning and Javascript crawling

Jyothsna | Last updated: Nov 05, 2019 12:44AM UTC

Hi PortSwigger, how can I create a new active scan that can either use a session handling rule or other means to run an authenticated scan? My site doesn't use Basic Auth; it uses OAuth 2.0 for authentication. I also want to enable JavaScript crawling. I am using Burp Suite Professional 2.1.04. Thanks, --Jyothsna

Ben, PortSwigger Agent | Last updated: Nov 05, 2019 10:08AM UTC

Hi Jyothsna, Thank you for your message. Unfortunately, Burp does not currently support authentication using OAuth. We do have a feature request in our roadmap to support non-standard authentication (SSO, 2FA etc.) but we cannot provide an ETA of when this will be released. I have associated your query with this feature request so that you will be informed when it is released. Having said that, have you looked in the BApp store for any Burp extensions that might provide this functionality? The Add Custom Header extension sounds like it might provide what you are looking for. We have just released Burp Suite Professional Version 2.1.05, which contains a new experimental embedded browser to crawl JavaScript-heavy applications; there is more information about this (and its current limitations) in the following link: http://releases.portswigger.net/2019/11/professional-2105.html The alternative is to manually crawl the website in order to populate the Site Map so that you can then perform an automated audit. Please let us know if you need any further assistance.
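The workaround Ben points at (supplying the already-issued OAuth 2.0 bearer token on every scanner request, since Burp cannot perform the OAuth flow itself) can also be done with a small Burp extension. The following is an added example written for this thread; it is not PortSwigger code and not the Add Custom Header BApp. It uses the legacy Extender API (so it runs under Jython inside Burp), assumes you have obtained a valid access token for your own application out of band (for example from the browser's developer tools) and placed it in a `BURP_BEARER_TOKEN` environment variable, and uses `app.example.test` as a placeholder for the host under test. The helper functions are plain Python so their behaviour can be checked outside Burp.

```python
"""
Bearer token injector for Burp Scanner/Repeater/Intruder traffic.

Added example, not PortSwigger's code. Assumptions: the legacy Burp Extender
API (Jython), a token obtained out of band in BURP_BEARER_TOKEN, and a
placeholder target host. The token is only attached to requests for that
host so it is never leaked to third-party origins the crawler may reach.
"""
import os

try:
    # Real Burp interfaces; only importable when loaded inside Burp.
    from burp import IBurpExtender, IHttpListener
except ImportError:
    # Stand-ins so the pure-Python helpers below can be exercised outside Burp.
    class IBurpExtender(object):
        pass

    class IHttpListener(object):
        pass

TARGET_HOST = "app.example.test"  # placeholder: the application you are authorised to test
TOKEN = os.environ.get("BURP_BEARER_TOKEN", "PLACEHOLDER_TOKEN")  # placeholder default


def add_bearer_header(headers, token):
    """Return a copy of a Burp header list (request line first) carrying exactly
    one 'Authorization: Bearer <token>' header. Any existing Authorization
    header (e.g. a stale token or Basic credentials) is replaced, not duplicated."""
    kept = [h for h in headers if not h.lower().startswith("authorization:")]
    kept.append("Authorization: Bearer " + token)
    return kept


def host_matches(host, target):
    """Case-insensitive host comparison used to scope token injection."""
    return host.lower() == target.lower()


class BurpExtender(IBurpExtender, IHttpListener):
    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Bearer token injector (example)")
        callbacks.registerHttpListener(self)
        # Only rewrite traffic generated by the crawl/audit and manual tools;
        # Proxy traffic from the real browser already carries its own token.
        self._tools = (callbacks.TOOL_SCANNER
                       | callbacks.TOOL_REPEATER
                       | callbacks.TOOL_INTRUDER)

    def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
        if not messageIsRequest or not (toolFlag & self._tools):
            return
        if not host_matches(messageInfo.getHttpService().getHost(), TARGET_HOST):
            return  # never send the token to another host
        analyzed = self._helpers.analyzeRequest(messageInfo)
        headers = list(analyzed.getHeaders())
        body = messageInfo.getRequest()[analyzed.getBodyOffset():]
        new_headers = add_bearer_header(headers, TOKEN)
        messageInfo.setRequest(self._helpers.buildHttpMessage(new_headers, body))
```

Load it via Extender > Extensions with a Jython standalone JAR configured, then crawl and audit the target as usual; because the listener replaces rather than appends the header, rotating the token is just a matter of restarting the extension with a new `BURP_BEARER_TOKEN`. The host check is the part worth keeping even if you adapt the rest: a scanner that follows links off-site would otherwise hand your access token to whatever third-party host it reaches.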

Ben, PortSwigger Agent | Last updated: Nov 13, 2019 03:13PM UTC

Hi Jyothsna, The following links provide some information on writing a Burp Extension: https://portswigger.net/burp/extender/writing-your-first-burp-suite-extension https://portswigger.net/burp/extender#SampleExtensions Please let us know if you require any further assistance.

Burp User | Last updated: Nov 15, 2019 12:41AM UTC

Is there some documentation that shows how to start to write a Burp Suite Extension?

Burp User | Last updated: Nov 20, 2019 11:33AM UTC

Hi team, how do I do an authenticated scan with Burp Suite v2.1.05? Are there any articles to go through? Thanks and regards, Leelakishore. p

Ben, PortSwigger Agent | Last updated: Nov 20, 2019 11:34AM UTC

Hi Leelakishore, What authentication are you trying to carry out? Are you wanting to log into a site using a username/password to discover authenticated content or are you wanting to carry out platform authentication on a destination server to allow you to scan a web application?

Kamil | Last updated: May 24, 2021 01:54PM UTC

It's 2021 now and Burp (2021.5.1) has the ability to use a recorded logon process and does have an option to use a built-in browser for active crawling. The thing is, that it does not seem to work. I.e. Burp executes the recorded logon sequence and then barely uses authenticated calls to anything and is not able to detect any endpoints which are normally called by the authenticated app's JavaScript code (actually being accessed when the recorded logon sequence is run).

Ben, PortSwigger Agent | Last updated: May 25, 2021 01:17PM UTC

Hi Kamil, Is this the same issue that you are experiencing in the email that you have also sent us?
