Best practice for recording login sequences

COMPANYPROFESSIONAL

Burp Suite Enterprise Edition’s recorded login sequence feature allows you to provide credentials that Burp Scanner can use when performing authenticated scans for applications with complex login mechanisms.

While the Burp Suite Navigation Recorder Chrome extension is easy to use in itself, successfully recording a login sequence for a sophisticated authentication mechanism can be a complex process.

We’ve put together some tips to help you successfully record login sequences.

Restrictions on recorded login sequences

Although recorded login sequences are intended for a variety of login mechanisms, they have some limitations:

• Recorded logins are only compatible with browser-based scans. If Burp Scanner fails to initialize its browser, the authenticated scan fails to start.

• Burp Scanner cannot self-enroll users or intentionally trigger login failures by submitting invalid credentials in conjunction with a recorded login sequence. As a result, Burp Scanner ignores all of them login features Crawl settings from your scan configuration when using recorded logins.

• Your authentication system may flag repeated logins as suspicious during the scan. This, in turn, could trigger additional authentication steps or anti-robot measures that the crawler cannot handle. In this case, we recommend running the scan on a test instance with checks disabled.

• Recorded logins are not compatible with two-factor authentication, character-based passwords, or CAPTCHA.

Tips for recording successful login sequences

These tips will help you create recorded login sequences that work the first time:

• Review the list of limitations above to ensure the authentication process for your target application is compatible with Burp Suite’s recorded logins.

• If the application uses a simple, one-step HTML login form, consider adding credentials instead of using a recorded login sequence. Using simple credentials wherever possible can result in faster scanning.

• After the login process is complete, exit the sequence without clicking any other links or logging out. The recorded login sequence is only used to complete the login process. Any additional navigation is automatically performed by the Burp Scanner as part of its crawl phase.

• Wait for the pages and items to fully load before taking the next action.

• Avoid unnecessary actions like extra mouse clicks. Burp Scanner repeats every action you record.

• Use mouse clicks (instead of keyboard shortcuts) to interact with all elements on the page. This tip also applies to fields that are automatically selected.

• Recorded login sequences are intended for web application authentication only. If the target server requires platform authentication, e.g. B. Microsoft NTLM, you should enter these credentials separately. You can set platform authentication credentials as part of a custom scan configuration.

• Make sure the login sequence ends on a page intended for scans of this website. Although the crawler can follow out-of-scope links during the login process, the login sequence must end on an in-scope page.

Troubleshooting recorded login sequences for Burp Suite Enterprise Edition

If Burp Scanner cannot play back a recorded login sequence during a scan, it cannot perform authenticated crawling. However, the scan will continue to run.

If your login sequence does not violate any of the recorded login restrictions and you have followed all of the best practice tips listed above, you should download the event log for the scan. The log error messages can tell you if the problem was with the login sequence itself or if there was a general problem with the browser.

Some log entries may represent transient errors that were later fixed. For example, if the target site imposes rate limits, you might see entries stating that the crawler was unable to log in. However, he may have successfully logged in to the scan later.