Authenticated scanning

When crawling a target application, Burp Scanner attempts to cover as much of the application's attack surface as possible. Authenticated scanning enables Burp to crawl privileged content that requires a login to access, such as user dashboards and admin panels.

Burp Scanner can authenticate with target applications in two ways:

• Login credentials are simple username and password pairs. They are intended for sites that use a single-step login mechanism.
• Recorded login sequences are user-defined sequences of instructions. They are intended for sites that use complex login mechanisms such as Single Sign-On. In Burp Suite Professional, you can use AI to generate login sequences automatically.

You can only use one authentication method per scan. If you enter both login credentials and a recorded login sequence, Burp Scanner ignores the provided login credentials.