Burp Suite DAST's recorded login sequence feature enables you to specify login details that Burp Scanner can use when performing authenticated scanning on applications with complex login mechanisms.
While the Burp Suite Navigation Recorder Chrome extension is easy to use in itself, successfully recording a login sequence for a sophisticated authentication mechanism can be a complex process.
We have compiled some advice that should help you record login sequences successfully.
Limitations of recorded login sequences
Although recorded login sequences are intended to handle a wide variety of login mechanisms, they do have some limitations:
Recorded logins are only compatible with browser-powered scans. If Burp Scanner cannot initialize its browser then the authenticated scan cannot start.
Burp Scanner cannot self-register users or deliberately trigger login failures by submitting invalid credentials in conjunction with a recorded login sequence. As a result, Burp Scanner ignores any Testing login functions crawl settings from your scan configuration when using recorded logins.
Your authentication system may flag repeated logins made during the scan as suspicious. This in turn could trigger additional authentication steps or anti-robot measures that the crawler is unable to handle. In this case, we recommend running the scan on a test instance with these checks disabled.
Recorded logins are not compatible with two-factor authentication, character-select passwords, or CAPTCHA.
Note
Recorded logins do not support CAPTCHA because CAPTCHA systems are specifically designed to deny automated systems such as our recorded login tool. Adding support would likely result in CAPTCHA providers patching the methods we would use to bypass the CAPTCHA mechanism, potentially creating a cycle of us finding CAPTCHA vulnerabilities and providers patching them out.
Tips for recording successful login sequences
These tips will help you to create recorded login sequences that work first time:
Read the above list of limitations to make sure that the authentication process for your target application is compatible with Burp Suite's recorded logins.
If the application uses a basic, single-step HTML login form, consider adding login credentials rather than using a recorded login sequence. Using simple login credentials wherever possible can result in faster scanning.
After the login process is complete, end the sequence without clicking on any other links or logging out. The recorded login sequence is designed to perform the login process only. Any additional navigation is automatically handled by Burp Scanner as part of its crawl phase.
Wait for pages and elements to finish loading completely before performing the next action.
Avoid any unnecessary actions such as additional mouse clicks. Burp Scanner repeats all the actions you record.
Use mouse clicks (rather than keyboard shortcuts) to interact with all elements on the page. This tip applies even for fields that are automatically selected.
Recorded login sequences are intended to handle web application authentication only. If the destination server requires platform authentication, such as Microsoft NTLM, then you should enter these credentials separately. You can set platform authentication credentials as part of a custom scan configuration.
Make sure that the login sequence finishes on a page that is in scope for scans of this site. Although the crawler can follow out-of-scope links during the login process, the login sequence must end on a page that is in scope.
Configure the status checker to monitor authentication status during scans. Choose a URL that reliably shows when you're logged in and select text from the page that only appears for authenticated users.
Status checker best practices
When configuring the status checker alongside your recorded login sequences, follow these guidelines:
Choose a reliable URL - Select a URL that consistently shows authentication status, such as an account dashboard or profile page. Avoid pages that might be cached or show the same content for both authenticated and unauthenticated users.
Select specific confirmation text - Choose text that only appears when you're logged in, such as "My Account", a username, or "Welcome back". Avoid generic text that might appear for all users.
Test your configuration - Verify that the confirmation text is only displayed when you're logged in. This helps the status checker to accurately detect authentication failures.
Use in-scope URLs when possible - While the status checker can check out-of-scope URLs, using an in-scope URL helps make sure the status check doesn't interfere with the scan's crawling and auditing phases.
Troubleshooting recorded login sequences for Burp Suite DAST
If Burp Scanner is unable to replay a recorded login sequence during a scan then it cannot perform an authenticated crawl. However, the scan will still run.
If your login sequence does not break any of the limitations for recorded logins, and you have followed all the best practice tips listed above, then you should download the event log for the scan. The log error messages could tell you whether the issue was with the login sequence itself or whether there was a general issue with the browser.
Some log entries may represent temporary failures that were later resolved. For example, if the target site imposes rate limits, you might see entries saying that the crawler was unable to log in. However, it may have logged in successfully later in the scan.