1. Support Center
  2. Documentation
  3. Scanner
  4. Authenticated scanning
  5. Recording login sequences

Recording login sequences

Recorded login sequences enable Burp Scanner to audit content that only authenticated users can usually see, even on sites that use complex login mechanisms such as Single Sign-On. This section explains how to record a login sequence and then add it to a new or existing site.

In Burp Suite Professional, you can also use AI to generate login sequences automatically, saving time and reducing the chance of human error. For more information on how to do this, see Generating recorded login sequences using AI.

Note

If your site uses a basic username and password-based authentication mechanism, add username and password credentials rather than a recorded login sequence. Using username and password credentials can improve scan times and reduce the likelihood of errors. You cannot use both authentication methods on a single application in either Burp Suite Professional or Burp Suite DAST.

Preparing the Burp Suite Navigation Recorder extension

Before you can record a login sequence, you may need to install and configure the Burp Suite Navigation Recorder Chrome extension.

This step is required to record logins in Burp Suite DAST. It is optional in Burp Suite Professional, as Burp's browser comes with the extension pre-installed. However, you may still want to install the extension so that you can record logins in a standard Chrome installation.

To install and configure the extension:

  1. Open Chrome and navigate to the Burp Suite Navigation Recorder extension page.
  2. Click Add to Chrome.
  3. In the dialog box, click Add extension to install the extension.
  4. Click the extension icon on the Chrome toolbar to open the extension menu.
  5. Click Manage extensions to display the Extensions page.
  6. Select Allow in incognito.

Using the extension without incognito mode

You can use the extension without incognito mode in a standard Chrome installation, for example if you have organization restrictions that prohibit the use of incognito mode. However, we strongly recommend using incognito mode whenever possible to avoid issues with stateful behavior. Recording without incognito mode may result in a recorded login that appears to work, but stops working after your session ends.

To install the extension without incognito mode, follow the above steps, but click Continue without incognito at Step 6.

If you have already installed the extension, you can set the extension to not use incognito mode:

Recording a login sequence

Read the Best practice for recording login sequences page before attempting to record a login sequence. This page contains advice to help you to avoid some common errors made when recording complex authentication sequences.

To record a login sequence:

  1. If you are using Burp Suite DAST, or want to record logins for Burp Suite Professional in a standard Chrome installation, install the Burp Suite Navigation Recorder Chrome extension. We recommend that you set the extension to run in incognito mode. For more information, see Preparing the Burp Suite Navigation Recorder extension.
  2. Click the extension icon on the Chrome toolbar and select Burp Suite Navigation Recorder.
  3. At the prompt, click Start recording. A new window opens.
  4. In the window, browse to the target website.
  5. Complete the login sequence that you want to capture.
  6. When you're done, click the extension icon, select Burp Suite Navigation Recorder, and click Stop recording.

The extension automatically copies the generated script to your clipboard. You can re-copy the script by selecting the extension icon and selecting Copy to clipboard.

You can repeat this process for each set of credentials that you want to use for scans of this site. For example, you might record one login sequence in which you log in as a normal user and another sequence in which you log in as an administrator.

Note

Burp Scanner uses Burp's browser to perform recorded login sequences when scanning, even if you have not selected Use Burp's browser for crawl and audit in your scan configuration.

Adding recorded login sequences to Burp

Once you have recorded a login sequence, you're ready to add it to Burp. This process is different depending on whether you're using Burp Suite Professional or Burp Suite DAST.

Add a recorded login sequence to Burp Suite DAST

To add a recorded login sequence to Burp Suite DAST:

  1. On the top menu, select Sites to display the site tree.
  2. Select the site you want to set up notifications for.
  3. Select the Details tab and click Edit.
  4. In the Scan settings section, select the Application logins tab.
  5. Select the Upload recorded login sequences radio button.
  6. Click Add a recorded login.
  7. In the dialog box, enter a unique Label to identify this recorded login.
  8. Paste the login script into the Paste script field.

  9. Configure the status checker to monitor authentication during the scan:

  10. Click Save to close the dialog box.
  11. Click Save. Burp adds the recorded sequence to the list of application logins for the site.

Adding login sequences to Burp Suite Professional

To add a login sequence to Burp Suite Professional:

  1. From the dashboard, click New Scan to open the scan launcher.
  2. Select Application login.
  3. Select Use recorded login sequences.
  4. Click Manual recorded login, then click Continue to display the New Recorded Login dialog.
  5. Enter a descriptive Label for the login.
  6. Paste the data from your clipboard into the Paste Script field.
  7. Click OK. Burp adds the recorded sequence to the list of application logins.