Applies to: Burp Suite Enterprise Edition, Burp Suite Professional

Recorded login sequences

  • Last updated: June 8, 2023

  • Read time: 2 Minutes

When configuring application logins for a scan, you can import a recorded login sequence rather than supplying basic user credentials. A recorded login sequence is a set of instructions that tell Burp Scanner how to log in to the website.

Recorded login sequences enable Burp to handle complex authentication mechanisms, including:

  • Single sign-on.
  • Multi-step logins in which the username and password are not entered in the same form.
  • Login forms that contain, for example, extra fields or checkboxes.

Note

When running a recorded login sequence, Burp Scanner can temporarily follow any out-of-scope links that are necessary to perform the login sequence. However, these locations are not crawled or audited as part of the scan.

Recorded login sequences are especially useful if you are using Burp Suite Enterprise Edition to automate scanning across a large application portfolio. In this case, you may be able to record an application's login sequence once and re-use it multiple times.

Using recorded login sequences

To record your login sequences, use the Burp Suite Navigation Recorder. This Chrome extension captures your interactions with the website while you perform the login sequence manually. It then generates a JSON-based "script" that you can import into Burp Suite Professional or Burp Suite Enterprise Edition.

Note

We recommend that you read the Best practice for recording login sequences documentation before attempting to record a login sequence. This page contains advice that should help you to record login sequences that work first time.

The next time Burp Scanner performs an authenticated crawl, it opens a new browser session and uses this script to perform the full login sequence.
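To make the ideas above concrete (a multi-step login where the username and password live on different pages, and the note that out-of-scope locations can be followed during login but are not crawled), here is an added example written for this page. It is not code from the Burp Suite Navigation Recorder or Burp Scanner, and the JSON step schema it replays is an assumption for illustration only, not the format the recorder emits. The mock site, the scope definition, the hostnames and the credentials are all constructed for the example.

```python
import json

# Constructed sample recording. The step schema is an assumption for this
# example; it is NOT the JSON emitted by the Burp Suite Navigation Recorder.
RECORDED_SEQUENCE = json.dumps([
    {"action": "navigate", "url": "https://app.example.com/login"},
    {"action": "type", "selector": "#username", "value": "alice"},
    {"action": "click", "selector": "#next"},
    {"action": "type", "selector": "#password", "value": "s3cret"},
    {"action": "click", "selector": "#submit"},
])

# Scan scope (constructed): only the application host. The SSO host is out of scope.
SCAN_SCOPE = ["https://app.example.com/"]


class MockSite:
    """Stand-in for a two-step login that hops through an out-of-scope SSO host.

    /login (username only) --#next--> https://sso.example.net/auth (password)
    --#submit--> /home with a session cookie on success.
    """

    # Which selectors exist on each page; a misrecorded step fails loudly.
    PAGES = {
        "https://app.example.com/login": {"#username", "#next"},
        "https://sso.example.net/auth": {"#password", "#submit"},
        "https://app.example.com/home": set(),
    }

    def __init__(self):
        self.url = None
        self.fields = {}
        self.cookies = {}
        self.pending_user = None

    def navigate(self, url):
        if url not in self.PAGES:
            raise RuntimeError(f"unknown page {url}")
        self.url = url
        self.fields = {}

    def _require(self, selector):
        if selector not in self.PAGES[self.url]:
            raise RuntimeError(f"{selector} not present on {self.url}")

    def type(self, selector, value):
        self._require(selector)
        self.fields[selector] = value

    def click(self, selector):
        self._require(selector)
        if selector == "#next":
            self.pending_user = self.fields.get("#username")
            self.navigate("https://sso.example.net/auth")
        elif selector == "#submit":
            if self.pending_user == "alice" and self.fields.get("#password") == "s3cret":
                self.cookies["session"] = "sess-abc123"
                self.navigate("https://app.example.com/home")
            else:
                raise RuntimeError("login rejected")


def in_scope(url, scope):
    return any(url.startswith(prefix) for prefix in scope)


def replay(sequence_json, site, scope):
    """Execute the recorded steps, then report which URLs were touched.

    Out-of-scope URLs are followed so the login can complete, but they are
    reported separately and excluded from the crawl seeds.
    """
    visited = []
    for step in json.loads(sequence_json):
        action = step["action"]
        if action == "navigate":
            site.navigate(step["url"])
        elif action == "type":
            site.type(step["selector"], step["value"])
        elif action == "click":
            site.click(step["selector"])
        else:
            raise ValueError(f"unsupported action {action!r}")
        if not visited or visited[-1] != site.url:
            visited.append(site.url)
    return {
        "cookies": dict(site.cookies),
        "visited": visited,
        "followed_out_of_scope": [u for u in visited if not in_scope(u, scope)],
        "crawl_seeds": [u for u in visited if in_scope(u, scope)],
    }


if __name__ == "__main__":
    print(json.dumps(replay(RECORDED_SEQUENCE, MockSite(), SCAN_SCOPE), indent=2))
```

The replayer deliberately treats a selector that does not exist on the current page as a hard failure rather than skipping the step: a sequence that silently skips a field will appear to "work" while leaving the scanner unauthenticated, which is the class of problem the best-practice guidance is meant to avoid. The `followed_out_of_scope` list shows the SSO hop being traversed for the login while `crawl_seeds` contains only in-scope URLs.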
