Troubleshooting recorded login sequences

  • Last updated: June 8, 2023

  • Read time: 2 Minutes

Burp Scanner is sometimes unable to replay a recorded login sequence during the scan. Although this won't cause the scan to fail completely, failing to replay the sequence prevents Burp Scanner from performing an authenticated crawl.

There are several steps you can take to troubleshoot these issues:

  • Check the Limitations of recorded login sequences page to make sure that the application's login mechanism is compatible with the recorded logins feature.
  • Check for error messages in the scan's event log. These might tell you whether the issue is the login sequence or whether there is a general issue with the browser. Note that some log entries may only represent temporary failures that were later resolved. For example, if the target site imposes rate limits, you might see many entries saying that Burp Scanner was unable to log in. However, it may have logged in successfully later in the scan.

  • From the Help menu of Burp's browser, run a health check to make sure there are no issues with the browser. Recorded logins are only compatible with browser-powered scans. Burp Scanner cannot use your recorded login sequence if there is an issue preventing browser-powered scanning.

    For more information, see Burp's browser.

  • Use the Replay function to test the recorded login sequence. Make sure that the sequence finishes on the page you would expect it to after logging in. If it does not, you may be able to determine the final action that Burp was able to perform as expected. Try re-recording the login sequence and run another test. If this new recording also fails at the same stage, it may be that the next action in the sequence is not supported by Burp Scanner. For more information on replaying login sequences in Burp Suite Enterprise Edition, see Reviewing a recorded login sequence.

  • Double-check that the login sequence finishes on a page that is in scope for the scan. Although the crawler can follow out-of-scope links during the login process, the login sequence must end on an in-scope page.

Was this article helpful?