
PortSwigger Web Security Blog

Thursday, 13 November 2008

[MoBP] Spidering authenticated applications

Related to yesterday's post is a further enhancement to the way the Spider handles form submission. In the new version, you can control how Burp handles login forms, separately from the configuration for forms in general. You can tell the Spider to perform one of four different actions when a login form is encountered:

  • You can ignore the login form, if you don't have credentials or are concerned about spidering sensitive protected functionality.

  • You can prompt for guidance interactively, enabling you to specify credentials on a case-by-case basis.

  • You can treat login forms as any other form, using the configuration and auto-fill rules you have configured for those.

  • You can automatically submit specific credentials in every login form encountered.

In the last case, any time Burp encounters a form containing a password field, it will submit your configured password in that field, and will submit your configured username in the text input field whose name most looks like a username field. The UI for configuring application login looks like this:
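The detection and auto-fill rule just described (a form is a login form if it contains a password field; the password goes into that field and the username into the text input whose name looks most like a username field), as an added illustration that is not Burp's own code. The hint list, the scoring by substring hits, and the sample HTML are all assumptions made for the example.

```python
from html.parser import HTMLParser

# Constructed sample page (not from the post): one search form, one login form.
SAMPLE_HTML = """
<form action="/search"><input type="text" name="q"></form>
<form action="/login" method="post">
  <input type="hidden" name="csrf" value="abc123">
  <input type="text" name="captcha_answer">
  <input type="text" name="user_email">
  <input type="password" name="pass">
</form>"""

# Substrings that make an input name look like a username field (assumed list).
USERNAME_HINTS = ("user", "login", "email", "uid", "account", "name")

class FormCollector(HTMLParser):
    # Record each <form> and its <input> fields in document order.
    def __init__(self):
        super().__init__()
        self.forms = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append({"type": (a.get("type") or "text").lower(),
                                             "name": a.get("name") or "", "value": a.get("value") or ""})

def parse_forms(html):
    p = FormCollector()
    p.feed(html)
    return p.forms

def is_login_form(form):
    # The post's rule: a login form is any form containing a password field.
    return any(i["type"] == "password" for i in form["inputs"])

def best_username_field(form):
    # Name of the text input that most looks like a username field (most hint hits).
    texts = [i["name"] for i in form["inputs"] if i["type"] == "text"]
    # max() keeps the first candidate on ties, so document order breaks them.
    return max(texts, key=lambda n: sum(h in n.lower() for h in USERNAME_HINTS), default=None)

def fill_login_form(form, username, password):
    # Field values to submit for a login form, or None for any other form.
    if not is_login_form(form):
        return None
    target = best_username_field(form)
    return {i["name"]: password if i["type"] == "password"   # every password field
            else username if i["name"] == target              # the username-like field
            else i["value"]                                   # keep hidden fields such as CSRF tokens
            for i in form["inputs"]}
```

Running `fill_login_form` over each form from `parse_forms(SAMPLE_HTML)` leaves the search form alone and fills only the login form, choosing `user_email` over `captcha_answer` because of its hint score rather than its position.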

2 comments:

blad3 said...

How do you know when you have a login form or a "normal" form? You look for a password type input or you look for input names or ?

PortSwigger said...

@blad3

You look for a password type input.


Copyright 2014 PortSwigger Ltd. All rights reserved.