Burp Suite, the leading toolkit for web application security testing

PortSwigger Web Security Blog

Thursday, November 13, 2008

[MoBP] Spidering authenticated applications

Related to yesterday's post is a further enhancement to the way the Spider handles form submission. In the new version, you can control how Burp handles login forms, separately from the configuration for forms in general. You can tell the Spider to perform one of four different actions when a login form is encountered:

  • You can ignore the login form, if you don't have credentials, or are concerned about spidering sensitive protected functionality.

  • You can prompt for guidance interactively, enabling you to specify credentials on a case-by-case basis.

  • You can treat login forms as any other form, using the configuration and auto-fill rules you have configured for those.

  • You can automatically submit specific credentials in every login form encountered.

In the last case, any time Burp encounters a form containing a password field, it will submit your configured password in that field, and will submit your configured username in the text input field whose name most looks like a username field. The UI for configuring application login looks like this:


blad3 said...

How do you know when you have a login form or a "normal" form? You look for a password type input or you look for input names or ?

PortSwigger said...


You look for a password type input.

Blog Archive

Support Center

Get help and join the community discussions at the Burp Suite Support Center.

Visit the Support Center ›

Copyright 2015 PortSwigger Ltd. All rights reserved.