Enterprise Edition
Adding recorded login sequences
-
Last updated: July 16, 2024
-
Read time: 3 Minutes
A recorded login sequence is a set of instructions that tell Burp Scanner how to log in to a particular web app. Recorded login sequences enable Burp Scanner to audit content that only authenticated users can usually see, even on web apps that use complex login mechanisms such as Single Sign-On.
This section explains how to add login sequences to a new or existing site. For information on how to record the sequences themselves, see Recording login sequences (Scanner).
Note
If your web app uses a basic username and password-based authentication mechanism, you should consider adding username and password credentials rather than adding a recorded login sequence. Using username and password credentials can improve scan times and reduce the likelihood of errors. You cannot use both authentication methods on a single web app in Burp Suite Enterprise Edition.
Adding recorded login sequences to Burp Suite Enterprise Edition
You can add recorded login sequences when adding a new web app site. You can also add sequences to existing sites.
Add a recorded login sequence for a new web app
To add a recorded login sequence when you add a new web app site:
- On the top menu, select Sites > Add a new site to display the Create a new site page.
- In the Scan settings section, select Authentication > Application logins.
- Select Recorded login sequences.
- Click Add a recorded login sequence.
- In the dialog box, enter a unique Label to identify this recorded login.
- Paste the login script into the Paste script field.
- Click Save.
Note
Burp Scanner always uses Burp's browser to perform recorded login sequences when scanning, even if you have not selected Use Burp's browser for Crawl and Audit in your scan configuration.
Add a recorded login sequence for an existing web app
To add a recorded login sequence for an existing web app:
- On the top menu, select Sites to display the site tree.
- Select the web app site you want to set up notifications for.
- Select the Details tab and click Edit.
- In the Scan settings section, select Authentication > Application logins.
- Select Recorded login sequences.
- Click Add a recorded login sequence.
- In the dialog box, enter a unique Label to identify this recorded login.
- Paste the login script into the Paste script field.
- Click Save to close the dialog box.
- Click Save.
To add an additional recorded login, click the plus button and repeat steps 7 to 9.
To delete a recorded login, click the trash icon .
Reviewing a recorded login sequence
When you run a pre-scan check, Burp Suite Enterprise Edition captures images from your recorded login sequences. You can review the images from each sequence, to make sure that they successfully log in to the site.
Note
For security reasons, you need permission to view recorded logins.
To grant users permission to view recorded logins, an admin user needs to:
- Create a new role that has permission to View sites, View site details, and View site application login details.
- If the role also needs to enable users to run pre-scan checks, give permission to Edit sites and folders.
- Create a new group that contains the new role, the appropriate users, and any site restrictions.
- Ask the users to sign out and sign in again, for the changes to take effect.
To review your recorded login sequences:
- From the Sites menu, select a web app site.
- In the Health Status menu, click Run health check. Wait for the health check to complete.
-
Expand the Health status menu and go to the Recorded logins tab.
- To review a specific recorded login sequence, click Review replay.
- Review the images of the recorded login replay, to make sure that the login is successful.
Note
You will see an error message if there is an error with the script for the recorded login.
Recorded login images are only stored for 14 days. After this period, you need to run a new health check in order to review your login sequence.