Authenticated scanning improvements in Burp Scanner

Burp Suite’s authenticated scanning characteristic allows customers to scan privileged areas of goal internet purposes even when a posh login sequence is required. This leverages Burp’s browser – utilizing the included Burp Suite Navigation Recorder extension to retailer a report of your login actions in JSON. This could then be handed to Burp Scanner to be used in automated testing. Authenticated scanning is obtainable in each Burp Suite Enterprise Version and Burp Suite Skilled, and allows environment friendly testing of contemporary internet apps.

Burp Suite 2021.9.1¬†introduced in some highly effective new developments – together with a lot of behind-the-scenes enhancements to the way in which authenticated scanning works. Now you can report login sequences in a lot of new contexts – serving to you to check right this moment’s ever extra advanced internet purposes. On this put up, we’ll take a more in-depth take a look at the authenticated scanning options Burp Scanner gained in model 2021.9.1.

You may additionally wish to see the most recent Burp Suite launch notes.

New – iframes

These days, it is pretty widespread for an online utility to make the most of iframe components throughout the login course of. Though they’re utilized by many techniques, iframes might be problematic for a scanner – provided that they’re primarily a web page embedded inside one other web page (proper all the way down to having separate URLs).

As of launch 2021.9.1, Burp Suite is ready to report and replay interactions inside iframes – logging the sequence you enter. The keen-eyed amongst you could have seen a brand new property within the Navigation Recorder’s JSON output referred to as frameId, which is vital to this functionality – uniquely figuring out iframes.

New – animated components

When Burp Scanner must click on on a component with a purpose to replay a login, it initiates a sequence of occasions which culminates in Burp’s Chromium browser offering a set of coordinates to ship a click on occasion to. However with animated components, that is barely trickier. Within the time taken to finish the identification and site course of, the component could have moved to a unique location.

This used to imply that Burp Scanner may run into issues when coping with animated components (utilized by techniques together with Microsoft SSO) throughout a recorded login. As of launch 2021.9.1, Burp Scanner now waits for such animations to complete animating earlier than it sends actions – fixing this challenge.

For extra data on how the Navigation Recorder and Burp Scanner work collectively, try our scanner workforce’s current weblog put up on how Burp Suite data logins.

New – DOM-based redirections

From a scanning perspective, one drawback with JavaScript is that it isn’t all the time easy to see when it’ll execute. As an illustration, a web page’s physique component would possibly comprise an onload occasion handler which (as quickly because the web page is totally loaded) redirects the person to a login web page. An instance of this could be when a web page shows an informational message for a set time frame, earlier than redirecting the person to a login display.

Burp Scanner is now in a position to higher deal with such redirections throughout authenticated scanning – including additional utility when testing fashionable internet apps. Modifications have additionally been made below the hood, to provide Burp Scanner a significantly better thought of when a web page has completed loading / settled. This in itself is a difficult job, given the extraordinarily dynamic nature of a lot fashionable internet content material.

New – SVG components

Talking to our customers, we grew to become conscious of an issue with Burp Suite’s authenticated scanning characteristic, the place Burp Scanner could possibly be confused by buttons containing a nested SVG picture (corresponding to an icon). This might trigger the scanner to click on on the picture, relatively than the button.

Launch 2021.9.1 fixes this challenge, by altering the way in which Burp Suite identifies SVG components. Beforehand, Burp Suite was unable to report details about the place SVGs had been positioned within the DOM, however now it may – together with the XPath. XPath is vital, as a result of it permits components to be positioned within the DOM. Since 2021.9.1, Burp Suite will use the SVG namespace to accurately establish a picture – fixing this drawback.

New – multi-select

Though it admittedly represents a considerably area of interest use-case, Burp Suite 2021.9.1 additionally added functionality for coping with conditions the place customers can choose a number of choices from an inventory. That is generally referred to as a multi-select (a choose component the place the a number of attribute has been set). Burp Suite’s capability to deal with such components by authenticated scanning will make testing far more environment friendly, must you occur to come across one within the wild.

Till subsequent time

As you’ll be able to see, fashionable internet utility login sequences might be much more advanced than the easy HTML types of yore. However Burp Suite’s steady growth helps it meet the wants of right this moment’s internet safety professionals.

Whether or not you are testing conventional login performance utilizing the old-style Burp Suite utility login possibility, or utilizing the authenticated scanning characteristic to check fashionable performance, we have you lined.

Remember – keep within the loop with the most recent goings-on, and sustain with the most recent Burp Suite releases by following PortSwigger on Twitter.

Supply hyperlink