Adding recorded login sequences

  • Last updated: June 6, 2024

A recorded login sequence is a set of instructions that tell Burp Scanner how to log in to a particular site. Recorded login sequences enable Burp Scanner to audit content that only authenticated users can usually see, even on sites that use complex login mechanisms such as Single Sign-On.

This section explains how to add login sequences to a new or existing site. For information on how to record the sequences themselves, see Recording login sequences (Scanner).

Note

If your site uses a basic username and password-based authentication mechanism, you should consider adding username and password credentials rather than adding a recorded login sequence. Using username and password credentials can improve scan times and reduce the likelihood of errors. You cannot use both authentication methods on a single site in Burp Suite Enterprise Edition.

Adding recorded login sequences to Burp Suite Enterprise Edition

You can add recorded login sequences when creating a new site. You can also add sequences to existing sites.

Add a recorded login sequence to a new site

To add a recorded login sequence when you create a new site:

  1. On the top menu, select Sites > Add a new site to display the Create a new site page.
  2. In the Scan settings section, select Authentication > Application logins.
  3. Select Recorded login sequences.
  4. Click Add a recorded login sequence.
  5. In the dialog box, enter a unique Label to identify this recorded login.
  6. Paste the login script into the Paste script field.
  7. Click Save.

Note

Burp Scanner always uses Burp's browser to perform recorded login sequences when scanning, even if you have not selected Use Burp's browser for Crawl and Audit in your scan configuration.

Add a recorded login sequence to an existing site

To add a recorded login sequence to an existing site:

  1. On the top menu, select Sites to display the site tree.
  2. Select the site you want to add the recorded login sequence to.
  3. Select the Details tab and click Edit.
  4. In the Scan settings section, select Authentication > Application logins.
  5. Select Recorded login sequences.
  6. Click Add a recorded login sequence.
  7. In the dialog box, enter a unique Label to identify this recorded login.
  8. Paste the login script into the Paste script field.
  9. Click Save to close the dialog box.
  10. Click Save.

To add an additional recorded login, click the plus button and repeat steps 7 to 9.

To delete a recorded login, click the trash icon.

Reviewing a recorded login sequence

When you run a pre-scan check, Burp Suite Enterprise Edition captures images from your recorded login sequences. You can review the images from each sequence, to make sure that they successfully log in to the site.

Note

For security reasons, you need permission to view recorded logins.

To grant users permission to view recorded logins, an admin user needs to:

  1. Create a new role that has permission to View sites, View site details, and View site application login details.
  2. If the role also needs to enable users to run pre-scan checks, give permission to Edit sites and folders.
  3. Create a new group that contains the new role, the appropriate users, and any site restrictions.
  4. Ask the users to sign out and sign in again, for the changes to take effect.

To review your recorded login sequences:

  1. From the Sites menu, select a site.
  2. In the Health Status menu, click Run health check. Wait for the health check to complete.
  3. Expand the Health status menu and go to the Recorded logins tab.
  4. To review a specific recorded login sequence, click Review replay.
  5. Review the images of the recorded login replay, to make sure that the login is successful.

Note

You will see an error message if there is an error with the script for the recorded login.

Recorded login images are only stored for 14 days. After this period, you need to run a new health check in order to review your login sequence.
