Burp Suite DAST is PortSwigger's product for automated Dynamic Application Security Testing (DAST) of web applications and APIs. It is a commercial product available both for on-premises deployment and as a cloud-hosted service run by PortSwigger.

In this tutorial, we will run a scan with Burp Suite DAST, with special focus on recorded logins. Recorded logins matter for modern applications because a plain username and password pair is often not enough: the scanner has to reproduce multi-step or JavaScript-driven login flows before it can reach the authenticated parts of the site.

First, install the "Login Recorder for Burp Suite" extension for Chrome and, on the extension's details page under chrome://extensions, enable "Allow in Incognito" so that recordings are made in a clean session without cookies from your normal browsing.

Next, navigate to Burp Suite DAST and create a new site from the Sites tab. For this demo, we will use https://ginandjuice.shop/ as our target. We will proceed with the default settings.

To add a recorded login, click the extension and select Record login sequence. Perform the login as you normally would. Once logged in, click the extension again and select Stop recording.

After stopping the recording, you will see an option to Copy script.

Click Add a recorded login sequence in Burp Suite DAST and paste the copied script into the Script tab.

In the Status checker tab, enter the URL you land on after logging in and a piece of text that confirms the session is authenticated. The URL is the page you are redirected to once login completes, and the confirmation text is text visible on that page. Choose text that only appears when logged in, such as "Log out" or the account's username, rather than text that is also shown on the login page; otherwise a failed login can still be reported as successful.

Before running the scan, verify that the recorded login sequence works correctly by clicking Run pre-scan check.

If everything is configured correctly, the status will show Successful. For additional verification, you can click Review replay and confirm that the session successfully logs in during the final step.

Once verified, you can proceed with the authenticated scan.
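To make the status checker and pre-scan check concrete, here is an added Python model of the procedure above. It is not part of the original article and not PortSwigger's code: it replays a recorded sequence of navigate / type / submit steps against a constructed in-memory mock of the target, then applies a status check that compares the landing URL and looks for the confirmation text. The host target.example, the credentials carlos / montoya, the step format and the mock application are all assumptions made for this example; the real Login Recorder script format and the exact URL-matching rules of the DAST status checker are not reproduced.

```python
"""Offline model of a recorded-login pre-scan check (illustrative only)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

# Constructed mock target (not ginandjuice.shop): a login form at /login and an
# account page at /my-account that is only served to an authenticated session.
HOST = "https://target.example"
VALID_USER, VALID_PASS = "carlos", "montoya"   # hypothetical credentials


@dataclass
class Browser:
    """Minimal browser state the replay engine carries between steps."""
    url: str = ""
    body: str = ""
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def serve(b, path, form=None):
    """Route one request through the mock app, following its redirects."""
    if path == "/login" and form is None:
        b.url, b.body = f"{HOST}/login", "<h1>Login</h1><form>...</form>"
    elif path == "/login":
        if form.get("username") == VALID_USER and form.get("password") == VALID_PASS:
            b.cookies["session"] = "authenticated"   # login succeeded: issue a session
            return serve(b, "/my-account")            # then redirect to the account page
        b.url, b.body = f"{HOST}/login", "<h1>Login</h1>Invalid username or password."
    elif path == "/my-account":
        if b.cookies.get("session") != "authenticated":
            return serve(b, "/login")                 # unauthenticated: bounced to login
        b.url = f"{HOST}/my-account?id={VALID_USER}"
        b.body = (f"<h1>My account</h1><p>Your username is {VALID_USER}</p>"
                  "<a href='/logout'>Log out</a>")
    else:
        b.url, b.body = f"{HOST}{path}", "Not found"
    b.form = {}
    return b


def replay(steps):
    """Execute a recorded login sequence step by step, like the pre-scan replay.

    The step format (navigate / type / submit) is invented for this example.
    """
    b = Browser()
    for step in steps:
        if step["action"] == "navigate":
            serve(b, urlsplit(step["url"]).path)
        elif step["action"] == "type":
            b.form[step["field"]] = step["value"]
        elif step["action"] == "submit":
            serve(b, urlsplit(b.url).path, form=b.form)
    return b


def normalize(url):
    """Compare URLs without query string, fragment or trailing slash, so a
    post-login redirect such as /my-account?id=carlos still matches /my-account."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path.rstrip("/") or "/", "", ""))


def status_check(b, expected_url, expected_text):
    """Status checker: the session landed on the expected URL and the page
    contains the confirmation text. Returns (ok, reason)."""
    if normalize(b.url) != normalize(expected_url):
        return False, f"landed on {b.url}, expected {expected_url}"
    if expected_text not in b.body:
        return False, f"confirmation text {expected_text!r} not found on {b.url}"
    return True, "Successful"


def pre_scan_check(steps, expected_url, expected_text):
    """Replay the recording, then run the status check on the resulting session."""
    return status_check(replay(steps), expected_url, expected_text)


# Constructed recorded login sequence in the invented step format.
RECORDED_LOGIN = [
    {"action": "navigate", "url": f"{HOST}/login"},
    {"action": "type", "field": "username", "value": VALID_USER},
    {"action": "type", "field": "password", "value": VALID_PASS},
    {"action": "submit"},
]

# Same recording with a wrong password: lands back on /login.
BAD_LOGIN = [dict(s, value="wrong") if s.get("field") == "password" else s
             for s in RECORDED_LOGIN]

if __name__ == "__main__":
    print(pre_scan_check(RECORDED_LOGIN, f"{HOST}/my-account", "Log out"))
    print(pre_scan_check(BAD_LOGIN, f"{HOST}/my-account", "Log out"))
```

The third case worth trying is the misconfiguration the status checker cannot protect you from: running BAD_LOGIN with expected URL /login and confirmation text "Login" reports "Successful" even though no session was created, because that text is on the login page too. That is why the confirmation text should be something only an authenticated page shows.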

If you want to give someone read-only access to scan results, navigate to the Team tab and create a new user assigned to the Scan viewers group, which can view scans but not change sites or scan configuration.

That concludes the setup and execution of an authenticated scan in Burp Suite DAST using a recorded login sequence. If you want to integrate this workflow into a CI/CD pipeline with Jenkins, see my previous article: https://medium.com/@awaisakbarofficial/integrating-burp-suite-dast-with-jenkins-for-automated-security-in-ci-cd-pipelines-092569578090