The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Active scan checking for categories outside of selected issue categories

FeasibleSecEnthusiast | Last updated: Jul 17, 2024 08:14AM UTC

Hello. Firstly, can't thank you folks enough for this awesome tool. I am trying to play around with the active scan under the "Issues Reported" section of the configuration. I have created a custom configuration in my library, where I want only Reflected XSS and Reflected DOM XSS to be scanned. These are the only selected issues. But still, when I scanned, I saw the task log reporting that it is trying XML Injection, Code Injection, and many categories that are unselected, or which are not even a part of the list. Unless this is expected due to some internal category names/cross-referencing that I am unaware of, can you please help me understand why the scanner is testing for issue categories that have not been selected? Thanks.

Syed, PortSwigger Agent | Last updated: Jul 18, 2024 07:28AM UTC

Hi,

You are most welcome. Our awesome developers deserve the praise. I will let them know. Thank you for your lovely feedback!

We are aware of this issue and are planning to fix it. It is more of a UI issue than a Scanner one. When you run the scan, the logic for the disabled scan checks kicks in after we display that we are running scan checks for them. You can confirm this with the requests in the Logger. Burp only prints that it is doing all these scan checks, but it isn't.

If you have a scan check dependent on another scan check, and if that is disabled, Burp will still execute it because of that dependency. Otherwise, Burp won't run any scan checks that you have disabled in the scan configuration.

I hope this helps.
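
An added example, not code from PortSwigger or from Burp itself, illustrating the two points in the reply above: a disabled check still runs if an enabled check depends on it, and the Logger traffic (not the task log) is the place to confirm what was actually sent. The check names, the dependency graph, the payload-family signatures and the Logger-style request lines are all hypothetical or constructed for the example; Burp's internal check identifiers are not public and are not what is modelled here.

```python
"""Effective scan-check resolution and a Logger-export audit (added example).

Assumptions: check names and dependencies are hypothetical, and a Logger
export is treated as one request line per entry. None of this is Burp code.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

# Hypothetical dependency graph: check -> checks it requires to run first.
# Names are illustrative only, not Burp's internal identifiers.
CHECK_DEPENDENCIES: dict[str, set[str]] = {
    "reflected_xss": {"input_reflection"},
    "reflected_dom_xss": {"input_reflection"},
    "xml_injection": set(),
    "code_injection": set(),
}


def effective_checks(enabled: set[str], deps=CHECK_DEPENDENCIES) -> set[str]:
    """Return the enabled checks plus everything they transitively depend on.

    This is the rule described in the reply: a check you disabled still runs
    when an enabled check needs it; nothing else that is disabled runs.
    """
    result: set[str] = set()
    stack = list(enabled)
    while stack:
        check = stack.pop()
        if check in result:
            continue
        result.add(check)
        stack.extend(deps.get(check, ()))
    return result


# Coarse signatures for recognising which payload family a request belongs
# to. Constructed for this example; tune them to your own scanner's output.
PAYLOAD_FAMILIES: dict[str, re.Pattern[str]] = {
    "reflected_xss": re.compile(r"<script|onerror=|javascript:", re.I),
    "xml_injection": re.compile(r"<!DOCTYPE|<!ENTITY|<\?xml", re.I),
    "code_injection": re.compile(r"\$\{|phpinfo\(|\bsystem\(", re.I),
}

# Constructed Logger-style request lines (URL-encoded, as a proxy would show).
SAMPLE_LOG = [
    "GET /search?q=test HTTP/1.1",
    "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1",
    "GET /search?q=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1",
]

# Same log plus one constructed XML-entity probe, to show a mismatch.
SAMPLE_LOG_MIXED = SAMPLE_LOG + [
    "POST /api?doc=%3C%21ENTITY+e+%22x%22%3E HTTP/1.1",
]


def families_in_log(lines, families=PAYLOAD_FAMILIES) -> dict[str, int]:
    """Count, per payload family, how many request lines carry a matching probe."""
    counts: dict[str, int] = {}
    for line in lines:
        # Decode form encoding so the signatures see the raw payload text.
        decoded = unquote(line.replace("+", " "))
        for family, pattern in families.items():
            if pattern.search(decoded):
                counts[family] = counts.get(family, 0) + 1
    return counts


def unexpected_families(lines, enabled: set[str]) -> set[str]:
    """Payload families seen on the wire that no enabled check (or dependency) explains."""
    allowed = effective_checks(enabled)
    return {family for family in families_in_log(lines) if family not in allowed}


if __name__ == "__main__":
    selected = {"reflected_xss", "reflected_dom_xss"}
    print("checks that actually run:", sorted(effective_checks(selected)))
    print("families in log:", families_in_log(SAMPLE_LOG))
    print("unexpected:", unexpected_families(SAMPLE_LOG, selected))
    print("unexpected (mixed log):", unexpected_families(SAMPLE_LOG_MIXED, selected))
```

Run it against a real Logger export by replacing `SAMPLE_LOG` with the exported request lines; an empty `unexpected_families` result is the confirmation the reply suggests, while a non-empty one is worth raising with support along with the configuration.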

FeasibleSecEnthusiast | Last updated: Jul 18, 2024 09:29AM UTC

Hi Syed, Much appreciated, and it does make sense. I should have clarified one more thing in my earlier post. I did have the scanner go through another Burp instance in front, and stopped the scan when I saw the message in the UI. Glad to know that the scanner itself doesn't check for the categories that the UI reports as being checked - the payloads in the second Burp instance seemed relevant enough for the selected categories, but I thought I should still check, before it goes deep into the scan! :) Thanks again.

Syed, PortSwigger Agent | Last updated: Jul 18, 2024 12:06PM UTC