Burp Suite User Forum


Burp 2.x Audit finds less issues

cr33y | Last updated: Oct 03, 2019 01:24PM UTC

I'm playing a bit with Burp 1.7.37 and v2.1.04 (both Pro versions). I also read about the new scanning techniques Burp 2.x comes with. So my expectation was that it should find (at a minimum) as many issues as the "old" one. For testing I used DVWA. The old one, with spidering and a following active scan, finds multiple issues:

- SQLi (visible and blind)
- XSS (stored and reflected)
- command injection

I examined the results and they are all reproducible and not false positives. Burp 2.x finds zero of the mentioned vulnerabilities. I used the default crawl and audit. In addition, I also used the library template:

- Crawl strategy – most complete
- Audit – all except JavaScript analysis

Same result there. So I'm wondering if I am making a mistake, or does this rely on the new scanning technique? In theory, Burp 1.7 should then be used for "old style" websites. But using both Burp versions on the same mandate is very time consuming and isn't really a solution for me. So can you explain / examine the reason for this behavior?

Mike, PortSwigger Agent | Last updated: Oct 03, 2019 02:33PM UTC

Hi, the scanning engine has changed completely from version 1 -> 2. We navigate through the application differently, we interpret the scan configurations differently, and we map the target application differently once the crawl operation is completed, so, unfortunately, you can't make a like-for-like comparison. I would like to ask a few questions around your testing with version 2.x:

- Did you use a new project file for your testing? Previous results could hide/pollute the results from your scanning.
- Have you tried changing parts of the configuration to improve the results? (E.g. setting Audit Speed to thorough.)
- Have you compared the site maps to see if one version is able to identify more of the target application than the other?

Liam, PortSwigger Agent | Last updated: Oct 07, 2019 02:11PM UTC

Just to follow up, we ran Burp Pro v2.1.04 against DVWA Version 1.8 using the default settings. The audit found:

- SQL injection - 3
- Stored XSS - 2
- Reflected XSS - 14
- OS Command Injection - 1

It also found 30 other issue types.
