Burp Suite User Forum


burp active scan

hong | Last updated: Jan 13, 2016 03:48PM UTC

Hi, I am testing a web page (a form) that allows you to make changes to several fields. The form has several parameters in the POST request (name and value pairs in the body). If you do not make any changes and hit submit, it comes back with a "no change made" page. If you do make a change, it comes back with a "confirmation page". I did two tests: (1) I made no change in the request and sent this POST request to the active scan; "active scan" reported 5 issues. (2) I made a change in the request and sent this POST request to the active scan; "active scan" reported 22 issues. Is this expected behavior for "active scan"? I selected almost everything in "attack insertion points", such as "body parameters, head parameters ...". I thought active scan would modify these (name, value) pairs and send additional requests to probe for vulnerabilities. I wanted to design my test so that it gives me the maximum number of issues for the page. Thanks

PortSwigger Agent | Last updated: Jan 14, 2016 09:54AM UTC

Burp will indeed modify the request in all kinds of ways during active scanning. Some of these changes may not trigger the logic in this application that causes a different action to be performed (because they are changes to e.g. request headers, or the addition of new parameters). It sounds like the two base requests you have sent for scanning are triggering different server-side actions in themselves, and this might explain why different issues were generated in the two cases.
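The explanation above can be made concrete with a small simulation. This is an added example, not code from the thread or from Burp itself: it models a hypothetical form handler that only reaches its update path when a known field differs from the stored value, and a toy probe that mutates the base request at the same kinds of insertion points the question mentions (body parameter values, header values, an added parameter). The point it shows is the Agent's: probes that touch headers or add new parameters never reach the update branch when the base request itself makes no change, so that branch's issues cannot be found from that base request. All names, values and the handler logic are constructed for the example.

```python
"""Toy model of how the base request shapes active-scan coverage.

Constructed example: a hypothetical form handler plus a tiny
mutation-based probe modelled on scanner insertion points.
"""
from dataclasses import dataclass

# Constructed server-side state: the values currently stored for the form.
STORED = {"name": "alice", "email": "alice@example.com"}


@dataclass
class Request:
    headers: dict
    body: dict


def form_handler(req: Request) -> str:
    """Hypothetical handler: only a changed, known field reaches the update path."""
    changed = {k: v for k, v in req.body.items() if k in STORED and v != STORED[k]}
    if not changed:
        return "no change made"          # early exit, update code never runs
    return "confirmation page"           # update path (where most issues would live)


def mutate(base: Request):
    """Yield (insertion_point, request) pairs: one probe per insertion point.

    Models three kinds of scanner insertion point: each body parameter value,
    each header value, and one newly added parameter. The payload is a
    harmless marker; what matters is which server branch the probe reaches.
    """
    payload = "x"
    for name in base.body:
        body = dict(base.body)
        body[name] = base.body[name] + payload
        yield f"body:{name}", Request(dict(base.headers), body)
    for name in base.headers:
        headers = dict(base.headers)
        headers[name] = base.headers[name] + payload
        yield f"header:{name}", Request(headers, dict(base.body))
    body = dict(base.body)
    body["injected"] = payload
    yield "new-param:injected", Request(dict(base.headers), body)


def coverage(base: Request) -> dict:
    """Count how many probes reach each branch and which insertion points hit the update path."""
    counts = {"no change made": 0, "confirmation page": 0}
    update_points = []
    for point, req in mutate(base):
        outcome = form_handler(req)
        counts[outcome] += 1
        if outcome == "confirmation page":
            update_points.append(point)
    return {"counts": counts, "update_path_points": update_points}


# Constructed base requests: identical headers, one with unchanged values
# (the "no change made" case) and one where a field was actually edited.
HEADERS = {"User-Agent": "probe", "Referer": "https://example.invalid/form"}
UNCHANGED_BASE = Request(dict(HEADERS), dict(STORED))
CHANGED_BASE = Request(dict(HEADERS), {"name": "bob", "email": STORED["email"]})

if __name__ == "__main__":
    for label, base in (("unchanged base", UNCHANGED_BASE), ("changed base", CHANGED_BASE)):
        print(label, coverage(base))
```

With the unchanged base request only the two body-parameter probes reach the update path; the two header probes and the added-parameter probe all stop at "no change made". With the changed base request every probe reaches the update path, because the edited field keeps the handler on that branch regardless of what the probe alters. That is why the same insertion-point settings can yield very different issue counts from two base requests.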
