Burp Suite User Forum

Login to post

Burp Automated Scan using Macro not spidering all url's

deepak | Last updated: Oct 17, 2019 08:15AM UTC

Hello, I am using the Burp API to automate the scans on Burp Suite v1.7.31 After creating a macro, I am supplying credentials and I am able to login later using the macro. However, Burp is only able to spider or crawl the macro url and not spidering or scanning automatically for other url's. The only request as part of my macro is the login request. The scope is intended to scan all url's but burp ends up spidering only the login request and the response re-direction url, if any and stops. Can anyone confirm if it is possible to use a macro and scan all url's of an application dynamically via such automation or the list of url's need to be added manually/manual spidering is required.

Mike, PortSwigger Agent | Last updated: Oct 17, 2019 10:53AM UTC

Hi, we responded to your email about this issue 18 minutes ago, I will post our reply here in case you haven't received it. Yes, your Macro should not effect Burp Scanners’ ability to continue scanning after you have successfully authenticated with an application. Can you provide us with examples of your Session Handling Rules configuration and a description of what authentication requirements your target application has?

Burp User | Last updated: Oct 30, 2019 09:50PM UTC

Hello, Any updates on this please? Mike, can you provide please a link to a tutorial how to use Burp for automated login on web apps with csrf scan and then actually start the scan? I have found this link but not saying how to start the scan, where to enter credentials https://support.portswigger.net/customer/portal/articles/2906338-using-burp-s-session-handling-rules-with-anti-csrf-tokens I would to scan a web app with csrf token, I have added a macro selecting the /login Get request where the token appears, set session handling rules but there is no option to scan using this macro in 2.1.04 version, where can I find support, please? I have bought a license for Professional Use Thank you!

Mike, PortSwigger Agent | Last updated: Nov 01, 2019 08:57AM UTC

Hi Laura, when you define a session handling rule, in the 'Scope' tab you select the tool(s) that the rule applies to and the scope of what URLs will use this rule when utilizing one of the tools previously selected. In your case, you will need to select the scanner to apply this rule and set the scope to include the URL you are scanning. The macro should then be used when you execute a scan against that target application.

You need to Log in to post a reply. Or register here, for free.