Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Burp Enterprise : Adding custom list of URLs to be scanned

Wayne | Last updated: Mar 12, 2024 06:23AM UTC

I have an application in which tab/url/flows are based on query parameters i.e. only key value change controls the UI/page change base URL remains same so when Burp crawls the application it doesn't records those URL. Is there a way to explicitly mention these URLs so that it is picked by Burp Scanner. I tried adding them in-scope section but it didn't worked.

Syed, PortSwigger Agent | Last updated: Mar 12, 2024 02:25PM UTC

Hi Manish,

Thank you for your message.

I am going to assume the application you are trying to scan is a single-page app and when you say Burp doesn't record the URLs, I suppose you mean they are not present in the Scanned URLs list. Correct me if I am wrong.

Burp works well with SPAs now and it shouldn't have a problem scanning the website. You can always refer to this doc on how to scan SPAs: https://portswigger.net/burp/documentation/scanner/scanning-spas

If you still think that Burp is not covering all the URLs, you can run a verbose scan and check the logs to confirm if Burp is indeed visiting all the URLs. You can also use the SiteMap extension to print out a sitemap of the URLs that Burp visits. Here is the extension: https://github.com/Hannah-PortSwigger/RetrieveSiteMap

The above extension only works for Burp Enterprise installed on a Linux machine.

Wayne | Last updated: Mar 13, 2024 08:11AM UTC

No it's not SPA , it's mixed of query parameters-based application along with normal URL. What I have noticed is that a lot of the time after login the Burp Scanner will fail to find any other URL/TAB/PAGE and hence the scan fails with below error I checked login sequence works, Login sequence doesn't end on out of scope page and changing crawl strategy also doesn't work most of the time Login attempt: Failed to find additional locations after recorded sequence: MPGS_User_login. Cause When using a recorded login, Burp Scanner first runs a crawl without using your recorded login. It then compares it to a crawl using your recorded login. If no additional content is discovered, then this error appears. This can occur for a number of reasons: Your recorded login has failed. Your recorded login ends on a page that is out of scope for your scan. Note that Burp Scanner ignores scope while performing a recorded login sequence. However, any out of scope locations are not crawled and / or audited as part of that scan. Burp Scanner is not finding any additional content, because the selected crawl strategy is not complete enough. Remediation If you think your recorded login has failed, then see our documentation on troubleshooting recorded login sequences in Burp Suite Enterprise Edition. If your recorded login ends on a page that is out of scope for your scan and you want to adjust your scope to include that page, you can add the page to the list of Include URLs for the site you are scanning. If you want to try a more complete crawl strategy, create a new scan configuration. Here you can select a Crawl strategy under the Crawling options.

Syed, PortSwigger Agent | Last updated: Mar 13, 2024 10:18AM UTC