Burp Suite User Forum


Burp Enterprise Optimization for SPA

Ivans | Last updated: Aug 03, 2022 03:50AM UTC

I have been trying out the Burp Enterprise trial for our organization to conduct security scans. The application is a SPA (JavaScript-heavy), and the primary issue with the tool is its crawling ability for SPAs. It fails to raise the HTTP requests which are invoked via checkboxes, radios, buttons, etc. This becomes a problem, since the tool doesn't have any manual controls except configurations, and it becomes very tough to ensure that all the scenarios in a web application have been covered.

It could simply be improved by providing some manual controls in the following ways:

1) Letting the user import the HTTP requests which need to be audited from the Community/Pro version; automated crawling can be disabled. The audit can then be performed on the imported requests only.

Or

2) Using the Burp inbuilt browser, we can navigate a workflow manually. Burp Enterprise may simply capture all the HTTP requests in the background and perform an audit on the captured requests. (We can also give options to include/exclude URLs/domains in this case.)

Please note I am not asking for features like a separate tab for the interceptor; Burp Enterprise can perform everything in the background. This will make sure that Burp Professional has its own features reserved.

The above 2 methods have the following advantages:

1) Performing a scan on the entire application regularly takes a lot of time. If we limit the max crawl and audit time it may affect the coverage, which is not feasible. With the above features implemented we can perform audits on specific HTTP requests/UI workflows, hence this will save a lot of time.

2) It will provide us full control and let us unlock the full potential of the Burp scanner in the Enterprise version.

Alex, PortSwigger Agent | Last updated: Aug 03, 2022 07:16AM UTC

Hi Ivans, thanks for your post and your feedback on SPA scanning in Burp Suite Enterprise. I've passed your use case and suggestions on to the Technical Product Manager for Enterprise for review. I'll post any updates/additional feedback here. All the best.
