Burp Suite User Forum


Burp Scan Finding Severity

Mohammad | Last updated: Jan 09, 2024 02:28PM UTC

Hello, I'm a bit confused regarding the severity of findings via Burp Scanner. Recently I ran a scan on one of my domains and got a bunch of findings; however, most of them were of severity "Information" as per this list: https://portswigger.net/burp/documentation/scanner/vulnerabilities-list. Burp should, for example, identify Cross-Site Scripting (Reflected) as "High", but in my report and scan results it's identified as "Information". Do you have any clarification on why it's appearing as "Information" and not "High", as in the list linked above?

Hannah, PortSwigger Agent | Last updated: Jan 10, 2024 12:05PM UTC

Hi,

The scan severity levels found on the vulnerabilities list reflect the typical severity level of the issue. Depending on the Scanner's findings, actual issue severities may differ. You can also manually change the reported issue severity by right-clicking on the issue and adjusting the severity.

Mohammad | Last updated: Jan 10, 2024 12:59PM UTC

Hello Hannah, thanks for the prompt response. If the vulnerability is denoted as "High" in the list, why would it appear as "Information" during the scan? On what basis does Burp denote it as "Information" and not "High", for example? Can you please clarify this? I'm aware of being able to change the severity but would like to understand the basis of the severity I'm getting.

Hannah, PortSwigger Agent | Last updated: Jan 11, 2024 11:20AM UTC

Hi,

The reason why the Scanner might downgrade a finding depends on the scan check itself. In the case of XSS, it may be that while the Scanner found something that may indicate a site is vulnerable, the Scanner may deem it not exploitable, so it doesn't require as high a severity rating.
