The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Burp Scan Finding Severity

Mohammad | Last updated: Jan 09, 2024 02:28PM UTC

Hello, I'm a bit confused regarding the severity of findings via Burp Scanner. Recently I ran a scan on one of my domains and was able to find a bunch of findings; however, most of them were of severity "information" as per this list: https://portswigger.net/burp/documentation/scanner/vulnerabilities-list Burp should, for example, identify Cross Site Scripting Reflected as "High"; however, in my report or scan results it's identified as "Information". Do you have any clarification on why it's appearing as "information" and not High, for example, just like the list linked above?

Hannah, PortSwigger Agent | Last updated: Jan 10, 2024 12:05PM UTC

Hi, the scan severity levels found on the vulnerabilities list reflect the typical severity level of the issue. Depending on the Scanner's findings, actual issue severities may differ. You can also manually change the reported issue severity by right-clicking on the issue and adjusting the severity.

Mohammad | Last updated: Jan 10, 2024 12:59PM UTC

Hello Hannah, thanks for the prompt response. If the vulnerability is denoted as High in the list, why would it appear as Information during the scan? Based on what does Burp denote it as Information and not High, for example? Can you please clarify this? I'm aware of being able to change the severity but would like to understand the basis of the severity I'm getting.

Hannah, PortSwigger Agent | Last updated: Jan 11, 2024 11:20AM UTC