Burp Scanner - Change Severity to False Positive

Tony | Last updated: Jun 09, 2022 06:59PM UTC

I thought I had previously submitted this under a Feature Request user forum, but later wasn't able to find it in any forum, so I'm posting again. If this ends up as a duplicate posting, my apologies.

When resetting the severity of an issue identified by the scanner to False Positive, it would be helpful to have the ability to identify/highlight the part of the response that confirms the issue is a false positive and automatically tag all future issues with the same highlighted response as a false positive.

For example, Burp Scanner identified an XPath Injection issue because the response from the injection included 'xpath', which is highlighted in the response; however, this was actually part of the name of a folder for a JavaScript resource (<script type='text/javascript' src='/lib/wgxpath/wgxpath.install.js'>) that was included in almost every response.

It would be nice to have a feature where I just highlight, say, '/lib/wgxpath/wgxpath.install.js' (in the response) to indicate to the scanner that if the highlighted response identifying the issue is in the text I highlighted then to automatically set the severity to false positive for all future findings by the scanner (in that project). That way any xpath injection issues not set as false positive are the issues I should focus on, rather than having to inspect each issue and manually identify each one as a false positive.
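The matching rule requested above, as an added example that is not part of the original post and not Burp Suite code or its API: a finding is auto-marked only when its highlighted evidence lies wholly inside the user-selected benign text, so a real error message on a page that also loads the script still goes to review. The `Finding` record, its offset fields, the rule table and the sample responses are assumptions constructed for illustration.

```python
# Added example: standalone triage logic over constructed data, not Burp's API.
from dataclasses import dataclass

@dataclass
class Finding:                      # hypothetical record, not a Burp export format
    issue: str
    response: str
    start: int                      # highlight offsets into response: [start, end)
    end: int

def benign_spans(response, marker):
    """Yield [start, end) for every occurrence of the benign marker string."""
    pos = response.find(marker)
    while pos != -1:
        yield pos, pos + len(marker)
        pos = response.find(marker, pos + 1)

def is_false_positive(finding, markers):
    """True only if the highlighted evidence lies wholly inside a benign marker."""
    if not (0 <= finding.start < finding.end <= len(finding.response)):
        return False                # malformed offsets: leave for manual review
    return any(s <= finding.start and finding.end <= e
               for m in markers if m
               for s, e in benign_spans(finding.response, m))

def triage(findings, rules):
    """Split findings into (needs_review, auto_false_positive) by per-issue rules."""
    review, auto_fp = [], []
    for f in findings:
        (auto_fp if is_false_positive(f, rules.get(f.issue, ())) else review).append(f)
    return review, auto_fp

def highlight(issue, body, needle, nth=0):
    """Build a Finding whose highlight is the nth occurrence of needle in body."""
    pos = -1
    for _ in range(nth + 1):
        pos = body.find(needle, pos + 1)
    return Finding(issue, body, pos, pos + len(needle))

# Constructed sample data based on the script tag quoted in the post.
SCRIPT = "<script type='text/javascript' src='/lib/wgxpath/wgxpath.install.js'>"
RULES = {"XPath injection": ["/lib/wgxpath/wgxpath.install.js"]}
BODY_BENIGN = "<html>" + SCRIPT + "</script><p>ok</p></html>"
BODY_ERROR = "<html>" + SCRIPT + "</script><p>Invalid xpath expression</p></html>"
SAMPLES = [
    highlight("XPath injection", BODY_BENIGN, "xpath", 0),  # inside the script path
    highlight("XPath injection", BODY_ERROR, "xpath", 2),   # error text on same page
    highlight("SQL injection", BODY_BENIGN, "xpath", 0),    # rule is per issue type
]
```

Matching on the highlight position rather than on the mere presence of the string in the response is what keeps the second sample from being suppressed.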

Liam, PortSwigger Agent | Last updated: Jun 10, 2022 04:59AM UTC

Thanks for this request, Tony. We'll discuss this with our product team and get back to you.

Liam, PortSwigger Agent | Last updated: Jun 28, 2022 01:08PM UTC

Hi Tony. Sorry for the delay in response. After further discussion with our product team, this isn't a feature we will be able to facilitate in the short or medium term.

