Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Burp scanner ignores scan configuration exclusion lists

Info.ba | Last updated: Apr 06, 2020 09:26AM UTC

Hi, It seems that Burp scanner ignores scan configuration exclusion lists. Version: 2020.2.1 E.g.: Configuration requires to ignore body parameter with name securityId Base request: POST /..../my_profile;jsessionid=560423289919l0e2g6f88f71qjg4xp1z2uwc408389.5604232899 HTTP/1.1 Host: www..... Connection: close Content-Length: 3002 X-Single-Page-Navigation: true Origin: https://www..... User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydvPyYQOeLGo0JIKb Accept: */* Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 ------WebKitFormBoundarydvPyYQOeLGo0JIKb Content-Disposition: form-data; name="SWEDTQBI4KJBTLDNYCATLADGCD2GMTXMX3DHM" 214378 ------WebKitFormBoundarydvPyYQOeLGo0JIKb Content-Disposition: form-data; name="pageId" private.home.important.settings.my_profile ------WebKitFormBoundarydvPyYQOeLGo0JIKb Content-Disposition: form-data; name="securityId" qkIALJOHvNQMBxjF [...] ------WebKitFormBoundarydvPyYQOeLGo0JIKb-- Scanner request (as observed in Flow): ------WebKitFormBoundarydvPyYQOeLGo0JIKb Content-Disposition: form-data; name="pageId" private.home.important.settings.my_profile ------WebKitFormBoundarydvPyYQOeLGo0JIKb Content-Disposition: form-data; name="securityId" glliorbdio

Hannah, PortSwigger Agent | Last updated: Apr 06, 2020 09:53AM UTC

Hi Could you provide some more information on how you are setting up your ignored insertion point? For example, are you using regex or literal string matching, did you set the ignored insertion point as a value or a name? In the Scanner request you posted, it does not appear that the "securityId" parameter has been used as an insertion point, as there does not seem to be a payload included as part of that parameter. Could you clarify this?

Info.ba | Last updated: Apr 06, 2020 11:52AM UTC

Maybe it is not clearly visible in the text above, but Scanner clearly modifies the securityId parameter from qkIALJOHvNQMBxjF to glliorbdio. Anyway, the setup is as follows: Ignored Insertion points -> Skip server-side injection tests -> Body parameter - Name - Is - securityId

Hannah, PortSwigger Agent | Last updated: Apr 08, 2020 07:24AM UTC

Hi If you change your rule from being in "Skip server-side injection tests" to being in "Skip all tests", do you still see the same behavior?

Info.ba | Last updated: Apr 08, 2020 12:07PM UTC

Skip all tests seem to be working in this case.

Hannah, PortSwigger Agent | Last updated: Apr 08, 2020 12:21PM UTC