Burp Suite User Forum


Burp Scanner not Recognising Targets with advanced scope control configured

Richard | Last updated: Aug 24, 2021 01:02PM UTC

I am having issues when using advanced scope control to exclude certain hosts from scanning/testing. I need to use advanced scope control to specifically exclude a particular URL pattern, so that forces me to use a regex pattern for all my in-scope hosts. Problem is, when I then go 'New scan' my in-scope items do not show up in 'URLs to Scan'. I can paste them in and run the test so long as I have not configured the advanced scope configuration within the scanner window. However, if I do this and the scan runs, then my exclusion is not shown when I open the detail of the scan. If I configure the advanced scope within the scanner itself, then the scanner complains that there are out of scope items included for scanning.

Steps to reproduce.

1. Start a new project and within the 'Target' tab select 'Use advanced scope control' and load a list of targets from a file.
2. Add an exclusion below with only the 'File' field populated like so: ^.*?adverse-report.*$
3. Select 'Dashboard' > 'New scan'
4. Note here that the 'URLs to scan' input is blank.
5. Select 'Ok' to initiate scan. This fails.
6. Copy and paste in my targets from the file manually and select 'Ok'
7. In the 'Dashboard' click on the gear icon on the scanning object.
8. Open the Detailed scope configuration section. Note that there is no exclusion.
9. Repeat steps 3 - 6
10. Select 'Use advanced scope control'
11. Click 'Load' to load same hosts from file as included URLs.
12. Select 'Excluded URLs' and select 'Add' loading the same regex in the 'File' field.
13. Click 'OK'.
14. Error: 'Some of the specified URLs are out of scope.'

I would expect whatever I had configured in the 'Target' tab to be carried over to the scan without extra configuration and for the regexes to match. Also, I do not have any out of scope settings beyond one exclusion for a particular file path.

Michelle, PortSwigger Agent | Last updated: Aug 25, 2021 11:50AM UTC

Thanks for your message. Currently, it is intentional that settings you may have configured under the Target Scope are not automatically brought into the settings for a new scan, as depending on the configurations used there is the potential for conflicts to be introduced. This is something we will be reviewing to see if we can find a suitable way of making it easier to bring those settings across, so I've passed your feedback onto the team and linked this thread to the feature request so we can let you know when there is an update.

For the second stage of your issue (steps 10-14), where you have manually defined the advanced scope control, I have been trying to replicate this here. So far I've not been able to reproduce the error in exactly the same way; I was only able to reproduce the error if I left the included URLs section empty, so I suspect I've done something slightly different. Can you email some screenshots (or a screen recording) of the settings you are using to support@portswigger.net so I can have another go at replicating this and spot the stage I've done differently, please?
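
An offline pre-check for the rules discussed in this thread, added here as an example that is not part of either post and is not Burp Suite code. It assumes a simplified model (a URL is in scope when it matches at least one include rule and no exclude rule, with blank fields matching anything and regexes applied as a search) and uses constructed hosts under example.test; all function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def parts(url):
    """Split a URL into the four fields a scope rule tests (assumed model)."""
    u = urlsplit(url)
    file_part = (u.path or "/") + ("?" + u.query if u.query else "")
    return {"protocol": u.scheme, "host": u.hostname or "",
            "port": str(u.port or DEFAULT_PORTS.get(u.scheme, "")),
            "file": file_part}

def rule_matches(rule, url):
    """Every populated field must match; a blank or absent field matches anything."""
    p = parts(url)
    return all(re.search(rx, p[field]) for field, rx in rule.items() if rx)

def in_scope(url, includes, excludes):
    """In scope = matched by some include rule and by no exclude rule."""
    return (any(rule_matches(r, url) for r in includes)
            and not any(rule_matches(r, url) for r in excludes))

def out_of_scope(urls, includes, excludes):
    """Return the URLs that the rule set would reject."""
    return [u for u in urls if not in_scope(u, includes, excludes)]

def include_rule_for(url):
    """Include rule for one target line: exact protocol, host and port, any file."""
    p = parts(url)
    return {k: "^" + re.escape(p[k]) + "$" for k in ("protocol", "host", "port")}

# Constructed sample targets; the third one contains the excluded path.
TARGETS = ["https://app.example.test/",
           "https://api.example.test/v1/status",
           "https://app.example.test/adverse-report/submit"]
# The exclusion from the thread: only the 'File' field populated.
EXCLUDES = [{"file": r"^.*?adverse-report.*$"}]
INCLUDES = [include_rule_for(u) for u in TARGETS]

if __name__ == "__main__":
    print("rejected with includes loaded:", out_of_scope(TARGETS, INCLUDES, EXCLUDES))
    print("rejected with empty includes: ", out_of_scope(TARGETS, [], EXCLUDES))
```

Under this model, a target list that itself contains a URL matching the exclusion is reported as out of scope, and an empty include list rejects every URL.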
