Burp Suite User Forum

Login to post

burp setting

afs | Last updated: Nov 02, 2019 04:10AM UTC

I use burp professional version, I click new scan task, it asks me to define crawling and auditing parameter, I use default setting, i can't find xss and csrf, so any parameter need to be changed in audit setting so we can discover csrf and stored xss?

Burp User | Last updated: Nov 02, 2019 04:10AM UTC

I use burp 2.1

Mike, PortSwigger Agent | Last updated: Nov 04, 2019 10:11AM UTC

Hi, once the site has been crawled, the audit phase then scans and detects potential vulnerabilities. All issue types including CSRF & XSS (Stored) are enabled by default so it should work out of the box. Have you verified manually that those vulnerabilities are present in your target application?

Burp User | Last updated: Nov 05, 2019 12:59AM UTC

we manually verify 15 reflect .xss, 5 dom based xss, 20 stored xss and 26 csrf issues for one website, using default auditing and crawling setting, burp only detect 5 dom based xss. pls advice which setting need to be added

Mike, PortSwigger Agent | Last updated: Nov 06, 2019 08:41AM UTC

You can ensure that Burp Scanner attempts all available insertion points it encounters and payloads available by changing the following settings in the audit configuration; - Audit Speed: Thorough - Skip checks unlikely to be effective due to insertion point's base value: Disabled - Issues Reported: All types enabled. - Insertion Point Types: All types enabled. - Frequently Occurring Insertion Points: All disabled. Whether or not Burp can detect them is based on the vulnerabilities you have manually verified yourselves, without an example it would be difficult to investigate if Burp should be detecting them or not.

You need to Log in to post a reply. Or register here, for free.