Burp Suite User Forum

Burp Suite Enterprise + OWASP Juice Shop

Guilherme | Last updated: Dec 30, 2019 05:42PM UTC

Hi, I'm using Burp Suite Enterprise (Version: 1.1.04-2579, Java version: 9.0.4) and configured a new scan with crawl and audit into the OWASP Juice Shop (https://juice-shop.herokuapp.com). This application is written entirely in JavaScript and Burp's crawler doesn't currently handle JavaScript-heavy applications. I've tried all of the crawl scan configurations along with varying combinations but have been unable to reproduce the same findings found using Burp Suite Pro (v2.1.07), e.g. Open redirection (DOM-based).

Burp Suite Enterprise scan configurations:
- Crawl limit - 30 minutes
- Never stop crawl due to application errors
- Crawl strategy - most complete
- Never stop audit due to application errors
- Audit coverage - thorough

XSS is not detected (Burp Suite Pro & Enterprise): https://juice-shop.herokuapp.com/#/search?q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E

Liam, PortSwigger Agent | Last updated: Dec 31, 2019 11:27AM UTC

We have released an experimental version of a new JavaScript crawling feature in Burp Suite Pro: http://releases.portswigger.net/2019/11/professional-2105.html

To use the experimental version in Burp Enterprise:
1. First, ensure that you are using Burp Scanner version 2.1.06 in the Settings > Updates page.
2. Next, turn on the experimental crawler feature in Burp Pro (screenshot attached).
3. Save the scan configuration and import it into Burp Enterprise as demonstrated in this tutorial: https://support.portswigger.net/customer/portal/articles/2973443-using-burp-suite-enterprise-creating-a-custom-scan-configuration

This feature is still in the experimental phase. It doesn't currently work well with OWASP Juice Shop. You should see improvements in other JavaScript-heavy apps.

kinzdg99 | Last updated: Feb 16, 2020 05:35PM UTC

I want to know.
