The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.


Burp2 URL exclusion for scan, but not for session

Andrej | Last updated: Dec 17, 2018 12:41PM UTC

For Burp2 and Burp EE - how do I exclude a URL from scanning, but not from the crawling part? That is, the login is taken care of by a 3rd party authentication mechanism located in an external domain. Example: Test scope URL: www.test.com. When I first go to this address, I'm redirected to www.log.me.in = a different domain. I need the crawler to fill in the authentication parameters here. After success, I'm redirected back to www.test.com with a valid session, and I can now try scanning and using Burp Active Scan. How can I achieve that I would only be testing www.test.com for vulnerabilities, but exclude the www.log.me.in domain from any tests, while still letting the tool proceed with entering authentication strings there so that I have a valid session?

PortSwigger Agent | Last updated: Dec 17, 2018 01:48PM UTC

Unfortunately, this isn't possible with the current beta. I agree this is a necessary feature for scanning a lot of apps. This is on the development plan - and relatively high up. We'll let you know when we make progress implementing it.

Information | Last updated: Sep 19, 2024 09:17PM UTC

This post is old, but I have the same situation. Is there information on how to do this now?

Information | Last updated: Sep 19, 2024 09:52PM UTC

To add detail: We have website A that uses third party authentication, so it hits a redirect to a Microsoft server, does the auth thing, and comes back. If I leave out the MS URL, the scan says it can find no seed URL. If I include the MS URL, it scans the MS servers forever. The results only show a few findings for our website A. So, is there a way to tell Burp to only use the MS URL for auth and then ignore it?

Information | Last updated: Sep 19, 2024 09:57PM UTC

I did try putting the Microsoft URL in the Detailed scope config under exclude url prefixes. I am a Burp babe, so this stuff is foreign to me.

Ben, PortSwigger Agent | Last updated: Sep 20, 2024 08:51AM UTC

Hi, I believe that you have also sent us an email about this issue and I have replied to you there.

Information | Last updated: Sep 20, 2024 10:00PM UTC

Hi Ben, Yes, sir and thank you! Adding to the puzzle as pieces come together. I just found out that this is a Kubernetes environment. Does Burp even scan Kubernetes? I may have been barking up the wrong tree.

Ben, PortSwigger Agent | Last updated: Sep 23, 2024 11:55AM UTC