Burp Suite User Forum

Create new post

Burp2 URL exclusion for scan, but not for session

Andrej | Last updated: Dec 17, 2018 12:41PM UTC

For Burp2 and Burp EE - how do I exclude the URL for scanning, but not for crawling part? That is, the login is taken care of by 3rd party authentication mechanism located in external domain. Example: Test scope URL: www.test.com When I first to go such address, I'm redirected to www.log.me.in = different domain. I need crawler to fill in the authentication parameters here. After success, I'm redirected back to www.test.com with valid session, and I can now try scanning and using Burp Active Scan. How can I achieve, that I would only be testing www.test.com for vulnerabilities, but exclude www.log.me.in domain from any tests, while still letting the tool proceed with entering authentication strings there so that I have a valid session?

PortSwigger Agent | Last updated: Dec 17, 2018 01:48PM UTC

Unfortunately, this isn't possible with the current beta. I agree this is a necessary feature for scanning a lot of apps. This is on the development plan - and relatively high up. We'll let you know when we make progress implementing it.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.