The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Burpsuite Enterprise: Crawling and scoping

Beth | Last updated: Mar 25, 2019 02:55PM UTC

Is there any documentation on how crawling/scoping works in Burpsuite Enterprise? We've tried all of the crawl scan configurations along with varying combinations of "Add all links to site map" and/or "Add requested items to site map" but have been unable to reproduce the same findings found using Burpsuite Pro. It seems the only thing that works is manually adding subdomains in "included URL's" to get results.

Burp User | Last updated: Mar 25, 2019 02:57PM UTC

Adding more details to case: We've tried all of the crawl scan configurations along with varying combinations of "Add all links to site map" and/or "Add requested items to site map" but have been unable to reproduce the same findings found using Burpsuite Pro. It seems the only thing that works is manually adding subdomains in "included URL's" to get results.

Specific example: In Burpsuite Enterprise, we added included URL juice-shop.herokuapp.com, selected scan configurations crawl (tried all), also tried "add links..." and "add requested..", and the only real finding is "Strict transport security not enforced". If you spider/scan the same domain in Burpsuite Pro, there are many high findings. One specific high finding, Cross-site Request Forgery, is found under https://juice-shop.herokuapp.com/api/Users. (This is not found in Burpsuite Enterprise.)

In Enterprise, no matter which combination of crawl/audit configurations are selected, there are no findings of interest unless you manually add items like (/api/Users) to included URLs. We've even tried importing the Burpsuite Pro configurations exported as JSON into Enterprise and none of the high findings are found in Enterprise.

Liam, PortSwigger Agent | Last updated: Mar 25, 2019 04:04PM UTC

Thanks for the additional information, Beth. Burp Pro and Enterprise use the same crawl and scan engine. Which version of Burp Suite Pro are you using?

Burp User | Last updated: Mar 25, 2019 07:43PM UTC

Pro version 1.7.3.7.

Liam, PortSwigger Agent | Last updated: Mar 26, 2019 02:10PM UTC