Burp Suite User Forum


Can I add more scans to SQLi or XSS scans which are run by Scanner?

Christian | Last updated: Feb 19, 2016 09:21AM UTC

I want to configure Burp a bit more. As I understand it, in Scanner / Options I can select the Active Scanning Areas. Is there a way to add more, e.g. SQLi or XSS, to what is already checked? Where can I see the list of payloads which are injected by Scanner? Are these the same as in Intruder / Payload Options? Can something be done with the Issue Definitions, or are they informational only? Thanks

PortSwigger Agent | Last updated: Feb 19, 2016 11:32AM UTC

You can customize the Scanner by adding your own checks or scan logic via the extensions API. There is an example here of creating a custom scan check: https://portswigger.net/burp/extender/ You can't simply add additional "payloads" to Burp's native scan checks. Those checks employ complex state machines to generate their requests during scanning, and aren't as simple as e.g. running through a list of payloads looking for errors. The issue definitions are currently read-only, but we might allow customization of those at some future point.
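To make the agent's answer concrete, here is an added example of a custom scan check written against the Burp Extender API (the `burp` package interfaces `IBurpExtender`, `IScannerCheck`, `IScanIssue` and friends). It is illustrative code written for this thread, not PortSwigger's own sample and not a replacement for any native check. The class name `ReflectionIssue` and the issue text are assumptions. The check injects a random, metacharacter-free canary into each insertion point the Scanner offers and reports an informational issue when the canary comes back verbatim, which is the first step any XSS check needs and is also where the native checks go far beyond this: they then probe the reflection context and the encoding applied, which is exactly the "complex state machine" work the answer refers to.

```java
package burp;

import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import java.util.UUID;

// Added example (not PortSwigger code): a minimal active scan check that
// reports where submitted input is reflected unmodified in the response.
public class BurpExtender implements IBurpExtender, IScannerCheck {
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Reflection canary check (example)");
        // Registering the check makes Scanner call doActiveScan for every
        // insertion point it identifies, alongside its native checks.
        callbacks.registerScannerCheck(this);
    }

    @Override
    public List<IScanIssue> doPassiveScan(IHttpRequestResponse baseRequestResponse) {
        return null; // this example has no passive logic
    }

    @Override
    public List<IScanIssue> doActiveScan(IHttpRequestResponse baseRequestResponse,
                                         IScannerInsertionPoint insertionPoint) {
        // A fresh alphanumeric canary per request: unique enough to rule out
        // accidental matches, harmless because it contains no metacharacters.
        String canary = "cx" + UUID.randomUUID().toString().replace("-", "").substring(0, 12);
        byte[] payload = helpers.stringToBytes(canary);

        // buildRequest places the payload in the insertion point (with the
        // encoding appropriate for that location) and returns the full request.
        byte[] request = insertionPoint.buildRequest(payload);
        IHttpRequestResponse probe = callbacks.makeHttpRequest(
                baseRequestResponse.getHttpService(), request);
        byte[] response = probe.getResponse();
        if (response == null) {
            return null;
        }

        int idx = helpers.indexOf(response, payload, false, 0, response.length);
        if (idx == -1) {
            return null; // not reflected verbatim: nothing to report
        }

        // Highlight the payload in the request and its echo in the response
        // so the finding is verifiable in the issue's request/response tabs.
        List<int[]> requestMarkers = new ArrayList<>();
        requestMarkers.add(insertionPoint.getPayloadOffsets(payload));
        List<int[]> responseMarkers = new ArrayList<>();
        responseMarkers.add(new int[]{idx, idx + payload.length});

        List<IScanIssue> issues = new ArrayList<>();
        issues.add(new ReflectionIssue(
                probe.getHttpService(),
                helpers.analyzeRequest(probe).getUrl(),
                new IHttpRequestResponse[]{callbacks.applyMarkers(probe, requestMarkers, responseMarkers)},
                "Input reflected in response (custom check)",
                "The value submitted in insertion point <b>" + insertionPoint.getInsertionPointName()
                        + "</b> was returned unmodified. Review the output encoding applied at this location."));
        return issues;
    }

    @Override
    public int consolidateDuplicateIssues(IScanIssue existingIssue, IScanIssue newIssue) {
        // -1 keeps only the existing issue, 0 reports both, 1 keeps only the new one.
        return existingIssue.getIssueName().equals(newIssue.getIssueName()) ? -1 : 0;
    }
}

// Assumed helper class for this example: a plain IScanIssue carrier.
class ReflectionIssue implements IScanIssue {
    private final IHttpService service;
    private final URL url;
    private final IHttpRequestResponse[] messages;
    private final String name;
    private final String detail;

    ReflectionIssue(IHttpService service, URL url, IHttpRequestResponse[] messages,
                    String name, String detail) {
        this.service = service; this.url = url; this.messages = messages;
        this.name = name; this.detail = detail;
    }

    @Override public URL getUrl() { return url; }
    @Override public String getIssueName() { return name; }
    @Override public int getIssueType() { return 0x08000000; } // extension-generated issue
    @Override public String getSeverity() { return "Information"; }
    @Override public String getConfidence() { return "Firm"; }
    @Override public String getIssueBackground() { return null; }
    @Override public String getRemediationBackground() { return null; }
    @Override public String getIssueDetail() { return detail; }
    @Override public String getRemediationDetail() { return null; }
    @Override public IHttpRequestResponse[] getHttpMessages() { return messages; }
    @Override public IHttpService getHttpService() { return service; }
}
```

Compile this against the Burp Extender API stubs and load the resulting JAR from Extender / Extensions; the check then appears under its own issue name in Scanner results. Because the verdict is based on a single verbatim match, it is deliberately reported as Information rather than as a vulnerability: deciding whether a reflection is exploitable requires the context and encoding analysis that Burp's native checks perform and that this example does not attempt.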
