The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Capability to scan React.js

andy | Last updated: Jun 02, 2016 02:36PM UTC

As per the title - is Burp capable of truly scanning React.js built applications? Does anyone have any experience of this?

PortSwigger Agent | Last updated: Jun 02, 2016 02:48PM UTC

Burp's automated spider will struggle to achieve full coverage of JS-heavy / single-page applications, regardless of the client-side framework they are using. In this situation, it is preferable to manually walk through all of the application's functionality using your browser via Burp Proxy. Then, you can send the resulting requests for scanning in the normal way, by selecting them in the Proxy history, and using the context menu. During the scanning phase, coverage is normally considerably better if the initial crawling is done manually in the way described.

Burp User | Last updated: Jun 07, 2016 12:07PM UTC

Thanks for the info but I'm particularly asking about React. Is Burp capable of detecting vulnerabilities within React?

PortSwigger Agent | Last updated: Jun 09, 2016 07:55AM UTC

Burp does check for DOM-based vulnerabilities that may arise within JavaScript libraries themselves, or the usage that other client-side code makes of them.

Burp User | Last updated: Dec 20, 2016 07:01PM UTC

No, I don't think Burp Suite does so. It only looks for sources and sinks and if it finds a combination it will report it. Most of the time it's a false positive result like DOM-based XSS, URL redirection, etc.
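The difference between reporting a source/sink pair that merely appears in the same script and one where data actually flows from the source to the sink, as an added illustration that is not part of the thread and is not Burp's scanner logic. The pattern lists, the `coOccurrence`, `oneHopFlow` and `compare` helpers and the sample snippets are all constructed for this example.

```javascript
// Added illustration; the pattern lists are a small constructed subset, not any scanner's rule set.
const SOURCES = [/location\.(hash|search|href)/, /document\.referrer/, /window\.name/];
const SINKS = [/\.innerHTML\s*=/, /document\.write\s*\(/, /dangerouslySetInnerHTML/, /\beval\s*\(/];

// Naive check: report whenever any source and any sink appear in the same script.
function coOccurrence(code) {
  return SOURCES.some((s) => s.test(code)) && SINKS.some((k) => k.test(code));
}

// Stricter check: remember variables assigned from a source (or from another
// tainted variable) and report only if a sink statement mentions one of them.
function oneHopFlow(code) {
  const tainted = new Set();
  const stmts = code.split(/[;\n]/).map((s) => s.trim()).filter(Boolean);
  for (const stmt of stmts) {
    const usesSource = SOURCES.some((s) => s.test(stmt));
    const usesTainted = [...tainted].some((v) => new RegExp(`\\b${v}\\b`).test(stmt));
    if (SINKS.some((k) => k.test(stmt)) && (usesSource || usesTainted)) return true;
    const m = stmt.match(/^(?:const|let|var)\s+([A-Za-z_]\w*)\s*=/);
    if (m && (usesSource || usesTainted)) tainted.add(m[1]);
  }
  return false;
}

// Constructed sample snippets (held as strings, never executed).
const SAMPLES = {
  // Source and sink both present but unrelated: the banner is a constant.
  unrelated: `const tab = location.hash.slice(1);
    selectTab(tab);
    banner.innerHTML = "<b>Welcome</b>";`,
  // Real flow: the hash value reaches innerHTML through two variables.
  flow: `const msg = decodeURIComponent(location.hash.slice(1));
    const html = "<p>" + msg + "</p>";
    out.innerHTML = html;`,
  // React JSX text interpolation is escaped; no raw-HTML sink is involved.
  reactEscaped: `const q = new URLSearchParams(location.search).get("q");
    return <p>Results for {q}</p>;`,
  // React's raw-HTML escape hatch fed directly from the URL.
  reactRaw: `const q = new URLSearchParams(location.search).get("q");
    return <p dangerouslySetInnerHTML={{ __html: q }} />;`,
};

function compare(samples) {
  return Object.fromEntries(Object.entries(samples).map(([name, code]) =>
    [name, { coOccurrence: coOccurrence(code), oneHopFlow: oneHopFlow(code) }]));
}

console.log(compare(SAMPLES));
```

Only the `unrelated` sample differs between the two checks, which is the false-positive case; a finding of this kind is confirmed by tracing the value from source to sink in the running application.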

Mustaqeem | Last updated: Aug 04, 2022 11:57AM UTC

Hi Team, kindly confirm this. Is Burp Suite capable of scanning React JS applications?

Liam, PortSwigger Agent | Last updated: Aug 04, 2022 04:08PM UTC