The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Different results at first scan between version 1.7 and version 2

Zucchelli | Last updated: Sep 21, 2018 09:05AM UTC

In testing the 2.0 version of Burp, I noticed that, scanning the same target, version 1.7 found reflected XSS vulnerabilities that 2.0 did not. Both scans were done using the default configurations of both products. (I mean that, for 1.7, I followed the configuration suggested in the "Using Burp as a point and click scanner" article.) Once the 2.0 (2.0.0.6) scan finished (without finding the reflected XSS vulnerability), I went to the Target tab, found the path where the vulnerability should have been found, right-clicked and selected "Scan", accepting all the subsequent default configurations. This time the reflected XSS has been found! Is it something I'm doing wrong, or is there something else? Thank you

Liam, PortSwigger Agent | Last updated: Sep 21, 2018 09:17AM UTC

Thanks for this report Maurizio. It sounds like Burp's new crawler hasn't found the page. Did you use Burp Spider to map the application in the first instance? Could you provide us with some more information about the application? When you perform a crawl of the application with Burp 2, do you notice items missing from the site map?

Burp User | Last updated: Sep 21, 2018 02:04PM UTC

Thank you for your reply. The crawler has found the page, but between the first and the second iteration it has found a different number of vulnerabilities. I have prepared two screenshots to show the situation; what is the procedure to submit them? In taking the screenshots I noticed that the first iteration has triggered some errors while the second didn't. Maybe this is the reason for the different results? If so, how can I know that the errors triggered during a scan have led to an incomplete result for a specific URL? Thank you

Liam, PortSwigger Agent | Last updated: Sep 24, 2018 12:08PM UTC

Yes, it could be that the errors are related. It depends on the errors, but you could use the Logger++ extension from the BApp store to see exactly what the scanner is doing when the errors occur. You can send the screenshots to support@portswigger.net and we'll take a look. Thanks.
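The comparison the thread is doing by hand (issues reported by one Burp version but not by another against the same target) can be made repeatable by diffing the two XML issue exports. The script below is an added example, not PortSwigger code and not something from this thread; it assumes the element layout of Burp's XML report export (`<issues>` containing `<issue>` elements with `<name>`, `<host>`, `<path>`, `<severity>` and `<confidence>` children), and the two reports embedded in it are constructed sample data with a placeholder host.

```python
"""Diff two Burp Suite XML issue exports to list findings present in one scan
but missing from (or rated differently in) the other.

Added example, not PortSwigger code. The element layout assumed here
(<issues><issue><name/><host/><path/><severity/><confidence/>) follows
Burp's XML report export; both reports below are constructed sample data.
"""
import xml.etree.ElementTree as ET

# Constructed sample: what the older scanner version reported.
REPORT_OLD = """<?xml version="1.0"?>
<issues burpVersion="1.7.37" exportTime="Fri Sep 21 09:00:00 UTC 2018">
  <issue>
    <name>Cross-site scripting (reflected)</name>
    <host ip="192.0.2.10">http://app.example</host>
    <path><![CDATA[/search]]></path>
    <severity>High</severity>
    <confidence>Certain</confidence>
  </issue>
  <issue>
    <name>Cookie without HttpOnly flag set</name>
    <host ip="192.0.2.10">http://app.example</host>
    <path><![CDATA[/login]]></path>
    <severity>Low</severity>
    <confidence>Certain</confidence>
  </issue>
</issues>
"""

# Constructed sample: what the newer version reported on the same target.
# The reflected XSS is absent, the cookie issue is rated differently,
# and one issue appears only here.
REPORT_NEW = """<?xml version="1.0"?>
<issues burpVersion="2.0.0.6" exportTime="Fri Sep 21 10:00:00 UTC 2018">
  <issue>
    <name>Cookie without HttpOnly flag set</name>
    <host ip="192.0.2.10">http://app.example</host>
    <path><![CDATA[/login]]></path>
    <severity>Low</severity>
    <confidence>Firm</confidence>
  </issue>
  <issue>
    <name>Strict transport security not enforced</name>
    <host ip="192.0.2.10">http://app.example</host>
    <path><![CDATA[/]]></path>
    <severity>Low</severity>
    <confidence>Certain</confidence>
  </issue>
</issues>
"""


def load_issues(xml_text):
    """Return {(name, host, path): (severity, confidence)} for one export.

    The (name, host, path) triple identifies an issue well enough to match
    the same finding across two runs; serial numbers differ per scan, so
    they are deliberately not used as the key.
    """
    root = ET.fromstring(xml_text)
    found = {}
    for issue in root.iter("issue"):
        key = (
            issue.findtext("name", "").strip(),
            issue.findtext("host", "").strip(),
            issue.findtext("path", "").strip(),
        )
        found[key] = (
            issue.findtext("severity", "").strip(),
            issue.findtext("confidence", "").strip(),
        )
    return found


def diff_reports(old_xml, new_xml):
    """Compare two exports; each list holds sorted (name, host, path) keys."""
    old, new = load_issues(old_xml), load_issues(new_xml)
    return {
        # Findings the old version reported that the new one did not.
        "missing_in_new": sorted(k for k in old if k not in new),
        # Findings only the new version reported.
        "only_in_new": sorted(k for k in new if k not in old),
        # Same finding, but severity or confidence changed.
        "rating_changed": sorted(k for k in old if k in new and old[k] != new[k]),
    }


if __name__ == "__main__":
    for bucket, keys in diff_reports(REPORT_OLD, REPORT_NEW).items():
        print(bucket)
        for name, host, path in keys:
            print(f"  {name}  {host}{path}")
```

Point the two constants at real exports (for example by reading them from files) to use it against actual scans; a finding that lands in `missing_in_new` is the kind of candidate worth re-scanning individually from the Target tab, as the original poster did, before concluding that the newer scanner misses it.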

Chris | Last updated: Sep 02, 2021 09:46PM UTC

Has there been any update to this? v2021.8.2 is not finding the same issues as v1_7_37 for me.

Michelle, PortSwigger Agent | Last updated: Sep 03, 2021 10:09AM UTC