The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

Can a Burp scan inject new valid entries?

Meghana | Last updated: Apr 23, 2020 07:04AM UTC

Hi, we have scanned an iOS application using Burp Suite Pro (v1.7.37), and after that scan the app team raised a concern that many new entries had been created in the DB for people who don't have permission to enter the app, and that the time the entries were created falls in the window in which the scan was performed. So can you please let me know whether the Burp scanner can inject new entries? Is it possible that those entries were created because of the scan? P.S.: The entries created were of valid employees, but nowhere in the scan recording process were those names mentioned, and those people don't have access to the app; without access no one can even open or know about the app. Thanks in advance.

Liam, PortSwigger Agent | Last updated: Apr 23, 2020 07:28AM UTC

Like any security testing software, Burp Suite contains functionality that can damage target systems. Testing for security flaws inherently involves interacting with targets in non-standard ways that can cause problems in some vulnerable targets. You should take due care when using Burp, read all documentation before use, back up target systems before testing, and not use Burp against any systems for which you are not authorized by the system owner, or for which the risk of damage is not accepted by you and the system owner.

Burp can create entries in a database. Burp would not have the ability to guess the names of your employees. It seems likely that those names were already in the database. Please let us know if you need any further assistance.

Meghana | Last updated: Apr 23, 2020 08:24AM UTC

Hi Liam, thank you for your quick response. The scan was done in the test environment only, and care has been taken. Our only concern is whether those entries were created due to the scan or not. Those names were definitely not in the database earlier, as they are employees of a different geographical location where this app doesn't even have access. Apart from the names of the employees, other details such as phone number and email ID were junk data, so the team is saying that the scan might have injected these entries. So can you please clear my doubt as to whether it's possible for the Burp scanner to inject some valid entries (my understanding is that it injects random data like burp.com for email entries and some sample names) which were not in the database earlier? Appreciate your help.
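One way to settle the attribution question in the post above is to correlate the suspect rows with the scan window and with what the scanner actually submitted. The script below is an added example, not code from PortSwigger or from anyone in this thread; it assumes you can export the suspect rows with their creation timestamps and the request bodies the scanner sent (for instance from the proxy or scanner history), and all sample data in it is constructed.

```python
from datetime import datetime
from urllib.parse import parse_qs

# E-mail domains a scanner typically stuffs into form fields. burp.com is
# quoted in the thread; example.com is an assumed placeholder for this example.
PLACEHOLDER_DOMAINS = {"burp.com", "example.com"}

# Constructed scan window and constructed scanner request bodies.
SCAN_WINDOW = (datetime(2020, 4, 20, 9, 0), datetime(2020, 4, 20, 17, 0))
RECORDED_REQUESTS = [
    "name=test&email=test%40burp.com&phone=1234",
    "name=John+Doe&email=a%40burp.com&phone=0000",
]

# Constructed rows as exported from the application's user table.
ROWS = [
    {"id": 1, "name": "John Doe", "email": "a@burp.com", "phone": "0000",
     "created": datetime(2020, 4, 20, 10, 15)},
    {"id": 2, "name": "Priya Raman", "email": "x@burp.com", "phone": "1234",
     "created": datetime(2020, 4, 20, 11, 0)},
    {"id": 3, "name": "Ana Silva", "email": "ana@corp.example",
     "phone": "+551199998888", "created": datetime(2020, 4, 19, 8, 0)},
]

def submitted_values(requests):
    """Every URL-decoded form value the scanner sent, lower-cased for matching."""
    values = set()
    for body in requests:
        for vals in parse_qs(body, keep_blank_values=True).values():
            values.update(v.strip().lower() for v in vals)
    return values

def looks_like_scanner_junk(row):
    """True when the non-name fields look like scanner filler, not real contact data."""
    domain = row["email"].rpartition("@")[2].lower()
    digits = "".join(ch for ch in row["phone"] if ch.isdigit())
    return domain in PLACEHOLDER_DOMAINS or len(digits) < 7

def triage(row, window=SCAN_WINDOW, requests=RECORDED_REQUESTS):
    """Classify one row; only a 'likely' verdict attributes it to the scan."""
    start, end = window
    if not start <= row["created"] <= end:
        return "outside scan window"
    if row["name"].strip().lower() in submitted_values(requests):
        return "likely scanner-created"
    if looks_like_scanner_junk(row):
        return "inconclusive: junk fields but name never sent by scanner"
    return "unlikely scanner-created"

if __name__ == "__main__":
    for row in ROWS:
        print(row["id"], row["name"], "->", triage(row))
```

A row whose name never appears in the recorded scanner traffic cannot have been typed in by the scanner, so an "inconclusive" verdict points at another writer (a seeded fixture, another job, or a value the application itself copied from an existing directory) rather than at the scan.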

Liam, PortSwigger Agent | Last updated: Apr 23, 2020 09:37AM UTC