Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Excluding an endpoint for specific type of scan attack

Vinay | Last updated: Oct 26, 2020 06:08PM UTC

Is it possible to exclude a specific endpoint to be excluded for only speicific type of scan attack test? E.g. when I perform scan for URL http://foo.company.com, we find two issues at /myWebApp endpoint. Issue-A - Reflective XSS Issue-B - Extern Service Interaction (HTTP or DNS) Issue-A is a valid, however Issue-B is false-positive. How do I set my scan/configuration to exclude "/myWebApp" end-point for future External Service Interaction tests? Note - I would like to continue testing External Service Interaction attacks on my others endpoints in AUT. Thanks, Vinay

Vinay | Last updated: Oct 26, 2020 06:09PM UTC

Additional clarification: - I don't want to completely exclude '/myWebApp'

Vinay | Last updated: Oct 26, 2020 09:00PM UTC

One more clarification/information -- I am using Professional 2.1.07 edition. So please advise for solution accordingly.

Liam, PortSwigger Agent | Last updated: Oct 27, 2020 09:06AM UTC

Vinay, I don't think this is currently possible in the same task. You could run one task without External Service Interaction. Then, run a separate task with just External Service Interaction and ignore certain insertions points. - https://portswigger.net/burp/documentation/desktop/scanning/audit-options Would this satisfy your requirements?

Vinay | Last updated: Oct 27, 2020 03:39PM UTC

Thanks Liam for suggestion - this may work when perform manual scan. Unfortunately, this was (External Service Interaction) was one of the example of such. We have different endpoints w/ different types of attacks that causes false-positive (or we just want to suppress issues - based on expected behavior of the application). Creating separate task for each such cases and maintaining them would be a challenge. Thanks, Vinay

Liam, PortSwigger Agent | Last updated: Oct 29, 2020 02:48PM UTC

Vinay, we've added a story to our development backlog to allow configuration of which scan checks to run on a per-URL basis. Unfortunately, we can't provide an ETA.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.