The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Excluding an endpoint for specific type of scan attack

Vinay | Last updated: Oct 26, 2020 06:08PM UTC

Is it possible to exclude a specific endpoint for only a specific type of scan attack test?

E.g. when I perform a scan for URL http://foo.company.com, we find two issues at the /myWebApp endpoint:

Issue-A - Reflective XSS
Issue-B - External Service Interaction (HTTP or DNS)

Issue-A is valid, however Issue-B is a false positive. How do I set my scan/configuration to exclude the "/myWebApp" endpoint for future External Service Interaction tests?

Note - I would like to continue testing External Service Interaction attacks on my other endpoints in the AUT.

Thanks, Vinay

Vinay | Last updated: Oct 26, 2020 06:09PM UTC

Additional clarification: - I don't want to completely exclude '/myWebApp'

Vinay | Last updated: Oct 26, 2020 09:00PM UTC

One more clarification/information -- I am using Professional 2.1.07 edition. So please advise for solution accordingly.

Liam, PortSwigger Agent | Last updated: Oct 27, 2020 09:06AM UTC

Vinay, I don't think this is currently possible in the same task. You could run one task without External Service Interaction. Then, run a separate task with just External Service Interaction and ignore certain insertion points.

- https://portswigger.net/burp/documentation/desktop/scanning/audit-options

Would this satisfy your requirements?

Vinay | Last updated: Oct 27, 2020 03:39PM UTC

Thanks Liam for the suggestion - this may work when performing a manual scan. Unfortunately, this (External Service Interaction) was one example of such. We have different endpoints w/ different types of attacks that cause false positives (or we just want to suppress issues - based on expected behavior of the application). Creating a separate task for each such case and maintaining them would be a challenge.

Thanks, Vinay

Liam, PortSwigger Agent | Last updated: Oct 29, 2020 02:48PM UTC