Burp Suite User Forum


Get all payloads for scanner?

Danny | Last updated: Jan 03, 2018 10:40AM UTC

Hi, is it possible to get all the payloads from Scanner? This list should also be categorized per individual issue. Basically, I want to be aware of exactly what payloads will be put in the target requests before I perform the actual scan.

Usually I test acceptance and testing environments, but when doing it on production I am very cautious of using Burp Scanner, as I should be of course. But this often leads to not using it at all and only performing manual testing, which, in my opinion, is inefficient. I would like to know exactly what Burp will do when I, for example, select OS command injection: what payloads will be used, and does changing the detection method influence the selection of payloads?

I kinda feel that this could be considered proprietary information, but I think as a tester I should be able to get this information. I like that Burp gives you total control over how Scanner functions, and I really like the new categorization and fine-grained control over the issues that I am scanning for. But total control without knowledge of the underlying mechanisms is kinda fake total control. If I enable Unidentified code injection, which is labeled as Intrusive, I should be able to know exactly what payloads will be sent to the server before I actually execute the scan.

I am aware it is possible to perform a scan on some dummy page and gather all payloads through Logger++, but this means I would need to do this every time Burp gets updated. And if any payloads are dynamically created, then this will not be a complete list because it then depends on my dummy page.

Thanks for your time, Danny

PortSwigger Agent | Last updated: Jan 03, 2018 11:01AM UTC

Hi Danny, thanks for your message. It isn't possible to see a payload list for Active Scanner. The Scanner is not a simple payload sender like Nikto or other tools. The payloads are adaptive; Burp will vary what is sent based on earlier responses. Monitoring the Scanner with an extension like Flow or Logger++ is the best way to get an idea of what it's doing.

What you could potentially do is chain two instances of Burp. Run Scanner in the downstream Burp. Use Intercept in the upstream Burp. Then you can forward or drop messages as you see fit. I'm not aware of any other testers working in this manner, though. It sounds like you would spend so much time avoiding risk to the server that it reduces the thoroughness of your test. Instead, I'd recommend either testing in a pre-prod/dev environment or pre-warning the client that there's a small risk of damage.

Your suggestion about categorizing is interesting. What sort of categories would you be looking for? We already have the filters to do this to some extent. Please let us know if you need any further assistance.

Burp User | Last updated: Jan 04, 2018 07:30AM UTC

Hi, thank you for the answer. I didn't mean anything by categorization; I was just referring to the new granular way of selecting what scans the Scanner will perform. Best regards, Danny
