Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Help reading reports better to verify issue with manual scanning

Adam | Last updated: Sep 22, 2017 06:21PM UTC

After I finished scanning a website, I use the Burp suite reporting tool and save the file with a html file ext. When I going over the reports and someone asked me to verify that issue. The issue is part of filename multipart parameter attribute. I am having trouble putting the exact weblink to test like SQL or XSS issue that is listed as severity high confidence firm in the request part of the report post data Post /XXX/A/WHY? there is where issue listed Content-Disposition: form-data; name=XXX' how do I use the report information to do manual testing?

PortSwigger Agent | Last updated: Sep 25, 2017 08:47AM UTC

Hi Adam, Thanks for you message. Normally you can copy the request from the report and paste it into Repeater. Sometimes requests contain cookies that have expired. If you login to the web app using your browser, and Burp as a proxy - Burp will get a fresh session cookie. By default these are not applied to Repeater, but you can turn this on in Project options > Sessions > Use cookies from Burp's cookie jar > Edit > Scope Also, I suggest you keep the project file for each assessment you do, rather than relying on the report. Please let us know if you need any further assistance.

Burp User | Last updated: Sep 25, 2017 04:12PM UTC

Hey Paul, I just try to copy the information from the report in repeater. I can see after I select Go and fill out the hostname and port, that Params tab does fill out. I did change the setting you pointed out for cookies. I also remove all the other fields that are not in question. Then I select go again I get a response, with all new areas that are required to renew when trying to access this part of the website. I was still trying to get, how the url will look like when I need to manual test, I try the from the BAstore Logger++ it did not record anything. Then I thought why not try to right click to see what options come, then i select the sqlmapper and sentinel as well. They fill out all the information I need. SQLmap show me how the it would look in a url for manual testing. I have not save project file for a webscan, I will do that next scan I can to see what I can do with it if I need to manual scan something. Thanks Paul

PortSwigger Agent | Last updated: Sep 27, 2017 08:59AM UTC