Burp Suite User Forum


How do I check out malicious input Database that Burp Suite Scanner uses for different attacks?

Vinaya | Last updated: Sep 26, 2016 09:09AM UTC

I have bought Burp Suite Scanner and I was analysing it. I checked for various vulnerabilities it detects by trying out various attacks. I want to check the list of malicious inputs it uses to inject in the fields. For example, Burp finds XSS at one location by trying out a certain input string. Could I get to know the list of input strings it tries?

PortSwigger Agent | Last updated: Sep 26, 2016 09:31AM UTC

There isn't actually a "database" of malicious inputs that Burp uses. The Scanner doesn't operate by iterating through a preset list of attack strings and simply sending each one. Rather, the majority of scan checks implement a decision-tree logic that emulates the actions of a skilled manual attacker, where an initial input is sent, the result analyzed, and then further, more specific and derived inputs are sent based on the earlier observations. This continues iteratively until an issue is confirmed or ruled out. Some inputs are used purely for the purpose of ruling out false positives after some potentially interesting behavior has been observed. The core scanner logic is implemented as a series of state machines with inputs being hard-coded or dynamically generated at various locations in the logic, so there isn't a list that we can or would share, sorry.
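To make the "decision tree rather than a list" point concrete, here is a small added illustration (not PortSwigger's code, and not a reproduction of Burp Scanner's actual checks). It models one stateful reflection check: every input after the first is derived from what the previous response showed, and one step exists only to rule out a false positive. The "target" is a local function standing in for a web application, so nothing is sent over the network; the target functions, the `OneShotTarget` class and the result labels are all constructed for this example.

```python
import html
import secrets
from typing import Callable, List, Optional

# A target is simulated as a function from the submitted parameter value to the
# response body. Constructed stand-in for a web application; runs fully offline.
Target = Callable[[str], str]


def stateful_reflection_check(target: Target, sent: Optional[List[str]] = None) -> str:
    """Walk a small decision tree against `target`.

    Returns one of: 'not_reflected', 'not_reproducible',
    'reflected_encoded', 'reflected_raw'.
    `sent` (optional) collects every value submitted, to show how few inputs
    the tree needs compared with blasting a fixed list at the parameter.
    """
    sent = sent if sent is not None else []

    def submit(value: str) -> str:
        sent.append(value)
        return target(value)

    # Branch 1: does the parameter come back in the response at all? A random
    # canary means a coincidental match with static page content cannot fire.
    canary = secrets.token_hex(8)
    if canary not in submit(canary):
        return "not_reflected"  # tree ends here; no further inputs are needed

    # Branch 2 (false-positive rule-out): the reflection must be reproducible
    # with a fresh value. A one-off echo (stale cache, request log) is no issue.
    canary2 = secrets.token_hex(8)
    if canary2 not in submit(canary2):
        return "not_reproducible"

    # Branch 3: only now ask whether HTML metacharacters survive in that
    # reflection. The probe is derived from the canary so the exact reflected
    # fragment can be located in the body instead of guessing.
    probe = canary2 + "<>"
    body = submit(probe)
    if probe in body:
        return "reflected_raw"  # output encoding is missing at this sink
    return "reflected_encoded"  # e.g. "&lt;&gt;" came back; the sink encodes


# --- constructed simulated targets -------------------------------------------

def static_target(value: str) -> str:
    """Never reflects the parameter."""
    return "<html><body>Welcome</body></html>"


def escaping_target(value: str) -> str:
    """Reflects the parameter with correct HTML encoding."""
    return f"<p>Results for {html.escape(value)}</p>"


def raw_target(value: str) -> str:
    """Reflects the parameter without encoding (the defect the check looks for)."""
    return f"<p>Results for {value}</p>"


class OneShotTarget:
    """Reflects only the first value ever submitted, simulating a stale cache.

    A list-driven scanner that matched on its first hit would report this;
    the reproducibility branch above rules it out.
    """

    def __init__(self) -> None:
        self.first: Optional[str] = None

    def __call__(self, value: str) -> str:
        if self.first is None:
            self.first = value
        return f"<p>Results for {self.first}</p>"


if __name__ == "__main__":
    for name, target in [
        ("static", static_target),
        ("escaping", escaping_target),
        ("raw", raw_target),
        ("one-shot", OneShotTarget()),
    ]:
        sent: List[str] = []
        verdict = stateful_reflection_check(target, sent)
        print(f"{name:9s} -> {verdict:19s} after {len(sent)} input(s)")
```

The point the reply makes shows up in the `sent` list: a non-reflecting parameter costs exactly one input and the tree stops, while the encoding probe is only ever generated from a canary that has already been observed twice. There is no static list to extract because the third input does not exist until the first two responses have been read.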
