Burp Suite User Forum


How Do I configure Burp Enterprise Scope with more than one URL?

Justin | Last updated: Jan 30, 2021 12:30AM UTC

When configuring a new site in Burp Enterprise there are 3 options for Scope: Site URL, Include URLs, and Exclude URLs. However, only the Site URL talks about "All subdirectories of this URL will be scanned by default". How do I have a site scanned that pulls info from another server? For instance, we log in with a long URL: urlname.com\tenantname\somerandomtenantspecificcharaterstring, but all of the data is pulled from a secondary server that needs to be in scope as well, and that server has a hierarchy all of its own (so not just one directory). Also, I am having to use the recorded login sequences to get past our SSO. Do I put the secondary server in the Site URL, or the login site?

Michelle, PortSwigger Agent | Last updated: Feb 01, 2021 12:10PM UTC

Thanks for your message. Would the login page be the starting point for the scan, or are there other areas to be included before hitting the login page? When the data is pulled from the secondary server, are all URLs then ones that are on the secondary server, or will the navigation keep swapping between the two URLs? Could you email us some screenshots/example URLs of how the site is navigated to help us get a better understanding of the setup and help us see what options are available, please? You can contact us directly using support@portswigger.net.

Justin | Last updated: Feb 01, 2021 06:12PM UTC

I apologize, but I am not permitted to show the URLs or screenshots; I can, however, describe them. We log in to the main site that hosts multiple apps in the main menu. When you click on a specific app in the main menu, the URL in the browser bar does not change; the login info from the main site is transferred to the app and verified, and all of the data for that app is referred from other servers specific to that app. My expectation is that I put the app-specific server in the Site URL, then include the login page in the Include URLs bar. I have a couple of questions on how the setup page is worded. Are the "Include URLs" treated as in scope? Can I have multiple TLDs in scope? Does Burp Enterprise spider all pages down from the included URL or just the specific URL? How can I see the results from what Burp Pro spidered?

Justin | Last updated: Feb 01, 2021 06:12PM UTC

Correction on the last line in the previous post, I meant to say Burp Enterprise, not Burp Pro.

Michelle, PortSwigger Agent | Last updated: Feb 02, 2021 04:01PM UTC

Don't worry about the screenshots, I completely understand. If you go directly to the URL of the specific app, are you redirected to the login page if you're not already logged in? (I'm just trying to make sure I'm picturing the functionality correctly, then I'll try and address all your questions from the previous post in one go.)

Justin | Last updated: Feb 02, 2021 05:41PM UTC

Q: If you go directly to the URL of the specific app, are you redirected to the login page if you're not already logged in? A: Unfortunately no. The app server handles multiple tenants, so you cannot log in directly to the app server. The way that we handle this is we have a specific login URL that can go straight to the app, but it is not on the main app server. We log in from here: https://subdomain1.companyname.com/tenant_name/61c3b104-g5c1-6b48-8ec4-c3a8eb363f79 However, we also want a secondary URL in scope: https://subdomain2.companyname.com/ (notice the change in the subdomain). With Burp Suite Pro I can use a regex to tell it to include all subdomains, but I don't see how to configure this with Enterprise.

Michelle, PortSwigger Agent | Last updated: Feb 05, 2021 10:27AM UTC

Sorry for the delay in getting back to you. If you add https://subdomain1.companyname.com/tenant_name/61c3b104-g5c1-6b48-8ec4-c3a8eb363f as the site URL and then add https://subdomain2.companyname.com/ as a secondary URL under Included URLs, Enterprise will scan everything under the subdomain (so they are treated as being in scope), and you can add multiple URLs. The list of URLs scanned will be displayed once the audit has been completed (rather than viewing the URLs that have been crawled). As I'm writing this, though, I notice that you mentioned you were using regex to achieve this in Burp Suite Professional; was this just a way to shorten the list of URLs you needed to list under Included URLs?
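As an added illustration (not PortSwigger's code, nor part of the thread), the scope semantics described above modelled in Python: everything under the Site URL or an Included URL is in scope, Excluded URLs override, and an optional regex host rule stands in for the Pro-style "all subdomains" approach Justin mentions. The matching rules (scheme and host must match exactly, path-prefix on directory boundaries) and the sample exclusion are assumptions for the example, not Burp's documented behaviour.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit


def _parts(url):
    """Normalise a URL to (scheme, host, directory-terminated path) for prefix matching."""
    u = urlsplit(url)
    path = u.path or "/"
    if not path.endswith("/"):
        path += "/"          # so /logout does not match /logoutfoo
    return u.scheme.lower(), u.netloc.lower(), path


def _under(candidate, prefix):
    """True when candidate has the same scheme+host as prefix and sits under its path."""
    cs, ch, cp = _parts(candidate)
    ps, ph, pp = _parts(prefix)
    return cs == ps and ch == ph and cp.startswith(pp)


@dataclass
class Scope:
    """Hypothetical model of the Site URL / Included URLs / Excluded URLs settings."""
    site_url: str
    include_urls: list = field(default_factory=list)
    exclude_urls: list = field(default_factory=list)
    host_patterns: list = field(default_factory=list)   # regex host rules, Pro-style (assumed)

    def in_scope(self, url):
        if any(_under(url, x) for x in self.exclude_urls):
            return False                                  # exclusions always win
        if _under(url, self.site_url) or any(_under(url, i) for i in self.include_urls):
            return True
        host = urlsplit(url).netloc.lower()
        return any(re.fullmatch(p, host) for p in self.host_patterns)


# Constructed scope using the URLs from the thread; the /logout exclusion is made up.
SCOPE = Scope(
    site_url="https://subdomain1.companyname.com/tenant_name/61c3b104-g5c1-6b48-8ec4-c3a8eb363f79",
    include_urls=["https://subdomain2.companyname.com/"],
    exclude_urls=["https://subdomain2.companyname.com/logout"],
)


def classify(urls, scope=SCOPE):
    """Map each candidate URL to whether the scope would let the scanner touch it."""
    return {u: scope.in_scope(u) for u in urls}
```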
