Burp Suite User Forum

How do I manually add a vulnerability

Stoffel | Last updated: Feb 10, 2015 01:16PM UTC

Using the Intruder functionality, I saw the application was vulnerable to an XSS (with a custom payload). Active/Passive Scan doesn't find it. So I have a hit, but how can I flag this payload/result with these params as a match within the scanner results (or another place, to be able to include this match in the final report), and of course flag this with a type of XSS vuln and the relevant advisory? Thank you!

PortSwigger Agent | Last updated: Feb 10, 2015 01:44PM UTC

You can't currently create manual issues in the scan results. This feature is in our roadmap, and we hope to have it available later this year.

Burp User | Last updated: May 19, 2015 03:52AM UTC

Hello, Do you have an approximate release date for this feature? I find myself needing it quite a bit for manual issues I discover. For now, I hack together my own HTML report that parses your output plus my own into a new file. It would be sweet to have this built-in. Thanks!

PortSwigger Agent | Last updated: May 19, 2015 08:20AM UTC

We can't promise an ETA yet, but initial work to lay the groundwork for this feature is underway. There are several related capabilities that we will implement together (yet to be announced), so it will probably be completed at least 3 months from now, but hopefully not too long after that.

PortSwigger Agent | Last updated: Feb 18, 2016 05:17PM UTC

Apologies for the delay on this feature - we've been busy with other things. User-generated manual issues are very much in our roadmap and we hope to deliver the feature soon. FYI the Manual Scan Issues extension in the BApp Store does provide this feature, in the meantime.

Burp User | Last updated: Mar 23, 2016 10:08PM UTC

Hello, any news about this feature? As you know, during a pentest it is very common to find issues manually and it would be great to have the possibility to add them using the built-in issues list of Burp. Thank you

Burp User | Last updated: Oct 06, 2016 01:07AM UTC

IMHO, the best option is to add a menu entry in Proxy / HTTP History. I'd name it "Send to Scanner / Issue Activity" and put it right next to "Send to Intruder". The resulting action should be that a new dialog pops up (like the Manual Scan Issues extension), prefilled from the selected payload (Host, Path, Request, Response).

PortSwigger Agent | Last updated: Oct 06, 2016 07:25AM UTC

We don't currently have an ETA for this feature, sorry. We'll investigate the issue with Manual Scan Issues and update this thread.

Burp User | Last updated: Mar 22, 2017 03:38PM UTC

Hi, Any updates on when this feature will be rolled out? It appears that the latest version of "Manual Scan Issues" plugin does not work with the latest version of Burp Suite Professional v1.7.19. Help is greatly appreciated!

Adam, PortSwigger Agent | Last updated: Mar 22, 2017 05:02PM UTC

Hi Lucas, The Manual Scan Issues extension has been updated and works both on the Issues tab and also the Messages tab now too.

Adam, PortSwigger Agent | Last updated: Mar 24, 2017 05:05AM UTC

Hi Lucas, We don't maintain this extension, but we'll pass along these suggestions to the author. Hopefully the extension source will soon be available and welcoming contributions.

Burp User | Last updated: Apr 03, 2017 01:48PM UTC

Thanks for the quick turnaround! Not sure if this is the appropriate venue for this request. But it would be amazing if:

1. The "Add Issues" menu item automatically added the request and response to the issue.
2. There was a dropdown menu item in the ManScanAdd window to choose from a list of pre-populated issues.
3. There was a way to add/edit/delete the pre-populated issues from item #2.

Thanks!

PortSwigger Agent | Last updated: Apr 07, 2017 09:54AM UTC

Hi Jaike, We've added the ability to add scan issues to the extender API. So you can use an extension - either "Manual Scan Issues" or the newer "Add & Track Custom Issues". We do intend to eventually have a native feature for this, although that's not a priority at the moment.

Burp User | Last updated: Apr 10, 2017 10:51AM UTC


Burp User | Last updated: May 23, 2018 03:02PM UTC

Please advise on when this can be added given the number of assurances provided over the past few years that it was a priority item.
