The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


How to only scan once for one url or one host

bit4woo | Last updated: Jul 26, 2018 01:07PM UTC

In some situations, the scanner only needs to send one request per URL or per host to detect the vulnerability. But the doActiveScan function in IScannerCheck is called per insertPoint. That is to say, doActiveScan is called multiple times for one URL or one host. Is there any method to do this? Thanks.

PortSwigger Agent | Last updated: Jul 26, 2018 01:29PM UTC

You could implement some code in your extension to do this. Keep a HashMap of all the URLs already scanned, and check this before calling doActiveScan. doActiveScan will do exactly what you tell it - it does no de-duplication. This is useful as sometimes a URL is only exploitable depending on a parameter in the request. The Burp UI does do some de-duplication - if you launch a scan of multiple requests, the Active Scan Wizard appears and provides the option of several de-duplication strategies.

Burp User | Last updated: Jul 27, 2018 01:30AM UTC

Hi Paul, thanks for your reply. I have checked the method in J2EEScan (https://github.com/portswigger/j2ee-scan). It does not work correctly in the framework of J2EEScan, but may be useful in other code frameworks. Thanks for your idea.

To test the method in J2EEScan, I changed the class to print some string when it is called: https://github.com/PortSwigger/j2ee-scan/blob/master/src/main/java/burp/j2ee/issues/impl/JBossAdminConsole.java

A further question: when should I clear the HashMap, if I use it? I think it will get bigger and bigger and eat my computer's memory over the entire lifetime of Burp Suite.
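
One way to implement the de-duplication discussed in this thread while keeping memory bounded, as an added example that is not code from the thread, from PortSwigger or from J2EEScan. `ScanOnceGate`, `firstVisit` and the sample URLs are hypothetical names and constructed values; the Burp calls named in the comment are from the legacy Extender API.

```java
import java.net.URI;
import java.net.URL;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/** Hypothetical helper (not part of the Burp API): remembers targets a check already probed. */
public class ScanOnceGate {
    private final Set<String> seen;

    public ScanOnceGate(final int maxEntries) {
        // Access-ordered LinkedHashMap that evicts the least recently used key,
        // so the set cannot grow without limit during a long Burp session.
        // Trade-off: a target evicted from the set may be probed again later.
        Map<String, Boolean> lru = new LinkedHashMap<String, Boolean>(256, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, Boolean> eldest) {
                return size() > maxEntries;
            }
        };
        // Scanner checks can be invoked from several threads, so synchronize access.
        this.seen = Collections.synchronizedSet(Collections.newSetFromMap(lru));
    }

    /** Returns true only the first time this host (perHost) or host plus path is seen. */
    public boolean firstVisit(URL url, boolean perHost) {
        int port = url.getPort() == -1 ? url.getDefaultPort() : url.getPort();
        String key = url.getProtocol() + "://" + url.getHost().toLowerCase() + ":" + port;
        if (!perHost) {
            key += url.getPath(); // query string ignored: insertion points share one key
        }
        return seen.add(key);
    }

    // Intended use inside IScannerCheck.doActiveScan(baseRequestResponse, insertionPoint):
    //   URL url = helpers.analyzeRequest(baseRequestResponse).getUrl();
    //   if (!gate.firstVisit(url, false)) return null; // already probed, skip this insertion point

    public static void main(String[] args) throws Exception {
        ScanOnceGate gate = new ScanOnceGate(10_000);
        // Constructed sample: the same request reached through two insertion points.
        URL first = URI.create("https://example.test/admin-console/login?user=x").toURL();
        URL second = URI.create("https://example.test:443/admin-console/login?pass=y").toURL();
        System.out.println("first call probes:  " + gate.firstVisit(first, false));
        System.out.println("second call probes: " + gate.firstVisit(second, false));
    }
}
```

Keep one gate per check class rather than one shared instance, otherwise the first check to see a URL suppresses every other check for it.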

PortSwigger Agent | Last updated: Jul 27, 2018 09:13AM UTC