The Burp Suite User Forum was discontinued on the 1st November 2024.

How to prevent Burp Scan from making POST requests

François | Last updated: Jun 20, 2023 02:03PM UTC

Hello,

In order to avoid any unwanted tampering when auditing a Web application, I would like to prevent Burp Scan from transforming my GET requests into POSTs when performing a scan. Which option should I modify to ensure that Burp Scan never sends a POST request without my permission?

Thanks for your help

Dominyque, PortSwigger Agent | Last updated: Jun 21, 2023 08:41AM UTC

Hi,

The virtue of scanning alone will impact the site. Can we ask what you are worried/concerned about Burp doing to the site? What outcome are you trying to prevent?

François | Last updated: Jun 21, 2023 12:59PM UTC

I've run a Burp scan on a request to collect information about users referenced on an application.

GET /api/customers?itemsPerPage=10

During the scan, Burp transformed the GET request into a POST, moving the URL parameters into the request body, in order to perform a kind of HTTP Request Smuggling vulnerability test. Some of the POST requests were interpreted by the application as the creation of a new user, containing inconsistent data.

Although this test revealed the possibility of creating improperly formatted users, I didn't want this behavior to occur. The application doesn't allow me to clean up these incorrect entries.

Dominyque, PortSwigger Agent | Last updated: Jun 22, 2023 09:14AM UTC

Hi,

As stated in this documentation: https://portswigger.net/burp/documentation/desktop/getting-started/running-your-first-scan, we do not recommend scanning production sites with Burp as it may have unexpected effects on some applications. We recommend using a test version of the site to perform the crawl and audit.

François | Last updated: Jun 26, 2023 02:27PM UTC