Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

How to prevent scanner from accessing out of scope items?

Wes | Last updated: Sep 07, 2021 09:50PM UTC

When I set up a scan with a defined scope, the scanner is accessing resources that are out of scope. Simple example workflow: 1. Start a new temporary project 2. Add "https://example.com" to the target scope 3. Create a new scan with these settings: a. Scan type: Crawl and Audit b. URLs to scan: https://example.com c. All other options at default After I start the scan, I can immediately see in the logger that the scanner is accessing external domains that are linked from the target site (such as Facebook, Google, CDNs, etc.) What's the best way to tell the scanner to ONLY access in-scope items? Do I have to use Project Options / Out-of-Scope Requests / Drop all out-of-scope requests, or is there another way to do this for only the scanner?

Michelle, PortSwigger Agent | Last updated: Sep 08, 2021 09:39AM UTC

Thanks for your message. During the crawl phase of the scan, you can choose whether or not you want the crawl to load site resources from out-ot-scope hosts. Scan configuration -> Crawl Configuration -> Miscellaneous -> Embedded browser options -> Load site resources from out-of-scope hosts Please let us know if this helps.

Wes | Last updated: Sep 08, 2021 12:27PM UTC