The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


I'm getting errors while using Burpsuite against the OWASP benchmark.

sanmay | Last updated: Jun 20, 2023 02:36PM UTC

When running the Burp Suite scan against the OWASP Benchmark, I am only receiving an "Input returned in response" issue, and I'm not getting any further results. I have tried to troubleshoot this problem, but I haven't been successful so far. It appears that Burp is only crawling the static HTML pages, and it's not actually testing/attacking the actual pages. Before scanning the OWASP Benchmark I used Burp Suite to scan the Mutillidae web app and I got proper results. On top of that, I also used ZAP to scan the Benchmark and ZAP gave the expected results. Could you kindly provide guidance or suggestions on how to resolve this issue?

Dominyque, PortSwigger Agent | Last updated: Jun 21, 2023 06:55AM UTC

Hi, we have deployed the same app and run some tests for you.

Just to point out, OWASP Benchmark appears to be a legacy HTML app and not comparable to a real-world modern web application, and it does not contain realistic vulnerabilities (which Burp's automated scanner is designed to test). There may also be some quirks around the structure/navigation of this app that may impact the results. OWASP themselves mention, even when scanning it with their products, to scan individual sections rather than the entire app at once due to an issue with the app. In our test scan of this app, we had to split the app down into sections to scan to get optimal findings.

Two recommendations on deliberately vulnerable alternatives to consider:

- [https://vulnerable-website.com/](https://vulnerable-website.com/) - developed independently by our industry-recognized research team. It contains realistic vulnerabilities and is designed to test any automated scanner without bias towards or against any specific tool, including Burp's scanner. It is modern, JavaScript-heavy and features some SPA front-end components, traditionally difficult for an automated scanner to cover effectively. The list of featured vulnerabilities can be found here: [https://vulnerable-website.com/vulnerabilities](https://vulnerable-website.com/vulnerabilities)
- Alternatively, if you would like an open-source, deliberately vulnerable web app created by a third-party research project that you can deploy in your own environment and inspect the source code of: [https://github.com/NeuraLegion/brokencrystals](https://github.com/NeuraLegion/brokencrystals) - a modern web app with a React SPA front-end and NodeJS backend with Swagger API.

However, if you would prefer to continue with OWASP Benchmark:

- OWASP Benchmark is a very static web app. If you do want to continue with this scan target, I recommend applying a scan configuration with the "Crawl strategy" set as "Fastest", which works best for static content.
Please let me know if I can help with anything else during your evaluation.
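
The two pieces of advice in the reply above (scan the Benchmark one section at a time, and apply a crawl configuration suited to static content) can be scripted rather than clicked through. The following is an added example, not code from the original thread or from PortSwigger: it builds one scan request per section and submits each to Burp Suite Professional's REST API, scoping every scan to its section prefix and attaching a named scan configuration. Assumptions: the REST API is enabled on its default address `http://127.0.0.1:1337/v0.1/`; a library configuration named `Crawl strategy - fastest` exists (rename to whatever configuration you saved with the "Fastest" crawl strategy); and the `BENCHMARK_BASE` URL and `SECTIONS` list are constructed sample input that you should replace with the section paths of your own deployment.

```python
"""Split a large, static target into per-section Burp scans.

Added example. Assumes Burp Suite Professional's REST API is enabled
(User options > Misc > REST API) on its default bind address; the request
body shape follows the documented POST /v0.1/scan endpoint.
"""
import json
import urllib.request
from urllib.parse import urljoin

# ASSUMPTION: default REST API address; change to match your instance.
BURP_API = "http://127.0.0.1:1337/v0.1/"
# ASSUMPTION: a named configuration with this exact name exists in Burp's
# configuration library (save one with Crawl strategy = Fastest if not).
CRAWL_CONFIG = "Crawl strategy - fastest"

# Constructed sample input: section prefixes of a locally deployed OWASP
# Benchmark. Replace with the real paths from your deployment.
BENCHMARK_BASE = "https://localhost:8443/benchmark/"
SECTIONS = ["sqli-00/", "xss-00/", "cmdi-00/", "pathtraver-00/"]


def build_scan_request(base_url, section, config_name=CRAWL_CONFIG):
    """Return the JSON body for POST /v0.1/scan covering one section.

    The scope include rule is the section URL itself, so the crawler stays
    inside that prefix instead of wandering across the whole app, and the
    named configuration supplies the crawl strategy."""
    section_url = urljoin(base_url, section)
    return {
        "urls": [section_url],
        "scope": {
            "include": [{"rule": section_url}],
            "exclude": [],
        },
        "scan_configurations": [
            {"type": "NamedConfiguration", "name": config_name}
        ],
    }


def build_all(base_url, sections, config_name=CRAWL_CONFIG):
    """One request body per section, in the order given."""
    return [build_scan_request(base_url, s, config_name) for s in sections]


def launch_scan(body, api_base=BURP_API):
    """POST one scan request. Burp answers 201 and puts the task id in the
    Location header; that id is what you poll with GET /v0.1/scan/{id}."""
    data = json.dumps(body).encode()
    req = urllib.request.Request(
        urljoin(api_base, "scan"),
        data=data,
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers.get("Location")


def scan_task_status(task_id, api_base=BURP_API):
    """Fetch the task summary (scan_status, issue events) for one section scan."""
    url = urljoin(api_base, f"scan/{task_id}")
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for body in build_all(BENCHMARK_BASE, SECTIONS):
        print(json.dumps(body, indent=2))
        # With Burp running, replace the print with:
        # task_id = launch_scan(body); print(scan_task_status(task_id))
```

Launching the sections sequentially (wait for one task to report a finished `scan_status` before posting the next) keeps the per-section results separate, which is what makes it possible to see whether a particular Benchmark category produced findings at all.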

sanmay | Last updated: Jun 21, 2023 11:51AM UTC

I recently conducted a scan using the OWASP Benchmark project with the "Fastest" crawl strategy, as suggested. However, I encountered the same results as before. Can I say these unexpected results are because the OWASP Benchmark project may not contain realistic vulnerabilities and cannot be directly compared to modern web applications in the real world, as you said previously? Consequently, Burp Suite's automated scanner, which is designed to effectively test real-world applications, may not be as successful in identifying vulnerabilities in the OWASP Benchmark. To further validate this, I decided to scan the Mutillidae web application and the Gin & Juice Shop application using Burp Suite, and I'm pleased to report that Burp Suite correctly identified vulnerabilities in the Mutillidae and Gin & Juice Shop applications. In conclusion, because the OWASP Benchmark does not contain realistic vulnerabilities (which Burp's automated scanner is designed to test), Burp Suite showed unexpected results. Is this what happened in this situation?

Dominyque, PortSwigger Agent | Last updated: Jun 22, 2023 07:13AM UTC