Burp Suite User Forum

Ignore Insertion Points

Anthony | Last updated: May 17, 2021 02:12PM UTC

Many of the extensions that I use don't ignore parameters that I have specified in the scan settings, specifically "ignore insertion points". Is there an API that extensions can use to read that config setting and act appropriately?

Uthman, PortSwigger Agent | Last updated: May 18, 2021 10:24AM UTC

Hi Anthony, can you provide an example of an extension doing this? Are the extensions registering an IScannerInsertionPointProvider? This is automatically invoked when Burp Scanner is auditing a request. IScannerInsertionPointProvider.getInsertionPoints() will determine what insertion points are generated for that specific request, so you could add some logic to an existing extension to first retrieve the insertion points, and then remove/ignore the ones you are not interested in.
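One way an extension author could apply the "remove/ignore" logic suggested in the reply above, as an added example that is not part of the original thread or of any PortSwigger extension. The skip patterns are assumptions hard-coded from the parameter names mentioned in this thread; they are not read from Burp's Ignored Insertion Points setting.

```java
package burp;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added example: an insertion point provider that honours a local skip list.
public class BurpExtender implements IBurpExtender, IScannerInsertionPointProvider {

    // Assumption: patterns maintained by the extension itself, mirroring the
    // parameters named in the thread (__viewstate and __utm* cookies).
    private static final List<Pattern> SKIP = Arrays.asList(
            Pattern.compile("__viewstate", Pattern.CASE_INSENSITIVE),
            Pattern.compile("__utm.*", Pattern.CASE_INSENSITIVE));

    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Skip-list aware insertion points (example)");
        callbacks.registerScannerInsertionPointProvider(this);
    }

    // True when the whole parameter name matches one of the skip patterns.
    static boolean isSkipped(String name) {
        return name != null && SKIP.stream().anyMatch(p -> p.matcher(name).matches());
    }

    @Override
    public List<IScannerInsertionPoint> getInsertionPoints(IHttpRequestResponse baseRequestResponse) {
        byte[] request = baseRequestResponse.getRequest();
        List<IScannerInsertionPoint> points = new ArrayList<>();
        for (IParameter p : helpers.analyzeRequest(baseRequestResponse).getParameters()) {
            // Drop skipped parameters and any without a usable value offset.
            if (isSkipped(p.getName()) || p.getValueStart() < 0) {
                continue;
            }
            points.add(helpers.makeScannerInsertionPoint(
                    p.getName(), request, p.getValueStart(), p.getValueEnd()));
        }
        return points;
    }
}
```

The same `isSkipped` guard can be called at the top of an extension's `IScannerCheck.doActiveScan()` with `insertionPoint.getInsertionPointName()` so that a custom check sends no requests for those parameters.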

Anthony | Last updated: May 18, 2021 02:37PM UTC

Thanks for the response. I understand that getInsertionPoints will return a list of insertion points. In Burp Scanner, I often specify a list of parameters that I don't want to be scanned. For example, the __viewstate form param or __utm* cookies. Does getInsertionPoints take into account the parameters that I do not want to scan?

Uthman, PortSwigger Agent | Last updated: May 20, 2021 09:31AM UTC

Hi Anthony, If you add the parameters to Ignored Insertion Points > Skip all tests for these parameters, does your issue persist? Ignored Insertion Points should be taken into account even if an extension is interacting with the active scan. If the issue persists, can you please email support@portswigger.net with more information? (steps to replicate, an extension that causes this issue, and screenshots)