Burp Suite User Forum


IIS 7.5 crashes when actively scanning website

Adam | Last updated: Nov 03, 2016 07:25PM UTC

Needing help with an issue I have been having for a while. This issue only happens on the test server; it does not happen on the production server at all. The issue I am having is that when I am actively scanning, after about 20 items the website stops working, then the Burp Suite alert says timeout from the website. The normal fix for this issue is to restart the IIS service on the test server; then the website starts working again with no issues until I reach that 20 item mark again. I am going to list the steps for more information on troubleshooting:

- I open Burp Suite Pro v1.7.09 (same issue with the earlier versions)
- I open the internal website
- I add the website to the scope
- I spider the website (wait for it to finish)
- Then I try to select the whole website to actively scan this host (after 20 items it crashes)

Also I have tried to select parts of the website that do not have 20 items to scan; no issue until I get to 20 items. I can scan any part of the website with no issues. Also I have turned on the option to scan only in-scope items. I do not use the static code analysis option.

PortSwigger Agent | Last updated: Nov 04, 2016 01:47PM UTC

Is this test server suitably specced to support a full active scan? It is common that test or staging systems are only specced for low-volume manual interaction but don't cope well with higher volume traffic.

Burp User | Last updated: Nov 04, 2016 03:21PM UTC

Well Dafydd, from what I was told that is the case, but it is looking like that is not the case. I know there is a difference in hardware from production vs test, but as far as software it is supposed to be the same. Is there a setting or log I can have the server team look at to see if this is the case? Thank you for the help on this.

PortSwigger Agent | Last updated: Nov 04, 2016 04:18PM UTC

It's possible the hardware difference will account for the problem, if the machine is overloaded. You could monitor performance metrics during the scan to see if that might be an issue.

Burp User | Last updated: Nov 04, 2016 06:20PM UTC

OK Dafydd, I will have the server team monitor performance metrics during the next scan. Thank you for the help on this!!

Burp User | Last updated: Nov 04, 2016 08:55PM UTC

I had a server team member run Resource Monitor while I was scanning. The CPU was peaking at 99%; network was peaking as well; memory still had room, it was not peaking but was at 75%. All the applications that were running when the scanning was running were still there; their processing % just went to 0%. Right before the timeout from the Burp Suite Pro program, all the resources went down and stopped. Is there something in a log somewhere I can look at to see something?

PortSwigger Agent | Last updated: Nov 07, 2016 10:03AM UTC

It looks like the server is being completely overwhelmed during the scanning, since various performance metrics are at or close to 100% usage, and this is eventually causing the application to stop responding, at which point Burp reports timeouts. We would recommend reducing the thread count in the Scanner options, or increasing the specification of the test server.

Burp User | Last updated: Nov 07, 2016 08:57PM UTC

Dafydd, are you talking about the number of threads in the Active Scanning Engine area? Should I use Throttle between requests too? I have requested that the test server specification be increased. Thank you for the help on this!!!

PortSwigger Agent | Last updated: Nov 08, 2016 08:50AM UTC

Yes, you can reduce the thread count in the active scanning engine options, as the first fix. If that fails, you can try throttling requests but that will significantly slow down your scanning.

Burp User | Last updated: Nov 08, 2016 03:48PM UTC

Ok Dafydd, an update, but not a good update. Still waiting on the specs upgrade; since I was waiting on the upgrade I wanted to try the scanner options. In the Active Scanning Engine I changed Number of threads to 5 and Throttle between requests (milliseconds): 500; the rest is default. Within 30 mins, connection scanning timeout; also only completed 6. This is a big step backwards from 20 to 6. Any ideas?

Burp User | Last updated: Nov 08, 2016 06:03PM UTC

Update Dafydd: I ran the same scan except for the Throttle between requests (milliseconds): 500 listed above; the only difference is I got 19 finished. I did notice that one that had over 600 requests did not finish and started to slow down when it got to 90% finished, then the rest of the scans started to slow down and then all stopped. Thank you for helping with this Dafydd.

PortSwigger Agent | Last updated: Nov 09, 2016 09:47AM UTC

With this revised configuration, did the application stop responding the same as before? If so, then that is where you need to look to understand why the problem is happening. It's possible that a request to a particular URL, or containing a particular payload, is causing the server-side application to lock up, so we would suggest investigating whether something like that is the cause.

Burp User | Last updated: Nov 09, 2016 05:00PM UTC

Dafydd, it does not fail at the same spot; it is different each time. This morning I did a test with a server team member with the thread count set to 3; it only finished 15 items. The server team member found this error code: Event Code 3005. I am going to look into this today.
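Neither the "monitor performance metrics" advice above nor this post says how the server team captured the numbers or where Event Code 3005 turned up, so here is an added example (not from the thread, PortSwigger or the server team) of what an operator could run on the IIS 7.5 test box during the next scan. It samples CPU, available memory, the ASP.NET request queue and IIS connections at a fixed interval, writes them to a CSV, and then pulls the ASP.NET health-monitoring entries whose message carries "Event code: 3005" (an unhandled exception in the application) from the Application log for the scan window; that message names the request URL and the exception, which is exactly what is needed to check the suggestion that a particular request or payload is locking up the application. The counter paths, the sample interval, the output path and the message-text match are assumptions; adjust them to the server's instance names.

```powershell
# Added example: sample IIS / ASP.NET health while a Burp active scan runs,
# then list ASP.NET "Event code: 3005" (unhandled exception) entries for the
# same window. Run in an elevated PowerShell session on the web server.
# Counter paths, interval and output file are assumptions for this example.

param(
    [int]$DurationMinutes = 30,
    [int]$SampleSeconds   = 5,
    [string]$OutFile      = "$env:TEMP\scan-health.csv"
)

$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\ASP.NET\Requests Queued',
    '\ASP.NET\Request Wait Time',
    '\Web Service(_Total)\Current Connections'
)

$start = Get-Date
$end   = $start.AddMinutes($DurationMinutes)
$rows  = @()

while ((Get-Date) -lt $end) {
    $sample = Get-Counter -Counter $counters -ErrorAction SilentlyContinue
    if ($sample) {
        $row = [ordered]@{ Time = $sample.Timestamp }
        foreach ($s in $sample.CounterSamples) {
            # Use the counter's leaf name (Get-Counter returns it lowercased) as the column
            $name = ($s.Path -split '\\')[-1]
            $row[$name] = [math]::Round($s.CookedValue, 1)
        }
        $rows += [pscustomobject]$row
        # Flag the condition described in the thread: CPU pinned near 100 %
        if ($row['% Processor Time'] -ge 95) {
            Write-Warning ('{0:HH:mm:ss} CPU at {1}%, ASP.NET requests queued: {2}' -f `
                $row.Time, $row['% Processor Time'], $row['Requests Queued'])
        }
    }
    Start-Sleep -Seconds $SampleSeconds
}

$rows | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host "Wrote $($rows.Count) samples to $OutFile"

# ASP.NET health monitoring logs unhandled exceptions to the Application log
# with "Event code: 3005" in the message body; filter on that text rather than
# on a provider name so the query works across ASP.NET versions.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $start; EndTime = (Get-Date) } `
              -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match 'Event code:\s*3005' }

if ($events) {
    Write-Host "$($events.Count) ASP.NET unhandled-exception (3005) events in the scan window:"
    # Count per minute so the spike can be lined up against the CSV samples
    $events | Group-Object { $_.TimeCreated.ToString('HH:mm') } |
        Sort-Object Name |
        ForEach-Object { '{0}  {1} event(s)' -f $_.Name, $_.Count }
    # The earliest entry is the most useful: its message includes the request
    # URL and the exception the application threw.
    $events | Sort-Object TimeCreated | Select-Object -First 1 -ExpandProperty Message
} else {
    Write-Host 'No Event code 3005 entries in the scan window.'
}
```

Start the script a minute before the active scan and let it run past the point where Burp reports timeouts; the CSV shows whether the request queue grows before the CPU pins (application stalling) or after (host simply saturated), and the first 3005 message tells you which request the application failed on, which is the distinction the reply above asks you to draw.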

Burp User | Last updated: Oct 12, 2019 06:16PM UTC

@Adam: Was this issue resolved and how?

Burp User | Last updated: Oct 15, 2019 07:05PM UTC

Issue was never resolved
