Burp Suite User Forum


invalid URL to scan - on IPv4 address for crawl and audit scan

Ads | Last updated: Mar 19, 2024 01:41PM UTC

I'm having issues running Burp Suite crawl and audit scans on IP addresses/custom ports and am trying to identify what I am doing wrong here. I have a container running on `http:0.0.0.0.0:4000` which I'm proxying traffic to (working), but when I try to perform a crawl and audit I get an `invalid URL to scan` error. My "URLs to scan" section looks like:

```
*** http://0.0.0.0:4000/
```

Underneath, I also have Advanced Scope Control set. TYIA!

Setting `localhost` works, but they are not always the same and unique network entities.

Ads | Last updated: Mar 19, 2024 03:05PM UTC

my understanding of the (***'s) also:

> When Burp Suite adds three asterisks (***) at the beginning of a URL, it typically indicates that the URL is a relative URL rather than an absolute one. This means that Burp Suite has encountered a link or resource within an application that does not include the full URL but only a partial path.
>
> For example, if Burp Suite discovers a link on a webpage that points to another page within the same application, it might represent it as a relative URL. In such cases, the asterisks indicate that the protocol (http:// or https://) and domain part of the URL are not specified and are inferred to be the same as the current location.
>
> Here's how it works:
>
> Absolute URL: http://example.com/page1
>
> Relative URL: ***/page2
>
> In this example, if the current page is "http://example.com/page1" and there's a link to "page2", Burp Suite would represent it as "***page2" to indicate it's relative to the current domain.
>
> When Burp Suite encounters such relative URLs during scanning or crawling, it typically resolves them relative to the base URL of the application being scanned.

Syed, PortSwigger Agent | Last updated: Mar 19, 2024 03:40PM UTC

Hi Ads,

Security scanners, browsers, and other tools report 0.0.0.0 as an invalid URL for accessing or scanning because they require a legitimate, routable IP address to form a network connection. They're designed to communicate with specific hosts, and 0.0.0.0 does not provide the necessary information on where to send the request.

To make a network connection, Burp too requires a valid IP address and if the app is hosted locally, then either 'localhost' or the loopback address '127.0.0.1' should work.

The reason why Burp adds three *s in front of a URL is because it is an invalid URL.
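
An added example, not part of the thread and not Burp Suite's own validation logic: a Python pre-flight check for scan start URLs that rejects the unspecified address (`0.0.0.0`, or `::` for IPv6), which a server can bind to but a client cannot connect to as a destination. The function name `check_scan_target` and the sample URLs are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def check_scan_target(url):
    """Return (ok, reason) for a URL meant to be used as a scan start URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme must be http or https"
    host = parts.hostname
    if not host:
        return False, "no host found (is '//' missing after the scheme?)"
    try:
        parts.port  # raises ValueError when the port is not in 0-65535
    except ValueError:
        return False, "port is not a valid number"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: either a hostname or a mistyped address.
        if all(label.isdigit() for label in host.split(".")):
            return False, "host looks like an IPv4 address but is malformed"
        return True, "hostname; it must resolve from the scanning machine"
    if addr.is_unspecified:
        # 0.0.0.0 / :: means "all interfaces" when listening, not a destination.
        return False, "unspecified address; use 127.0.0.1 or the host's real IP"
    return True, "loopback address" if addr.is_loopback else "IP literal"


if __name__ == "__main__":
    # Constructed sample inputs based on the URLs quoted in the thread.
    for target in (
        "http://0.0.0.0:4000/",
        "http:0.0.0.0.0:4000",
        "http://127.0.0.1:4000/",
        "http://localhost:4000/",
        "http://[::]:4000/",
    ):
        ok, reason = check_scan_target(target)
        print(f"{'OK ' if ok else 'BAD'} {target:28} {reason}")
```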

Ads | Last updated: Mar 19, 2024 03:59PM UTC

hey @Syed, thanks for the detailed explanation, this makes sense!
