The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.


invalid URL to scan - on IPv4 address for crawl and audit scan

Ads | Last updated: Mar 19, 2024 01:41PM UTC

Issues running Burp Suite crawl and audits on IP addresses/custom ports, and trying to identify what I am doing wrong here. I have a container running on `http:0.0.0.0.0:4000` which I'm proxying traffic to (working), but when I try to perform a crawl and audit I get an `invalid URL to scan` error. My "URLs to scan" section looks like:

```markdown
*** http://0.0.0.0:4000/
```

Underneath, I have Advanced Scope Control also set. TYIA!

Setting `localhost` works, but they are not always the same and unique network entities.

Ads | Last updated: Mar 19, 2024 03:05PM UTC

My understanding of the (***'s) also:

> When Burp Suite adds three asterisks (***) at the beginning of a URL, it typically indicates that the URL is a relative URL rather than an absolute one. This means that Burp Suite has encountered a link or resource within an application that does not include the full URL but only a partial path.
>
> For example, if Burp Suite discovers a link on a webpage that points to another page within the same application, it might represent it as a relative URL. In such cases, the asterisks indicate that the protocol (http:// or https://) and domain part of the URL are not specified and are inferred to be the same as the current location.
>
> Here's how it works:
>
> Absolute URL: http://example.com/page1
>
> Relative URL: ***/page2
>
> In this example, if the current page is "http://example.com/page1" and there's a link to "page2", Burp Suite would represent it as "***page2" to indicate it's relative to the current domain.
>
> When Burp Suite encounters such relative URLs during scanning or crawling, it typically resolves them relative to the base URL of the application being scanned.

Syed, PortSwigger Agent | Last updated: Mar 19, 2024 03:40PM UTC

Hi Ads,

Security scanners, browsers, and other tools report 0.0.0.0 as an invalid URL for accessing or scanning because they require a legitimate, routable IP address to form a network connection. They're designed to communicate with specific hosts, and 0.0.0.0 does not provide the necessary information on where to send the request.

To make a network connection, Burp too requires a valid IP address, and if the app is hosted locally, then either 'localhost' or the loopback address '127.0.0.1' should work.

The reason why Burp adds three *s in front of a URL is because it is an invalid URL.
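An added example, not part of the thread and not Burp's own validation logic: a pre-flight check for scan start URLs that separates a bind address such as 0.0.0.0 from an address a client can actually connect to. The function name `check_scan_target` and the sample targets are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def check_scan_target(url):
    """Return (ok, reason) for a URL intended as a scanner start URL (hypothetical helper)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme must be http or https"
    host = parts.hostname
    if not host:
        # e.g. 'http:0.0.0.0:4000' parses with an empty authority
        return False, "no host component (is the '//' after the scheme missing?)"
    try:
        parts.port  # raises ValueError if non-numeric or out of range
    except ValueError:
        return False, "port is not a number in 0-65535"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal. Digits and dots only means a malformed IPv4 address.
        if host.replace(".", "").isdigit():
            return False, "host looks like an IPv4 address but is malformed"
        return True, "hostname (name resolution not checked here)"
    if addr.is_unspecified:
        # 0.0.0.0 and :: mean 'all interfaces' when a server binds;
        # they do not name a destination a client can send a request to.
        return False, ("unspecified address: use the loopback address or the "
                       "container's/interface's real IP instead")
    if addr.is_loopback:
        return True, "loopback address"
    return True, "specific IP address"


if __name__ == "__main__":
    # Constructed sample targets
    for target in ("http://0.0.0.0:4000/", "http:0.0.0.0.0:4000",
                   "http://0.0.0.0.0:4000/", "http://[::]:4000/",
                   "http://127.0.0.1:4000/", "http://localhost:4000/"):
        ok, reason = check_scan_target(target)
        print(f"{'OK ' if ok else 'BAD'} {target:26} {reason}")
```

A service listening on 0.0.0.0 inside a container is reachable on each of the host's or container's interface addresses, so the scan URL should name one of those (or the loopback address) rather than the bind address.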

Ads | Last updated: Mar 19, 2024 03:59PM UTC