Is there a way to know for sure that my site has been fully scanned using Enterprise?

Todd | Last updated: Feb 22, 2021 07:58PM UTC

I have two SPAs and have provided login creds for both. When the scan report comes back it always only shows the top level "/" URL having been scanned (besides some JS and CSS files it found). I am not sure if it is really trying to hit/call other URLs? Or if it is even possible since it's a SPA. For the scans I usually see around 165 requests and around 3 insertion points... I understand there are no real assets at any other URLs. Was just wondering how I could be confident that this is the best I can do with the tests. Thanks!

Liam, PortSwigger Agent | Last updated: Feb 23, 2021 04:34PM UTC

Todd, it doesn't sound like Burp's crawler is effectively mapping your application. We are currently working on enhancing this feature. Do you have a copy of Burp Suite Pro to perform a debug crawl?

Todd | Last updated: Feb 25, 2021 02:21PM UTC

We have downloaded Pro and will be installing it in our Azure environment soon. Your support had given me a temp license to run crawls for another issue but that temp license has already expired before we have installed Pro. Could you please extend my temporary license so we can run this in a few days? Thanks!

Liam, PortSwigger Agent | Last updated: Feb 26, 2021 09:07AM UTC

Sure, I've provided an extension. Could you email us with the crawl logs? These can be enabled via the cog button in the crawl Optimization settings. (support@portswigger.net)

