Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

My active scans ends almost instantly.

William | Last updated: Aug 05, 2020 04:23PM UTC

I've got a problem. Before I came to Burp Suite. I tested Zap Owasp on several sites. Now I want to do the same with Burp Suite so I can compare the results. Here's my approach. To launch an attack, I click on my target that I previously enriched manually and with the crawl. I configure my active scan with a library that seems complete and then I add the different user accounts for the login page. Finally I launch the scan. Then this one finishes almost instantaneously each time. I can try several libraries by default, put them all at the same time, nothing to do. The scan is done instantaneously. I have the impression that it doesn't manage to connect. Maybe he can't recognize the login page. I know that on Zap Owasp you had to indicate the POST request to connect and the parameters. Also, it took at least an hour for the tests to finish. I find the difference in execution time very suspicious and in any case the number of requests made is clearly not the same of course. Do you have any idea where my problem could come from? I hope to ask my question on the right forum. Thank you in advance for your help.

Ben, PortSwigger Agent | Last updated: Aug 06, 2020 09:44AM UTC

Hi, On a general note, are there any warning/error messages being displayed in the Event log section of the Dashboard tab within Burp that might indicate any issues? Once you have initiated the scan it should then create a separate item under Tasks (also on the Dashboard tab). If you click the View details link for this task and then look at the Details, Audit items and Event log tabs they should provide you with specific information on the scan itself. It might be useful if you could take screenshots of these and send them in an email to us at support@portswigger.net. Finally, are you able to provide us with any details of the sites you are trying to test? I assume, by the sounds of it, you had no issues accessing the sites from your browser whilst also proxying with Burp? Do you know what kind of authentication the login pages are using? Do you know whether the site is JavaScript heavy?

William | Last updated: Aug 06, 2020 02:33PM UTC

Indeed, when I went there, I could see that only my "root" target that I had filled in was analyzed (in "audit items" it only shows me a URL). It didn't try to connect, nor to access the branches in the tree. So I went back to the page to run a scan. I saw that when I choose "crawl and audit" it only shows me the root in "URLs to scan". I thought it was taking into account the whole tree structure. Anyway I don't see any way to add all the URLs in my tree automatically. When I put "Audit selected items", this time it puts all the URLs but I can't fill in the login information in the "Application login" part. So, I don't see how he can connect during the scan. I launched the scan to test and it is indeed the case (in "Event log" it tells me that it has several connection failures). However, for the first time, the scan lasts a while (not surprising considering that before it only analyzed one URL). What is the right way for him to be able to connect automatically during the active scan with all the login/password I gave him? As for the details of the site I'm working on, it's only made with Angular and NodeJS. I hesitate to give you more information because I don't know if I have the right. I would do it by mail (in private) if necessary. Otherwise I have no problem to access my site through my browser using a Burp proxy. Thank you very much for your help.

Ben, PortSwigger Agent | Last updated: Aug 07, 2020 09:53AM UTC

Hi, With the Crawl and Audit option, Burp takes the base URL and then tries to crawl (discover content) and then audit the discovered content from that URL. So, for example, if you selected the http://www.example.com URL from your site tree this would be the entry point that it would look for further content from whereas if you selected http://www.example.com/furtherpath this would be the entry point. If you select the Audit option then it will populate the scanner with the URLs that have already been discovered (that is why you have multiple URLs in the list with this option) and then tries to audit these. The audit will use the session information that has been previously been generated by your manual browsing. It is possible, if the session mechanisms expire or have other protections, that the authentication will no longer be valid at the time when you attempt the audit. It sounds like you might be better to perform a completely fresh scan of the site using the Dashboard -> New scan functionality. This will mean that Burp crawls for content from the base URL and also performs its own authentication for session handling (you need to configure this within the Application login section of the New scan screen). In addition to this, we have also been developing what we call an embedded browser that will give better coverage when using Burp against more modern technologies. You might have a better experience using this with your Angular/NodeJS site. By default this is switched off but you can enable it by creating a new Crawl configuration and selecting "Yes" for the "Use embedded browser for Crawl and Audit (Experimental)" option under the Miscellaneous section. You just need to save this configuration and then supply it in the Scan configuration screen within the New scan window.

William | Last updated: Aug 07, 2020 02:01PM UTC