Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

New Filter Request Type Option: Show only out-of-scope items

Jay | Last updated: Apr 25, 2024 08:38AM UTC

The filter option to to display only in-scope items is great, it would however also be beneficial to have the ability to filter for the opposite. Regrettably, utilizing the in-scope filter option with a negative search does not produce the desired outcome. Therefore, it would be advantageous to incorporate this functionality into the negative search feature or include an option to 'Show only out-of-scope items' in the filter settings.

Hannah, PortSwigger Agent | Last updated: Apr 25, 2024 10:24AM UTC

Hi Are you looking to identify traffic that has been explicitly excluded from your scope, or any traffic that is not explicitly defined as included in scope?

noraj | Last updated: Jul 08, 2024 01:44PM UTC

In general, we should have negative filters. In terms of UI, the best to not make the UI heavy would be to use a tri-state checkbox (https://github.com/MatijaNovosel/tri-state-checkbox). It's often used in advanced search or filtering feature on mobile app. If we take the "Show only in-scope items" example, not checked = no filtering (value = null), if checked = it shows only in-scope items (out of scope are hidden) (value = true), and then we could introduce a third state (value = false) if negative check = it shows only out-of-scope items (in-scope are hidden). Such a filter to show only out-of-scope items is useful when you want to remove all out-of-scope items from your history (e.g. traffic generated before adding a scope). The same could apply to "Show only parametrized requests". PS: I guess out-of-scope means not included in scope + explicitly excluded from scope if any. I know now there is Bambda mode that gets priority in dev, but 1. In this case "Convert to Bambda" works for "Show only parametrized requests" but not for "Show only in-scope items", so it seems there is no way to do that with Bambda. 2. Bambda may be useful for powerful filters that can be cooked for hours, then saved and re-used multiple times, but it's quite unintuitive and not made for quick prototyping / filtering. So better have this feature also in setting mode. Video example of app with tri-state search for implementing negative filtering: https://youtu.be/4yw3r76y7M4?feature=shared&t=242

noraj | Last updated: Jul 08, 2024 01:52PM UTC

Update : It's possible to implement the out-of-scope filter with Bambda: return requestResponse.request().isInScope() == false; It's just that the "Convert to Bambda" from the setting mode doesn't work for "Show only in-scope items".

Hannah, PortSwigger Agent | Last updated: Jul 08, 2024 02:41PM UTC