new scan and task diff

afs | Last updated: Oct 08, 2019 02:10AM UTC

May I know the difference between new scan and new live task? In the new scan / scan configuration / crawling / login functions, there are only two checkboxes: (1) attempt to self-register, (2) trigger login failures. Where do I input credentials?

Burp User | Last updated: Oct 08, 2019 02:15AM UTC

Hi, I found the place to enter the password and user name, but the label field is questionable. Does label mean URL? I need to audit www.abc.com/1 and www.abc.com/test; should I create two new scans or two new live tasks? How do I find all URLs with input forms (requiring the user to input something) under www.abc.com?

Ben, PortSwigger Agent | Last updated: Oct 08, 2019 07:37AM UTC

Hi, thank you for your messages.

The new live task option is used to perform some scanning operations automatically on requests and responses that are processed by Burp's tools. So, for example, you could set up a new live task that will perform an audit on all the traffic that is processed by Burp Proxy as you manually browse a site. A new scan will target the URLs specified in the configuration, independently of any browsing you perform.

From your second message it sounds like you have found the correct place to enter the credentials (under the Application Login section of the New scan page). The label field is simply used to identify different credentials. For example, you might have two sets of credentials that you want to test (a set of administrator credentials and a set of normal user credentials). You could then label one 'Admin' and one 'Normal User' so that you know which is which for any future testing.

When you say you need to test www.abc.com/1 and www.abc.com/test, are these areas accessed through different credentials? In your previous questions, you mentioned the need to conduct one authenticated and one unauthenticated scan; is this still the case? If you create a new scan, enter the www.abc.com URL in the URLs to Scan section and then add the appropriate credentials in the Application Login section, Burp will automatically find any login pages present in the web application and attempt to log in with the credentials you have supplied. If you still need to conduct an unauthenticated scan on www.abc.com, you would create a second new scan, add the URL as before, but not add any credentials to the Application Login section.

