Burp Suite User Forum

New Scan says out of scope for in-scope URL

floyd | Last updated: Sep 04, 2018 09:40AM UTC

Hi there,

Burp 2.0.3 is telling me that the scope URL I'm defining for a new scan (when clicking the button in the dashboard) is out of scope.

URLs to scan: http://192.168.44.32/

Currently defined as scope (advanced scope control) in the "target - scope" tab:

Protocol: Any
Host or IP: 192.168.44.32
Port: (empty)
File: (empty)

It only happens when I click "new scan" in the dashboard, not when invoking a scan through the context menu.

cheers, floyd

Liam, PortSwigger Agent | Last updated: Sep 04, 2018 10:58AM UTC

Have you tried using the Paste URL on the right hand side of the scope settings?

Burp User | Last updated: Sep 04, 2018 12:04PM UTC

Yes, that works when I add it, but that's not my problem, I think this is still a bug.

Let's put this another way. If I define the Host in the advanced scope control as "192.168.44.32", this is technically a regex that has wildcard dots, but should nevertheless match the host "192.168.44.32" as the regex dot wildcards also match string dots. However, it doesn't.

Current behavior:

Advanced scope of "Host or IP" as "192.168.44.32" -> New scan in dashboard says http://192.168.44.32/ is *not* in scope.
Advanced scope of "Host or IP" as "192\.168\.44\.32" -> New scan in dashboard says http://192.168.44.32/ *is* in scope.

I would expect that in both cases the URL http://192.168.44.32/ is in scope.

Liam, PortSwigger Agent | Last updated: Sep 04, 2018 12:11PM UTC

We agree Floyd, the scope rules you have set should work. We've tried testing this and have been unable to reproduce the issue. Would it be possible to try downloading a fresh instance of Burp Suite? If you're still encountering the issue, could you ensure performance feedback is enabled and send us your Burp diagnostics? (Help > Diagnostics). Thanks.

Burp User | Last updated: Sep 04, 2018 02:54PM UTC

Yeah, I too have this issue. When I click OK for HOST (not IP)? it says *out of scope* in both scans (from context menu and from dashboard).

OS: win10 x64
Java: SE8u181 x64
Burp 2.0.3

But when tried from my server, working from only "Dashboard new scan".

OS: win 2k8 x64
Java: SE8u181 x64
Burp 2.0.3

In both OS Burp 1.7.37 working normally. Now will try with Java SE 10.

Liam, PortSwigger Agent | Last updated: Sep 05, 2018 07:54AM UTC

Thanks for the report Max. Have you tried using the platform installer version of Burp? It comes bundled with its own version of Java. Does the Paste URL function on the right hand side of the scope settings work for you?

Burp User | Last updated: Sep 05, 2018 12:27PM UTC

No, I did not install the installation version. Only plain jar. Working with *has not been fully tested* alert from Java 10 at start.

Java: 10.0.2
OS: win10 x64
Burp 2.0.3

Yeah, paste URL functions working. But I can't save Resource Pools settings. I have temporary project with saved options. It will be saved with Project options or User options? Restoring both options can't restore my Resource pools settings.

Java: 10.0.2
OS: win10 x64
Burp 2.0.4

Liam, PortSwigger Agent | Last updated: Sep 05, 2018 12:41PM UTC

Max, we'd recommend using the installer version of Burp Suite. Additionally, we wouldn't recommend using Java 10. Regarding resource pools, currently these can't be saved. Eventually you will be able to save resource pools to the config library.

Burp User | Last updated: Sep 05, 2018 03:37PM UTC

I mean I can't save to config library

Liam, PortSwigger Agent | Last updated: Sep 05, 2018 03:44PM UTC

Hi Floyd,

Following the steps provided we've reproduced the issue. We've identified the bug and will work on a fix. Thanks for your feedback, much appreciated!

Burp User | Last updated: Sep 11, 2018 01:05PM UTC

Liam, you are saying you are unable to reproduce? Here's a step by step:

1. Go to "Target - Scope".
2. Check "Use advanced Scope Control".
3. Click "Add"
4. For Protocol: Any
5. For Host or IP: 192.168.44.32
6. For Port leave empty
7. For File leave empty
8. Click "OK"
9. Go to "Dashboard"
10. On the top click the green "+ New Scan"
11. In the "URLs to Scan" text field type "http://192.168.44.32/"
12. Click "OK"
13. Burp will say "Some of the specified URLs to scan are out of scope".

I expect this URL to be in scope. Can you please confirm that this does not work for you?

Peter | Last updated: Oct 20, 2020 06:01AM UTC

Was this ever resolved? I've imported about 2400 URLs (Target/Scope/Target Scope/Load), said "yes don't send requests to out of scope items to log etc.", then went to Dashboard/New Scan, Scan Details/Scan Type/Crawl and Audit, Scan Details/Scan Configuration/Select From Library/Never Stop Crawl Due To Application Errors/Crawl Limit - 60 Minutes/Never Stop Audit Due To Application Errors, hit OK and... "Some of the specified URLs to scan are out of scope." Can I get some more details somewhere?

Liam, PortSwigger Agent | Last updated: Oct 21, 2020 08:06AM UTC

Hi Peter, this issue should have been resolved. Could you let us know which version of Burp you are using?

Peter | Last updated: Oct 21, 2020 09:10AM UTC

Hi Liam, I am using Burp 9.2 (burpsuite_pro_linux_v2020_9_2) for Linux. Is there a way to tell WHICH URLs are out of scope?

Liam, PortSwigger Agent | Last updated: Oct 21, 2020 04:50PM UTC

Peter, I'm not sure that this information is available in the Burp UI. We're going to try replicating the issue you are encountering and we'll get back to you ASAP.

Liam, PortSwigger Agent | Last updated: Oct 23, 2020 07:38AM UTC

Would it be possible to provide a screen recording demonstrating the issue? In the screen recording could you show us:

- the Target > Scope
- the scope controls via New Scan > Scan details.

e4c6 | Last updated: Jan 01, 2021 08:05PM UTC

Regex include/exclude functionality is completely broken.

Case 1: I want to exclude .mp4 files from being scanned. I add an excluded URL rule like this Burp Agent recommends. (https://forum.portswigger.net/thread/regex-active-scanner-cdbfaaa3abdb1c6)
Rule screenshot: https://imgbox.com/0oa3zaPa
I run the scan, look at Flow and see that it's still requesting URLs with .mp4 files.
Flow screenshot: https://imgbox.com/pOSEeHRF

Case 2: Since exclude doesn't work, I try to come up with a regex that will match everything including the website I specify, however with no .mp4 files. Burpsuite errors out "Some of the specified URLs to scan are out of scope", except it isn't.
Screenshot: https://imgbox.com/BcrlZIHu

I have been battling Burp for hours now. Please tell me this functionality actually works and I'm a retard and show me the solution.

Specs: Java 9, v2020.9.2

Michelle, PortSwigger Agent | Last updated: Jan 05, 2021 08:57AM UTC

If you remove the final $, does that then match what you need? (e.g. if you use \.mp4 instead of \.mp4$)
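
An added example, not part of any post above and not Burp's own matching code: a small offline checker that lists which URLs fall outside a set of regex scope rules, the question Peter raised, and shows how an unescaped-dot host pattern and a trailing `$` on a file pattern change the result. The names `matches` and `out_of_scope`, the unanchored `search()` semantics, the "empty field matches anything" rule, and all sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": "80", "https": "443"}

def matches(rule, url):
    """True if url satisfies one scope rule (dict with protocol/host/port/file).

    Empty or missing fields match anything; regexes use search(), i.e.
    unanchored matching. Both choices are assumptions of this sketch.
    """
    u = urlsplit(url)
    scheme = u.scheme.lower()
    if rule.get("protocol", "any") not in ("any", scheme):
        return False
    port = str(u.port) if u.port else DEFAULT_PORTS.get(scheme, "")
    file_part = (u.path or "/") + ("?" + u.query if u.query else "")
    fields = (("host", u.hostname or ""), ("port", port), ("file", file_part))
    return all(re.search(rule[k], v) for k, v in fields if rule.get(k))

def out_of_scope(urls, include, exclude=()):
    """URLs that no include rule matches, or that any exclude rule hits."""
    return [u for u in urls
            if not any(matches(r, u) for r in include)
            or any(matches(r, u) for r in exclude)]

# Constructed sample rules and URLs (not taken from the thread's screenshots)
LOOSE = {"protocol": "any", "host": "192.168.44.32"}           # dots are wildcards
STRICT = {"protocol": "any", "host": r"^192\.168\.44\.32$"}    # escaped and anchored
NO_MP4_ANCHORED = {"protocol": "any", "file": r"\.mp4$"}
NO_MP4 = {"protocol": "any", "file": r"\.mp4"}
URLS = [
    "http://192.168.44.32/",
    "https://192.168.44.32:8443/app/login",
    "http://192.168.44.32/media/clip.mp4",
    "http://192.168.44.32/media/clip.mp4?t=10",
    "http://192-168-44-32.example.net/",
    "http://192.168.44.32.example.net/",
]

if __name__ == "__main__":
    cases = (("loose host", [LOOSE], []),
             ("strict host", [STRICT], []),
             ("strict host, exclude \\.mp4$", [STRICT], [NO_MP4_ANCHORED]),
             ("strict host, exclude \\.mp4", [STRICT], [NO_MP4]))
    for name, include, exclude in cases:
        print(name, "->", out_of_scope(URLS, include, exclude))
```

Under these assumed semantics the loose host pattern treats the two `example.net` hosts as in scope, and the `$`-anchored exclusion misses the `.mp4` URL that carries a query string.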
