Burp Suite User Forum

Non-authenticated Website Scan

Paul | Last updated: Aug 02, 2021 02:46PM UTC

When running a non-authenticated active scan against one of our websites, it brought the website. Do you know why it may have caused this?

Paul | Last updated: Aug 02, 2021 02:47PM UTC

Should read brought the website down.

Ben, PortSwigger Agent | Last updated: Aug 03, 2021 09:11AM UTC

Hi Paul,

Our general response to queries like this would be as follows:

"Like any security testing software, Burp Suite contains functionality that can damage target systems. Testing for security flaws inherently involves interacting with targets in non-standard ways that can cause problems in some vulnerable targets. You should take due care when using Burp, read all documentation before use, back up target systems before testing, and not use Burp against any systems for which you are not authorized by the system owner, or for which the risk of damage is not accepted by you and the system owner."

To expand on that and provide some examples: during a scan Burp will be sending out a large number of requests to the target website. If the target site cannot adequately handle the number of requests being issued to it, then there is always the possibility of performance degradation or, at the extreme end, of the site going down completely.

In addition to the above, during the audit phase of a scan Burp is actively trying to find vulnerabilities in the target application. This involves Burp sending various different crafted payloads to the target site. As noted above, there is always the possibility that these payloads can induce unexpected behaviour in a given site due to the very nature of what they are intending to achieve.
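The reply above describes the two load-related causes of an outage during a scan: request volume the site cannot absorb, and payloads that provoke server-side failures. A site owner who wants to confirm which one happened can measure both from the web server's access log. The script below is an added example, not code from the thread or from PortSwigger: it parses access-log lines in the common Apache/nginx "combined" format, computes each client's peak request count within a sliding window and its ratio of 5xx responses, and flags clients that exceed either threshold. The log lines, IP addresses, paths and thresholds are all constructed for the example and are not taken from the discussion.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "Combined" access-log format: client ip, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def build_constructed_log():
    """Constructed sample log (not real traffic): one ordinary visitor making three
    page views a minute apart, and one scanning client issuing 40 requests in ten
    seconds, with the last ten answered by 503 as the server falls over."""
    base = datetime(2021, 8, 2, 14, 40, 0)
    lines = []
    for i in range(3):
        t = base + timedelta(minutes=i)
        lines.append(f'10.0.0.5 - - [{t:%d/%b/%Y:%H:%M:%S} +0000] '
                     f'"GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    for i in range(40):
        t = base + timedelta(seconds=i // 4)          # four requests per second
        status = 503 if i >= 30 else 200
        lines.append(f'192.0.2.10 - - [{t:%d/%b/%Y:%H:%M:%S} +0000] '
                     f'"GET /search?q=item{i} HTTP/1.1" {status} 128 "-" "example-scanner"')
    return lines


def parse_line(line):
    """Return a dict with ip, timestamp and status, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return {'ip': m['ip'], 'ts': ts, 'status': int(m['status'])}


def summarize(lines, window_seconds=60):
    """Per client: total requests, peak requests in any window_seconds-wide window,
    and the fraction of responses that were server errors (5xx)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec['ip']].append(rec)

    summary = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r['ts'])
        peak, j = 0, 0
        for i in range(len(recs)):
            # slide the window start forward until it spans at most window_seconds
            while (recs[i]['ts'] - recs[j]['ts']).total_seconds() > window_seconds:
                j += 1
            peak = max(peak, i - j + 1)
        errors = sum(1 for r in recs if r['status'] >= 500)
        summary[ip] = {
            'requests': len(recs),
            'peak_per_window': peak,
            'server_error_ratio': errors / len(recs),
        }
    return summary


def flag_overload(summary, rate_threshold, error_ratio_threshold=0.2):
    """Clients whose burst rate or 5xx ratio exceeds the given thresholds, sorted by ip."""
    return sorted(ip for ip, s in summary.items()
                  if s['peak_per_window'] >= rate_threshold
                  or s['server_error_ratio'] >= error_ratio_threshold)


if __name__ == '__main__':
    stats = summarize(build_constructed_log())
    for ip, s in stats.items():
        print(ip, s)
    print('flagged:', flag_overload(stats, rate_threshold=30))
```

The rate threshold should be set from what the site is known to sustain rather than from the numbers here; a scanner that stays under it but still produces a high 5xx ratio points at the second cause the reply mentions (individual requests the application cannot handle) rather than raw volume, which is the distinction worth knowing before deciding whether to throttle the scan or fix the application.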
