Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Scanner doesn't report previously found issues if same Insertion Point number.

KAISE | Last updated: Jul 21, 2021 03:28AM UTC

For example, there are like following reqest: [Req A] GET https://example.com/request.php?p=TEST_A&mg=TEST_A&exectype=TEST_A [Req B] GET https://example.com/request.php?p=TEST_B&mg=TEST_B&exectype=TEST_B I have set insertion point for manual like below: [Req A] GET https://example.com/request.php?p=§TEST_A§&mg=TEST_A&exectype=TEST_A [Req B] GET https://example.com/request.php?p=TEST_B&mg=TEST_B&exectype=§TEST_B§ * Req A "p" is "manual insertion point 1", and Req B "exectype" is "manual insertion point 1" as well. If there is XSS vulnerability at "p" and "exectype", scanner found it issues but doesn't report in issues activity tab because same insertion point number. I guess this is a bug. Thanks

Uthman, PortSwigger Agent | Last updated: Jul 21, 2021 10:47AM UTC

Hi Kaise, This may be down to the issue consolidation logic of the scanner. If you manually set insertion points > select 'Scan defined insertion points' and then 'Consolidate items...', you should be able to change this. If you have any issues, can you please email support@portswigger.net with some screenshots and diagnostics (Help > Diagnostics)?

KAISE | Last updated: Jul 30, 2021 12:52AM UTC

Hi Uthman, I try a resolution way but it isn't resolved. So I will send an email to your support team (support@portswigger.net). Thank you for your continuous support. Thanks KAISE

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.