Burp Suite User Forum

Scanner's concurrent request limit not working.

Chris | Last updated: Feb 22, 2018 10:35PM UTC

Hello, I have set the scanner "concurrent request limit" to 1. However, the scanner doesn't respect that. I tried many things and restarts. Only 1 time it was in effect. All the other times no.

Liam, PortSwigger Agent | Last updated: Feb 23, 2018 11:37AM UTC

With the new model, Burp Scanner will create a few more threads than the number of concurrent requests. However, these threads will always obey the concurrent request limit. For example, if your limit is 10, and 10 threads are already making requests, the 11th thread will block until another thread completes its request. So in practice, setting the "Concurrent request limit" will have the effect you want of limiting the load on the target application – even though the Scanner uses a few more threads internally.

The reason we've made this change is that some Scanner work is intensive on your local CPU, so this arrangement allows network-limited scans to make efficient use of your CPU.

The behavior you observe when changing the number of concurrent requests is also expected. The new concurrent request limit is obeyed immediately (although in-progress requests are not cancelled) – but the threads are only reduced as scan items complete. In short, unless this is causing problems, please continue as normal. Please let us know if you need any further assistance.
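
The model described in the reply above, as an added example that is not part of the original thread and is not Burp's own code: a Python simulation in which worker threads outnumber the request limit while a semaphore gates only the request phase. The function name `run_scan`, the timings and the thread counts are assumptions chosen for illustration.

```python
import threading
import time


def run_scan(limit, threads, items, request_s=0.01, cpu_s=0.005):
    """Process `items` scan items with `threads` workers. Only the request
    phase is gated by a semaphore of size `limit` (hypothetical model)."""
    gate = threading.BoundedSemaphore(limit)
    lock = threading.Lock()
    state = {"in_flight": 0, "peak_in_flight": 0, "busy": 0, "peak_busy": 0}
    queue = list(range(items))

    def bump(key, delta):
        # Update a counter and remember the highest value it reached.
        with lock:
            state[key] += delta
            peak = "peak_" + key
            state[peak] = max(state[peak], state[key])

    def worker():
        while True:
            with lock:
                if not queue:
                    return
                queue.pop()
            bump("busy", 1)
            time.sleep(cpu_s)          # local CPU work, not gated
            with gate:                 # blocks while `limit` requests are in flight
                bump("in_flight", 1)
                time.sleep(request_s)  # the request sent to the target
                bump("in_flight", -1)
            time.sleep(cpu_s)          # local response analysis, not gated
            bump("busy", -1)

    pool = [threading.Thread(target=worker) for _ in range(threads)]
    for t in pool:
        t.start()
    for t in pool:
        t.join()
    return state["peak_in_flight"], state["peak_busy"]


if __name__ == "__main__":
    peak_requests, peak_threads = run_scan(limit=1, threads=4, items=20)
    print(f"peak concurrent requests: {peak_requests}")
    print(f"peak busy threads:        {peak_threads}")
```

Several scan items show as active at once because the busy-thread count exceeds the limit, while the number of requests in flight against the target never does.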

Liam, PortSwigger Agent | Last updated: Mar 01, 2018 09:48AM UTC

Hi Nino. Could you demonstrate what you mean by Burp "seems to scan multiple requests at once"? Would it be possible to send a screenshot? You can send it to support@portswigger.net. Additionally, you can use the Flow extension from the BApp store to monitor Scanner activity in a Proxy history-like view: https://portswigger.net/bappstore/ee1c45f4cc084304b2af4b7e92c0a49d

Burp User | Last updated: Mar 21, 2018 09:37AM UTC

I have also found this recently. I have come across a few web applications with very strict session management. If the user is interacting with two functions at once they tend to invalidate the session. In the past I have sent multiple requests to the active scanner and set the current request limit to 1, so that only one function is being hit at a time. With the latest version of Burp, despite setting concurrent sessions to 1, it seems to scan multiple requests at once. Thanks

Burp User | Last updated: Feb 01, 2019 02:36AM UTC

I am having the same issue and Burp is running out of heap memory. It starts over 70 scan lines at the same time and crashes Burp.

Liam, PortSwigger Agent | Last updated: Feb 01, 2019 09:19AM UTC

R1c, could you outline the steps to reproduce this issue? Do you encounter any error messages? If so, could you send us a screenshot?