Burp Suite User Forum

Scanner Timed Out but Repeater Succeeds

Tim | Last updated: Nov 11, 2020 04:09PM UTC

I'm performing a scan of a specific page of an ASP.Net web application. From Logger++ I can see every request to the site and in the Comment column it states "Timed Out" and Status states "-1". But, if I take that request to Repeater, the request functions successfully, and Logger++ lists that Repeater request with Status of 100. What are the possible reasons for this?

Uthman, PortSwigger Agent | Last updated: Nov 11, 2020 04:23PM UTC

Hi Tim, Do all requests after the first timed out request also time out? If so, is there any pattern in the failing requests? Is there any rate-limiting on the server or a WAF that initially blocked the request? Can you consistently replicate this if you scan the application again? Which version of Burp are you using?

Tim | Last updated: Nov 11, 2020 05:25PM UTC

1) Not all requests report time out; most do, however. None of the Scanner requests ever check the Complete box and all of them have a "-1" value in Status.
2) I can see no patterns. The only distinguishable item is that I can use the Repeater for a Scanner request and it succeeds.
3) There is no rate-limiting nor WAF on the system. This is a development environment and all of those controls have been turned off for ease of development purposes.
4) Yes, I can consistently replicate this.
5) Burp Suite Professional v2020.11 Trial User License. I am evaluating this product in order to mitigate findings discovered by HCL's AppScan product. I don't have access to AppScan so I was hoping to purchase Burp Suite, mitigate items, perform a scan, rinse and repeat.

Uthman, PortSwigger Agent | Last updated: Nov 12, 2020 09:26AM UTC

Thanks a lot for that information, Tim. If you could send us an email with the information below, that would be great. We will have a discussion with our development team.
- Screenshots of the request timeout errors in the scan task (View details > Audit items)
- Screenshots of Logger++ (or a CSV of the output) showing the requests that time out
- Diagnostics taken when this issue appears (Help > Diagnostics)

Tim | Last updated: Nov 13, 2020 02:40AM UTC

Email sent to support@portswigger.net on 12-Nov-2020 at 19:35hrs MT with subject Scanner Timed Out but Repeater Succeeds. Let me know if you do or do not receive it.

Uthman, PortSwigger Agent | Last updated: Nov 13, 2020 09:52AM UTC

Thanks, Tim. We have received your email.

Tim | Last updated: Nov 20, 2020 02:13AM UTC

Just checking in on this issue. Do you need anything else from me?

Uthman, PortSwigger Agent | Last updated: Nov 20, 2020 09:03AM UTC

Hi Tim, I replied to your email on 13/11. I have just resent the reply. Can you please double-check your junk/spam folder too?

Tim | Last updated: Nov 24, 2020 01:45AM UTC

I don't have an email from you. I've checked my spam/junk and nothing.

Uthman, PortSwigger Agent | Last updated: Nov 24, 2020 10:28AM UTC

Hi Tim, have you checked your Gmail account too? Your original message was sent from a Gmail account and my reply is below: Can you please share a screenshot of a request working in the repeater but not when sent by the scanner? If you have any issues, can you please send a new email?
