Burp Suite User Forum


Scanner unpaused scan of app1 when actively scanning a single page on app2 (SSO)

Jonathan | Last updated: Apr 03, 2016 03:17AM UTC

Here's the environment:
- app1.example.com (SSO enabled app #1)
- app2-stage.example.com (SSO enabled app #2)

Here's the user story:
1.) Tester spiders app1 without SSO auth
2.) Tester does active scan of app1 without SSO auth (it cannot be actively scanned with auth because it would be disruptive)
3.) Tester pauses active scan for app1 (basically done with testing)
4.) Tester spiders app2-stage with SSO auth
5.) Tester does active scan of a single page on app2-stage with SSO auth
6.) Burp active scan resumes for app1 with full page scope and inherits SSO auth established from app2-stage. Effectively, Burp starts fuzzing app1 with the tester's credentials and modifies/corrupts stuff it shouldn't, and app1 needs to be reverted from backup.
7.) Tester facepalms

What I think should have happened instead:
- app1 active scan shouldn't have been restarted (it did)
- if app1 active scan was to restart, it should have made that visible in the UI (it didn't)

PortSwigger Agent | Last updated: Apr 04, 2016 10:44AM UTC

The function to pause and unpause the Scanner operates across the board of the Scanner's actions. If you leave items in the scan queue for app1, and later unpause the Scanner, then it will resume scanning those items. In the situation you described, where you are finished testing one application and want to scan a different one, the best approach would be to cancel any pending items in the scan queue. Then, you can continue scanning without the Scanner performing any further testing on those items.
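The sequence in the thread, and the fix the reply recommends, as an added example that is not part of the forum post and not Burp's code. It is a small Python model of a scanner with a single global pause flag, a scan queue shared across hosts, and one cookie jar; the class and function names are hypothetical, the paths are constructed, and two behaviours are assumptions made for the model: the SSO cookie is scoped to the parent domain `.example.com` (so it matches app1 as well as app2-stage), and starting a new scan unpauses the scanner. `replay(False)` reproduces the leak; `replay(True)` cancels app1's pending items before continuing, which is the mitigation the reply describes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed model of a scanner whose pause/unpause is global and whose
# cookie jar is shared by every queued item. Hypothetical names; not Burp code.


@dataclass
class ScanItem:
    host: str
    path: str
    authenticated: bool          # was this item meant to run with a session?
    status: str = "pending"      # pending | cancelled | done


class CookieJar:
    """Domain-scoped cookie store: a cookie on '.example.com' applies to all subdomains."""

    def __init__(self) -> None:
        self._cookies: Dict[str, Dict[str, str]] = {}

    def set(self, domain: str, name: str, value: str) -> None:
        self._cookies.setdefault(domain, {})[name] = value

    def for_host(self, host: str) -> Dict[str, str]:
        matched: Dict[str, str] = {}
        for domain, cookies in self._cookies.items():
            if host == domain.lstrip(".") or host.endswith(domain):
                matched.update(cookies)
        return matched


@dataclass
class Scanner:
    jar: CookieJar
    queue: List[ScanItem] = field(default_factory=list)
    paused: bool = False
    # every request actually sent: (item, cookies attached to it)
    sent: List[Tuple[ScanItem, Dict[str, str]]] = field(default_factory=list)

    def enqueue(self, host: str, path: str, authenticated: bool) -> None:
        self.queue.append(ScanItem(host, path, authenticated))

    def pause(self) -> None:
        self.paused = True          # global: applies to every host in the queue

    def unpause(self) -> None:
        self.paused = False

    def cancel_pending(self, host: str) -> int:
        """Drop every still-pending item for one host; returns how many were cancelled."""
        n = 0
        for item in self.queue:
            if item.host == host and item.status == "pending":
                item.status = "cancelled"
                n += 1
        return n

    def run(self, budget: int = 10_000) -> None:
        """Send up to `budget` pending items, attaching whatever cookies the jar has."""
        if self.paused:
            return
        for item in self.queue:
            if budget == 0:
                break
            if item.status != "pending":
                continue
            self.sent.append((item, self.jar.for_host(item.host)))
            item.status = "done"
            budget -= 1


def leaked_sessions(scanner: Scanner) -> List[Tuple[str, str]]:
    """Requests queued as unauthenticated that nonetheless went out with a session cookie."""
    return [(i.host, i.path) for i, cookies in scanner.sent
            if not i.authenticated and cookies]


def replay(cancel_app1_first: bool) -> List[Tuple[str, str]]:
    """Replay the thread's steps 1-6 and return app1 requests that carried SSO auth."""
    scanner = Scanner(CookieJar())
    # Steps 1-2: app1 queued and scanned without SSO; only the first item gets sent.
    for path in ("/", "/admin/settings", "/api/records"):      # constructed paths
        scanner.enqueue("app1.example.com", path, authenticated=False)
    scanner.run(budget=1)
    # Step 3: tester pauses; two app1 items are still pending in the queue.
    scanner.pause()
    # Step 4: SSO login on app2-stage (assumption: cookie scoped to the parent domain).
    scanner.jar.set(".example.com", "sso_session", "constructed-token")
    # Mitigation from the reply: cancel app1's pending items before scanning again.
    if cancel_app1_first:
        scanner.cancel_pending("app1.example.com")
    # Step 5: single authenticated page on app2-stage (assumption: new scan unpauses).
    scanner.enqueue("app2-stage.example.com", "/profile", authenticated=True)
    scanner.unpause()
    # Step 6: the global unpause drains the whole queue, app1 leftovers included.
    scanner.run()
    return leaked_sessions(scanner)
```

`leaked_sessions` is the check a tester can keep around independently of the scanner: any request that was queued as unauthenticated but left with a session cookie is a sign that pause/unpause or a shared cookie jar has crossed scan scopes, and the cancel step should be applied before any further scanning.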
