The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Scanning Atlassian Jira

Kevin | Last updated: Mar 08, 2022 08:33PM UTC

We've been scanning Atlassian Jira for a few years now and it seems it gets more finicky every time we upgrade Jira. Normally it would make 27,000+ requests, including authenticating using our Macros, etc. No problems. Lately, it has been stalling at 28 requests or so. In the past we tweaked the Crawling config, and went from Most Complete to More Complete, and that seems to have worked. With this last upgrade, it's not working no matter what we do. It's stalling at 8-10 requests, with no real output. We have tweaked the # of errors to be 100 consecutive, and it's only getting 2-3 errors (403s and an occasional 500), but that shouldn't stop it from continuing. Using the manual Proxy, we can navigate Jira, log in, and we even find Issues this way. Just trying to figure out how to debug the scanner so we know what it's getting stuck on. Is it JS analysis? Is there some way to view this in real-time?

Liam, PortSwigger Agent | Last updated: Mar 09, 2022 10:21AM UTC

Thanks for your message, Kevin. Which version of Burp Suite are you using? Have you tried the latest early adopter version?
- https://portswigger.net/burp/releases/professional-community-2022-2-2

You can use the Logger tab to watch the scan in real-time:
- https://portswigger.net/burp/documentation/desktop/tools/logger

If you turn off JavaScript Analysis, does the scan complete?

Kevin | Last updated: Mar 09, 2022 04:25PM UTC

Using Burp Pro for Windows, v2022.1.1.

Kevin | Last updated: Mar 09, 2022 04:25PM UTC

We use Logger and Logger++ but it just shows the last request was like a 403, and then nothing else.

Kevin | Last updated: Mar 09, 2022 04:28PM UTC

Even with JS analysis off, it gets to like 8 connections and then just stalls. Other web apps don't have this issue, only this one Jira app.

Liam, PortSwigger Agent | Last updated: Mar 10, 2022 08:02AM UTC

Thanks for the additional information. Is it possible for you to provide us with permission to test the application remotely?

Kevin | Last updated: Mar 11, 2022 04:20PM UTC

It's not remotely reachable, sorry. It had been working fine for the last 2 years or so, but with the problems I've stated above, it's now totally un-scannable.

Liam, PortSwigger Agent | Last updated: Mar 14, 2022 11:34AM UTC

We checked out https://bugcrowd.com/atlassian. Unfortunately, "use of any automated tools/scanners is strictly prohibited and will lead to you being removed from the program (trust us, we have those tools too)." We'll contact their support to find out if we can perform some automated scanning.

Liam, PortSwigger Agent | Last updated: Mar 16, 2022 09:59AM UTC

Hi Kevin. We have contacted Atlassian; however, we've had no luck getting access to a site we can perform any automated testing with. We did manually investigate, and one issue could be due to all the pages looking similar (the majority of the links are on the navbar, sidebar, etc.). If that's the case, you may get more coverage by setting your unmatched link tolerance to 0. This setting can be found via Crawl config > Crawl optimization > Cog. Let us know if this helps.

Kevin | Last updated: Mar 22, 2022 04:00PM UTC

So, I'm on the latest version but I don't see "Unmatched Link Tolerance" in there. I did see "Max Unmatched Anchor Tolerance" which is already 0 (all of the Max Tolerances are 0). Anyhow, while I was in here I stumbled upon this one - "Load Site Resources from Out-Of-Scope Requests". Unchecking this option seems to have instantly fixed my problem. This is weird because I am already blocking out-of-scope requests by setting an explicit scope, so I don't fully understand why Burp would get blocked on this, and just hang. But, without this setting enabled now, Burp just cruises along and keeps crawling and auditing and running a full complete scan.

Liam, PortSwigger Agent | Last updated: Mar 23, 2022 01:21PM UTC