Burp Suite User Forum


Some BUG in Intruder "Scan defined Insertion points"

Konst | Last updated: Apr 30, 2021 05:03AM UTC

Burp Pro 2021.4.2. When I select in the top menu Intruder -> Scan defined insertion points -> Add to task, Burp scans NOT ONLY the insertion points selected by the § symbol, but also the other usual points: headers, POST parameters, URL parameters, etc. But if I select Scan defined insertion points in the context menu (right mouse click), Burp scans correctly: only the selected points are scanned. Burp also scans correctly if I select in the top menu Intruder -> Scan defined insertion points -> Create new task.

Uthman, PortSwigger Agent | Last updated: Apr 30, 2021 07:34AM UTC

Hi Konst, Can you please send an email to support@portswigger.net with diagnostics (Help > Diagnostics) and a screen recording of the issue replicated on https://portswigger-labs.net? Please ensure that all extensions are disabled when you do this.

Phil | Last updated: Nov 29, 2022 10:55AM UTC

I'm assuming this hasn't been fixed yet? I have the same problem, though it doesn't really matter which way I go to launch the scan - all insertion points are conveniently ignored and I might as well start a regular active scan. Even though I specifically ask Burp to scan only one parameter in the body of a POST request, it goes ahead and adds payloads to the URI, various headers, etc. Which totally breaks the point of having defined insertion points. What's worse, even when specifying in the scan configuration that only request body parameters should be scanned AND specifying the respective parameter in the body using §§, it still ignores all settings and scans whatever it wants. Please try to fix this as scanning things you shouldn't be scanning is a terrible practice and many users might not even be aware this is happening.

Hannah, PortSwigger Agent | Last updated: Nov 29, 2022 11:38AM UTC

Hi, I'm sorry to hear you're having this issue. Could you tell me the version of Burp that you are using so that we can replicate this behavior, please?

Phil | Last updated: Apr 28, 2023 02:16PM UTC

Hi, sorry for the late reply - I rarely log into my PortSwigger account. Currently I'm on 2023.3.5, but this has been a consistent issue ever since I can remember, so at least certainly not an issue specific to 2023.3.5; in fact definitely an issue before the 2023 versions.

Hannah, PortSwigger Agent | Last updated: May 02, 2023 04:03PM UTC

Thanks for that information. We've raised a feature request to review this behavior, but the reason this is occurring is a little bit more complex. When scanning, we have a number of different checks that have different levels of usage. Some are active on a per-request basis, some are active on a per-host basis, and others are active per-insertion point. When scanning defined insertion points, only the selected insertion points will be used. However, the per-host and per-request checks are still performed. We'll review this behavior and see if there are any changes we can make to make this behavior clearer.

Phil | Last updated: May 03, 2023 09:28AM UTC

Thanks for the background info! Is it possible to e.g. disable the per-request and per-host checks? That would already go a long way in not accidentally scanning something you're not intending or even allowed to.

Hannah, PortSwigger Agent | Last updated: May 04, 2023 08:40AM UTC

You can adjust which scan checks are performed under the "Issues reported" section of your audit configuration. We would recommend that you only enable the scan checks you would like to be performed. To quickly deselect all scan checks, click in the table and use "Control + A" to select all items. Then you can right-click and click the "Enabled" option to uncheck the items.
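
A way to check scan scope after the fact, as an added example that is not part of the original thread and not PortSwigger's code: given the request as marked with § and the raw requests captured from the scan (how they are exported is an assumption left to the reader), it lists the requests that differ anywhere outside the marked insertion points. The function names and the sample requests are constructed for illustration.

```python
import re

MARK = "§"
# Content-Length changes whenever a body payload changes length, so ignore it.
_CONTENT_LENGTH = re.compile(r"^Content-Length:[^\r\n]*\r?\n", re.I | re.M)

def template_regex(template: str) -> re.Pattern:
    """Text outside §...§ must match literally; each marked span may hold any payload."""
    parts = _CONTENT_LENGTH.sub("", template).split(MARK)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced § markers in template")
    # Even indexes are fixed text, odd indexes are the marked base values.
    return re.compile(
        "".join(re.escape(p) if i % 2 == 0 else "(.*?)" for i, p in enumerate(parts)),
        re.S,
    )

def outside_insertion_points(template: str, observed: list[str]) -> list[int]:
    """Return indexes of observed requests that differ from the template
    anywhere other than inside a marked insertion point."""
    rx = template_regex(template)
    return [i for i, raw in enumerate(observed)
            if rx.fullmatch(_CONTENT_LENGTH.sub("", raw)) is None]

# Constructed sample data (hypothetical host and parameters, not from the thread).
TEMPLATE = (
    "POST /login?next=home HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: demo\r\n"
    "Content-Length: 20\r\n\r\n"
    "user=§alice§&token=abc"
)

def _req(line="POST /login?next=home HTTP/1.1", ua="demo", user="alice"):
    body = f"user={user}&token=abc"
    return (f"{line}\r\nHost: example.test\r\nUser-Agent: {ua}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")

OBSERVED = [
    _req(user="alice%27%22"),                        # payload inside the marked value
    _req(line="POST /login?next=home%27 HTTP/1.1"),  # payload in the URL
    _req(ua="demo%27"),                              # payload in a header
    _req(line="GET /robots.txt HTTP/1.1"),           # request to another path
]

if __name__ == "__main__":
    print(outside_insertion_points(TEMPLATE, OBSERVED))
```

Any index it returns is a request that touched something other than the marked parameter, which is the traffic to review against the engagement scope.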
