The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Target Scope (Basic Config) Exclude From Scope Ignored During Active Scan

Luca | Last updated: Jul 09, 2018 12:10PM UTC

Tested on Burp v1.7.32 (cannot update right now from this testing machine)

How to Reproduce:

1) Visit a website e.g. http://www.example.com
2) Add the root in scope. "Include In Scope" will show [X] http://www.example.com
3) On the Login Page, click Exclude. "Exclude from Scope" will show [X] http://www.example.com/login.do
4) Run Active Scan. Login.do is included in the scan, despite being removed.

PortSwigger Agent | Last updated: Jul 09, 2018 12:43PM UTC

Hi Luca, Thanks for getting in touch. Can I just check: are you running Active Scan by right-clicking the host in Site Map and choosing "Actively scan this host"? If so, the behavior you are seeing, while a little confusing, is by design. To do the scan with only in-scope items, change the filter in Site Map to "Show only in-scope items" and then do the Active Scan.

Burp User | Last updated: Jul 09, 2018 01:10PM UTC

It's all done via Burp Extender APIs. Any idea about possible workarounds?

PortSwigger Agent | Last updated: Jul 09, 2018 01:16PM UTC

Hi Luca, The workaround is to use callbacks.isInScope on each item before calling doActiveScan. If you're still having difficulty, perhaps you could share some code snippets?
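The workaround described above (check callbacks.isInScope on each item before calling doActiveScan), as an added example that is not part of the original thread or PortSwigger's code: a Python (Jython) helper using the legacy Extender API. The names scan_in_scope, FakeItem, FakeCallbacks and demo are hypothetical, and the two Fake classes are constructed stand-ins so the function runs outside Burp.

```python
# Scope-gated active scan for a Jython Burp extension (legacy Extender API).

def scan_in_scope(callbacks, items):
    """Queue doActiveScan only for items that pass Target Scope.

    items: iterable of IHttpRequestResponse (e.g. from callbacks.getSiteMap).
    Returns (queued, skipped) as lists of URL strings.
    """
    helpers = callbacks.getHelpers()
    queued, skipped = [], []
    for item in items:
        url = helpers.analyzeRequest(item).getUrl()  # java.net.URL inside Burp
        if not callbacks.isInScope(url):  # applies include AND exclude rules
            skipped.append(str(url))
            continue
        svc = item.getHttpService()
        callbacks.doActiveScan(svc.getHost(), svc.getPort(),
                               svc.getProtocol() == "https", item.getRequest())
        queued.append(str(url))
    return queued, skipped


# --- Constructed stand-ins so the function can be exercised outside Burp ---
class FakeItem(object):
    def __init__(self, path):
        self.path = path
    def getUrl(self): return "http://www.example.com" + self.path
    def getHttpService(self): return self
    def getHost(self): return "www.example.com"
    def getPort(self): return 80
    def getProtocol(self): return "http"
    def getRequest(self):
        return ("GET %s HTTP/1.1\r\nHost: www.example.com\r\n\r\n" % self.path).encode("ascii")

class FakeCallbacks(object):
    """Mimics the scope from the thread: root included, /login.do excluded."""
    def __init__(self): self.scanned = []
    def getHelpers(self): return self
    def analyzeRequest(self, item): return item
    def isInScope(self, url):
        return (url.startswith("http://www.example.com")
                and not url.startswith("http://www.example.com/login.do"))
    def doActiveScan(self, host, port, use_https, request):
        self.scanned.append((host, port, use_https))

def demo():
    cb = FakeCallbacks()
    items = [FakeItem("/"), FakeItem("/account"), FakeItem("/login.do")]
    return scan_in_scope(cb, items), cb.scanned
```

Inside Burp, pass the real `callbacks` object from `registerExtenderCallbacks`; logging the `skipped` list gives a record of what the exclusion rule kept out of the scan.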

Burp User | Last updated: Jul 10, 2018 09:05PM UTC