Burp Suite User Forum


Vulnerable JavaScript dependency doesn't show up when I use the base URL as the start URL

Adam | Last updated: Apr 04, 2024 02:05PM UTC

Hi - I work for a company that maintains a number of websites. Burp Suite Pro found a Vulnerable JavaScript dependency in one of the JS libs on one of the sites, but I noticed that our more frequent scans done with Burp Suite Enterprise were not picking up this vulnerability, even though the lib appears in the "scanned URLs" list of the Enterprise scans. The scan config for the Enterprise scans includes JavaScript Analysis and Passive issues, and 'Make requests for missing site resources', 'Fetch previously undiscovered resources and data from out-of-scope hosts', 'Use dynamic analysis techniques', and 'Use static analysis techniques' are all turned on in the config.

What's strange (to me anyway) is that if I include the specific path to the JS lib in the start URLs for the Enterprise scan, it does pick up the vulnerability, but if I just use the base URL as the only start URL, it does not pick it up, even though the JS lib does get listed in the "scanned URLs" for the scan. So I'm wondering why this is happening. Is there a config setting or something I can tweak to make sure these vulnerabilities get picked up? Or is this a bug of some kind?

My concern isn't limited to this one website: with outdated and vulnerable components becoming more and more of a concern these days, I want to make sure our Enterprise scans are picking up as many of these Vulnerable JavaScript dependencies as possible. I'm happy to provide info on the website, along with any log or config files you need to see.

Syed, PortSwigger Agent | Last updated: Apr 05, 2024 07:58AM UTC

Hi Adam,

Thank you for your message! I will need more information to investigate this. Please email our support address at support@portswigger.net and I will take care of this for you.

Adam | Last updated: Apr 08, 2024 02:55PM UTC

Thanks, I sent a follow-up email to support@portswigger.net just now.
