Burp 2.x Audit finds fewer issues
I'm playing a bit with Burp 1.7.37 and v2.1.04 (both Pro versions). I also read about the new scanning techniques Burp 2.x comes with. So my expectation was that it should find at least as many issues as the "old" one. For testing I used DVWA.
The old one with spidering and a following active scan finds multiple issues:
- sqli (visible and blind)
- xss (stored and reflected)
- command injection
I examined the results and they are all reproducible, with no false positives.
Burp 2.x finds zero of the mentioned vulnerabilities. I used the default crawl and audit. In addition, I also tried the library template:
- Crawl strategy – most complete
Same result there. So I'm wondering if I am making a mistake, or does this depend on the new scanning technique? In theory, Burp 1.7 should then be used for "old style" websites. But using both Burp versions on the same mandate is very time-consuming and isn't really a solution for me.
So can you explain / examine the reason for this behavior?
Hi, the scanning engine has changed completely from version 1 → 2, we navigate through the application differently, we interpret the scan configurations differently and we map the target application differently once the crawl operation is completed, so, unfortunately, you can’t make a like-for-like comparison.
I would like to ask a few questions around your testing with version 2.x
- Did you use a new project file for your testing? Previous results could hide/pollute the results from your scanning.
- Have you tried changing parts of the configuration to improve the results? (E.g. setting Audit Speed to thorough)
- Have you compared the site maps to see if one version is able to identify more of the target application than the other?
Just to follow up, we ran Burp Pro v2.1.04 against DVWA Version 1.8 using the default settings. The audit found:
- SQL injection – 3
- Stored XSS – 2
- Reflected XSS – 14
- OS Command Injection – 1
It also found 30 other issue types.