
Burp 2.x Audit finds fewer issues

cr33y Oct 03, 2019 01:24PM UTC

I'm playing a bit with Burp 1.7.37 and v2.1.04 (both Pro versions). I also read about the new scanning techniques Burp 2.x comes with. So my expectation was that it should find (at minimum) as many issues as the "old" one. For testing I used DVWA.

The old one with spidering and a following active scan finds multiple issues:
- sqli (visible and blind)
- xss (stored and reflected)
- command injection

I examined the results and they are all reproducible and not false positives.

Burp 2.x finds zero of the mentioned vulnerabilities. I used the default crawl and audit. In addition, I also used the library template:

- Crawl strategy – most complete
- Audit – all except JavaScript analysis

Same result there. So I'm wondering whether I am making a mistake, or does this rely on the new scanning technique? In theory, Burp 1.7 should then be used for "old style" websites. But using both Burp versions on the same mandate is very time consuming and isn't really a solution for me.

So can you explain / examine the reason for this behavior?

Mike Eaton Oct 04, 2019 10:15AM UTC Support Center agent

Hi, the scanning engine has changed completely from version 1 → 2: we navigate through the application differently, we interpret the scan configurations differently and we map the target application differently once the crawl operation is completed. So, unfortunately, you can't make a like-for-like comparison.

I would like to ask a few questions around your testing with version 2.x:
- Did you use a new project file for your testing? Previous results could hide/pollute the results from your scanning.
- Have you tried changing parts of the configuration to improve the results? (E.g. setting Audit Speed to thorough)
- Have you compared the site maps to see if one version is able to identify more of the target application than the other?

Liam Tai-Hogan Oct 07, 2019 02:42PM UTC Support Center agent

Just to follow up, we ran Burp Pro v2.1.04 against DVWA Version 1.8 using the default settings. The audit found:

SQL injection – 3
Stored XSS – 2
Reflected XSS – 14
OS Command Injection – 1

It also found 30 other issue types.
