I use Burp Professional. I click New Scan, and it asks me to define the crawling and auditing parameters. I use the default settings, but I can't find XSS and CSRF. Does any parameter need to be changed in the audit settings so we can discover CSRF and stored XSS?
Hi, once the site has been crawled, the audit phase then scans for and detects potential vulnerabilities. All issue types, including CSRF and XSS (Stored), are enabled by default, so it should work out of the box.
Have you verified manually that those vulnerabilities are present in your target application?
You can ensure that Burp Scanner attempts all available insertion points it encounters and all available payloads by changing the following settings in the audit configuration:
- Audit Speed: Thorough
- Skip checks unlikely to be effective due to insertion point’s base value: Disabled
- Issues Reported: All types enabled.
- Insertion Point Types: All types enabled.
- Frequently Occurring Insertion Points: All disabled.
Whether or not Burp can detect them is based on the vulnerabilities you have manually verified yourself; without an example, it would be difficult to investigate whether Burp should be detecting them or not.