
Burp setting

afs Nov 02, 2019 04:10AM UTC

I use the Burp Professional version. I click new scan task, and it asks me to define crawling and auditing parameters. I use the default settings, and I can't find XSS and CSRF, so do any parameters need to be changed in the audit settings so we can discover CSRF and stored XSS?


afs Nov 02, 2019 04:10AM UTC

I use Burp 2.1

Mike Eaton Nov 04, 2019 10:16AM UTC Support Center agent

Hi, once the site has been crawled, the audit phase then scans and detects potential vulnerabilities. All issue types including CSRF & XSS (Stored) are enabled by default so it should work out of the box.

Have you verified manually that those vulnerabilities are present in your target application?


afs Nov 05, 2019 12:59AM UTC
We manually verified 15 reflected XSS, 5 DOM-based XSS, 20 stored XSS and 26 CSRF issues for one website. Using the default auditing and crawling settings, Burp only detects 5 DOM-based XSS. Please advise which settings need to be added.

Mike Eaton Nov 06, 2019 08:47AM UTC Support Center agent

You can ensure that Burp Scanner attempts all the insertion points it encounters and all available payloads by changing the following settings in the audit configuration:

- Audit Speed: Thorough
- Skip checks unlikely to be effective due to insertion point’s base value: Disabled
- Issues Reported: All types enabled.
- Insertion Point Types: All types enabled.
- Frequently Occurring Insertion Points: All disabled.

Whether or not Burp can detect them depends on the vulnerabilities you have manually verified yourselves; without an example it would be difficult to investigate whether Burp should be detecting them or not.

