
Burp Suite Enterprise + OWASP Juice Shop

guilherme Dec 30, 2019 05:42PM UTC

Hi,

I'm using Burp Suite Enterprise (Version: 1.1.04-2579, Java version: 9.0.4) and configured a new scan (crawl and audit) against the OWASP Juice Shop (https://juice-shop.herokuapp.com). This application is written entirely in JavaScript, and Burp's crawler doesn't currently handle JavaScript-heavy applications.

I've tried all of the crawl scan configurations, along with varying combinations, but have been unable to reproduce the same findings found using Burp Suite Pro (v2.1.07), e.g. open redirection (DOM-based).

Burp Suite Enterprise scan configurations:
- Crawl limit - 30 minutes
- Never stop crawl due to application errors
- Crawl strategy - most complete
- Never stop audit due to application errors
- Audit coverage - thorough

XSS is not detected (Burp Suite Pro & Enterprise):
https://juice-shop.herokuapp.com/#/search?q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E


Liam Tai-Hogan Dec 31, 2019 11:30AM UTC Support Center agent

We have released an experimental version of a new JavaScript crawling feature in Burp Suite Pro.

- http://releases.portswigger.net/2019/11/professional-2105.html

To use the experimental version in Burp Enterprise:

First, ensure that you are using Burp Scanner version 2.1.06 on the Settings > Updates page.

Next, turn on the experimental crawler feature in Burp Pro (screenshot attached).

Save the scan configuration and import it into Burp Enterprise as demonstrated in this tutorial: https://support.portswigger.net/customer/portal/articles/2973443-using-burp-suite-enterprise-creating-a-custom-scan-configuration.

This feature is still in the experimental phase. It doesn’t currently work well with OWASP Juice Shop. You should see improvements in other JavaScript-heavy apps.

