
How do I manually add a vulnerability

Stoffel D. Feb 10, 2015 01:16PM UTC

Using the Intruder functionality, I saw the application was vulnerable to an XSS (with a custom payload). Active/Passive Scan doesn't find it.
So I have a hit, but how can I flag this payload/result with these params as a match within the scanner results (or somewhere else, so that I can include this match in the final report), and of course flag it with a type of XSS vuln and the relevant advisory?

Thank you!


Dafydd Stuttard Feb 10, 2015 01:44PM UTC Support Center agent

You can’t currently create manual issues in the scan results. This feature is in our roadmap, and we hope to have it available later this year.


Aaron B. May 19, 2015 03:52AM UTC
Hello,

Do you have an approximate release date for this feature? I find myself needing it quite a bit for manual issues I discover. For now, I hack together my own HTML report that parses your output plus my own into a new file. It would be sweet to have this built-in.

Thanks!

Dafydd Stuttard May 19, 2015 08:22AM UTC Support Center agent

We can’t promise an ETA yet, but initial work to lay the groundwork for this feature is underway. There are several related capabilities that we will implement together (yet to be announced), so it will probably be completed at least 3 months from now, but hopefully not too long after that.


Ruggero S. Mar 23, 2016 10:08PM UTC
Hello, any news about this feature? As you know, during a pentest it is very common to find issues manually and it would be great to have the possibility to add them using the built-in issues list of Burp. Thank you

Dafydd Stuttard Mar 24, 2016 12:21PM UTC Support Center agent

Apologies for the delay on this feature – we’ve been busy with other things. User-generated manual issues are very much in our roadmap and we hope to deliver the feature soon.

FYI the Manual Scan Issues extension in the BApp Store does provide this feature, in the meantime.


Eric P. Oct 06, 2016 01:07AM UTC
IMHO, the best option is to add a menu entry in Proxy / HTTP History. I'd name it "Send to Scanner / Issue Activity" and put it right next to "Send to Intruder". Resulting action should be that a new dialog pops-up (like the Manual Scan Issues extension) and prefilled from the selected payload (Host, Path, Request, Response).

Lucas Gates Mar 22, 2017 03:38PM UTC
Hi,

Any updates on when this feature will be rolled out? It appears that the latest version of "Manual Scan Issues" plugin does not work with the latest version of Burp Suite Professional v1.7.19.

Help is greatly appreciated!

Dafydd Stuttard Mar 22, 2017 05:02PM UTC Support Center agent

We don’t currently have an ETA for this feature, sorry. We’ll investigate the issue with Manual Scan Issues and update this thread.


Adam Piper Mar 24, 2017 05:05AM UTC Support Center agent

Hi Lucas,

The Manual Scan Issues extension has been updated and works both on the Issues tab and also the Messages tab now too.


Lucas Gates Apr 03, 2017 01:48PM UTC
Thanks for the quick turnaround!

Not sure if this is the appropriate venue for this request. But it would be amazing if:

1. The "Add Issues" menu item automatically added the request and response to the issue.
2. There was a dropdown menu item in the ManScanAdd window to choose from a list of pre-populated issues.
3. There was a way to add/edit/delete the pre-populated issues from item #2.

Thanks!

Adam Piper Apr 06, 2017 02:52PM UTC Support Center agent

Hi Lucas,

We don’t maintain this extension, but we’ll pass along these suggestions to the author. Hopefully the extension source will soon be available and welcoming contributions.


Lucas Gates Apr 10, 2017 10:51AM UTC
Thanks!

Jaike May 23, 2018 03:02PM UTC
Please advise on when this can be added given the number of assurances provided over the past few years that it was a priority item.

Paul Johnston May 24, 2018 09:30AM UTC Support Center agent

Hi Jaike,

We’ve added the ability to add scan issues to the extender API. So you can use an extension – either “Manual Scan Issues” or the newer “Add & Track Custom Issues”. We do intend to eventually have a native feature for this, although that’s not a priority at the moment.

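Putting Eric P.'s context-menu suggestion and Paul Johnston's note about the extender API together, here is an added example of a minimal Burp extension that does what the original question asks for: a right-click entry on a selected message (for example in Proxy / HTTP history or an Intruder result) that records that request/response pair as a manually confirmed XSS issue in the Scanner results, from where it is included in the report like any other issue. This is example code written for this page; it is not code from this thread, from PortSwigger, or from the Manual Scan Issues or Add & Track Custom Issues extensions. The interfaces used (IBurpExtender, IContextMenuFactory, IScanIssue, IBurpExtenderCallbacks.addScanIssue and the 0x08000000 "extension generated issue" type) are the Burp Extender API that the May 2018 reply refers to, so it assumes a Burp build that includes addScanIssue; the class name ManualIssue, the menu label and the issue wording are the example's own choices.

```java
package burp;

import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import javax.swing.JMenuItem;

// Example extension (not part of the thread or of any PortSwigger/BApp code):
// adds a context-menu entry that files the selected message(s) as a manual issue.
public class BurpExtender implements IBurpExtender, IContextMenuFactory {
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Manual XSS issue (example)");
        callbacks.registerContextMenuFactory(this);
    }

    // Called by Burp whenever a context menu is about to be shown.
    @Override
    public List<JMenuItem> createMenuItems(IContextMenuInvocation invocation) {
        final IHttpRequestResponse[] selected = invocation.getSelectedMessages();
        if (selected == null || selected.length == 0) {
            return null; // nothing selected, so contribute no menu entry
        }
        JMenuItem item = new JMenuItem("Add as manually confirmed XSS issue");
        item.addActionListener(new ActionListener() {
            @Override
            public void actionPerformed(ActionEvent e) {
                // One issue per selected message; the message itself is attached
                // as evidence so the request/response lands in the report.
                for (IHttpRequestResponse message : selected) {
                    callbacks.addScanIssue(new ManualIssue(message));
                }
            }
        });
        List<JMenuItem> items = new ArrayList<JMenuItem>();
        items.add(item);
        return items;
    }

    // The issue Burp will show in the Scanner results and include in reports.
    private class ManualIssue implements IScanIssue {
        private final IHttpRequestResponse message;
        private final URL url;

        ManualIssue(IHttpRequestResponse message) {
            this.message = message;
            this.url = helpers.analyzeRequest(message).getUrl();
        }

        public URL getUrl() { return url; }
        public String getIssueName() { return "Cross-site scripting (reflected), manually confirmed"; }
        // 0x08000000 is the type Burp reserves for extension-generated issues.
        public int getIssueType() { return 0x08000000; }
        // Allowed values: "High", "Medium", "Low", "Information", "False positive".
        public String getSeverity() { return "High"; }
        // Allowed values: "Certain", "Firm", "Tentative". Use "Certain" only
        // because the payload was verified by hand, not inferred.
        public String getConfidence() { return "Certain"; }
        public String getIssueBackground() { return null; }
        public String getRemediationBackground() { return null; }
        public String getIssueDetail() {
            return "Confirmed manually with a custom Intruder payload; see the attached request and response.";
        }
        public String getRemediationDetail() { return null; }
        public IHttpRequestResponse[] getHttpMessages() { return new IHttpRequestResponse[] { message }; }
        public IHttpService getHttpService() { return message.getHttpService(); }
    }
}
```

Compile it against the interface files exported from Extender > APIs, package it as a JAR and load it under Extender > Extensions; the new entry then appears in the right-click menu wherever a message is selected. Two caveats worth keeping in mind: the API documentation steers extensions that find issues automatically toward IScannerCheck (so Burp can consolidate duplicates in its normal workflow) and reserves addScanIssue for out-of-band cases such as this one or importing another tool's results; and because the issue name, severity and confidence you supply go straight into the report, keep them consistent with Burp's own XSS issues so the client does not see two differently named findings for the same bug.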
