Burp Suite User Forum


Regex Active Scanner

urand0m | Last updated: Feb 14, 2016 11:14AM UTC

Hello, I am struggling a bit to set a regex that matches file types and stops the Active Scanner from scanning files like jpg/css/gif and so on. I created a rule to exclude URL path filenames with the regex \.jpg$, but it doesn't work: when I browse to the page and have the scanner scan automatically, it starts to scan the jpg files as well. Could you suggest how to handle this exclusion? Thanks a lot for the help. Regards,

PortSwigger Agent | Last updated: Feb 15, 2016 09:04AM UTC

I assume you are talking about configuring scope rules to control what gets scanned when using live active scanning. If so, to do this, you should add an "exclude" rule which looks like this:

protocol: any
host: blank
port: blank
file: \.jpg$

In our testing, this causes any URL ending with .jpg to be excluded from scope.

Burp User | Last updated: Feb 15, 2016 09:12PM UTC

Hello Dafydd, thanks a lot for the reply. Good point! I actually didn't think about the scope in the "Target" tab. I tried in Scanner -> Options -> Skip all tests for these parameters and was creating the rule:

Match item: URL path filename
Name or Value: Name
Match Type: Regex
Match expression: \.jpg$

Thanks for the suggestion; I will give it a go in the scope as you suggested. Do you think a regex like (\.jpg$|\.css$|\.gif$|\.png$|\.woff2$|\.woff$|\.doc$|\.docx$|\.pdf$|\.xls$|\.xlsx$) would work as an exclusion for active scanning instead of creating an entry for each extension? Thanks again in advance for any suggestion and information. Regards,

PortSwigger Agent | Last updated: Feb 16, 2016 10:25AM UTC

Using rules to skip parameters will only omit the parameters in question from scanning - the remainder of the request will still be scanned. So the rule you described would prevent Burp from putting an insertion point around the URL filename if it ends with .jpg but it won't stop any other insertion points or scan operations being performed on the request. So a scope rule is probably the way to go for your requirement. Yes, using a compound regex to match multiple extensions should work.

Burp User | Last updated: Jan 17, 2017 02:49PM UTC

For Windows my solution was: Target -> Scope -> Exclude from scope:

protocol: any
host: blank
port: blank
file: \.jpg*

Burp User | Last updated: Dec 13, 2017 01:57AM UTC

Will it be OK to use (\.jpg$|\.css$|\.gif$|\.png$|\.woff2$|\.woff$|\.doc$|\.docx$|\.pdf$|\.xls$|\.xlsx$) when setting the types of files to avoid?

e4c6 | Last updated: Jan 01, 2021 08:06PM UTC

Regex include/exclude functionality is completely broken.

Case 1: I want to exclude .mp4 files from being scanned. I add an excluded URL rule like the Burp Agent recommends (https://forum.portswigger.net/thread/regex-active-scanner-cdbfaaa3abdb1c6). Rule screenshot: https://imgbox.com/0oa3zaPa I run the scan, look at Flow and see that it's still requesting URLs with .mp4 files. Flow screenshot: https://imgbox.com/pOSEeHRF

Case 2: Since exclude doesn't work, I try to come up with a regex that will match everything including the website I specify, however with no .mp4 files. Burp Suite errors out with "Some of the specified URLs to scan are out of scope", except it isn't. Screenshot: https://imgbox.com/BcrlZIHu

I have been battling Burp for hours now. Please tell me this functionality actually works and I'm a retard, and show me the solution. Specs: Java 9, v2020.9.2

Hannah, PortSwigger Agent | Last updated: Jan 05, 2021 02:49PM UTC

Hello, as my colleague suggested on the other thread, have you tried removing the "$" symbols?
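The thread's regexes behave differently depending on whether they are anchored with "$", and the reason can be checked offline. The following added example (not from PortSwigger or the thread participants) runs the compound regex, the unanchored variant, the Windows "\.jpg*" rule and a query-aware alternative over constructed file components; it assumes the scope rule's file field carries the path together with any query string and that the rule is applied as an unanchored search (Python's re.search standing in for Java's Matcher.find).

```python
import re

# Compound exclusion regex from the thread, each alternative anchored with $.
ANCHORED = r"(\.jpg$|\.css$|\.gif$|\.png$|\.woff2$|\.woff$|\.doc$|\.docx$|\.pdf$|\.xls$|\.xlsx$)"
# Same extensions with the $ anchors removed, as suggested in the last reply.
UNANCHORED = r"\.(jpg|css|gif|png|woff2|woff|doc|docx|pdf|xls|xlsx)"
# The "\.jpg*" rule from the Windows reply: the * applies only to the final g.
STAR_RULE = r"\.jpg*"
# Assumption (not from the thread): require the extension to be followed by
# end-of-field or the start of a query string, so "?v=2" no longer defeats it
# while ".jpgx" is still not excluded.
QUERY_AWARE = r"\.(jpg|css|gif|png|woff2|woff|doc|docx|pdf|xls|xlsx)(?=$|\?)"

# Constructed sample file components (path plus optional query string).
SAMPLES = [
    "/images/logo.jpg",
    "/images/logo.jpg?v=2",    # query string defeats a trailing $
    "/static/app.css",
    "/api/export.pdf?id=7",
    "/upload.php",             # dynamic endpoint; should stay in scope
    "/download.jpgx",          # not an image; unanchored regex still matches
    "/fonts/main.woff2",
    "/files/report.jp",        # \.jpg* matches this (zero g's)
]


def excluded(pattern: str, file_component: str) -> bool:
    """True if a scope rule with this regex would exclude the file component.

    Burp scope rules match anywhere in the field (assumption), so re.search
    rather than re.fullmatch is used.
    """
    return re.search(pattern, file_component) is not None


def evaluate(pattern: str) -> dict:
    """Map each constructed sample to whether the pattern excludes it."""
    return {sample: excluded(pattern, sample) for sample in SAMPLES}


if __name__ == "__main__":
    for name, pattern in [("ANCHORED", ANCHORED), ("UNANCHORED", UNANCHORED),
                          ("STAR_RULE", STAR_RULE), ("QUERY_AWARE", QUERY_AWARE)]:
        print(f"== {name}: {pattern}")
        for sample, hit in evaluate(pattern).items():
            print(f"  {'EXCLUDE' if hit else 'scan   '}  {sample}")
```

Running it shows why removing "$" makes the .jpg?v=2 case work, and also why a bare unanchored or "\.jpg*" rule over-excludes paths such as /download.jpgx or /files/report.jp.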
