Burp Suite User Forum


Burp Active Scanner Issue

Stefano | Last updated: Sep 15, 2016 09:42AM UTC

Hi, We have recently come across an issue with the active scanner. As soon as the scanner is launched with default settings, the load of the Java process on the CPU increases exponentially and reaches 400%, at which point Burp Scanner stops sending out requests (this is with less than 10 threads in the queue). I have also tried to reduce the number of concurrent threads to 1; the load on the CPU is lower (approx. 100%), but the result is the same: Burp Active Scanner stops sending requests and becomes unusable. The interface is fine and Burp overall is working, but the scanner is not doing anything. I have now noticed this on multiple websites and I am sure this is not down to network or site performance. Is this a known issue? Are there any ways around it? I have used Burp for multiple years without any issues. I am guessing it may be associated with the new project feature, as I have only recently had the issue. Any help is highly appreciated! Stefano

Liam, PortSwigger Agent | Last updated: Sep 15, 2016 09:47AM UTC

Hi Stefano, thanks for your message. You could try switching off the static code analysis in Burp's Scanner options tab. Have you tried using an older version of Burp Suite and scanning the same applications? This would confirm whether it is a recent version of Burp that is causing this issue.

Burp User | Last updated: Sep 19, 2016 01:26PM UTC

Hi everybody, same problem here. We execute the same scan every 6 months and now we get the same CPU problems as described by Stefano. In this specific scan we have a lot of URLs to scan, and also some normal operations like "Cancel scan" for all requests are very slow (about 33000 URLs to scan) and will take more than 30 minutes with a CPU average of 50%. Is it possible that the cause of the CPU problem is the table (JTable) where the information is shown? Otherwise, could it be related to the "new" project methods? I will try to disable the static code analyzer and also try to change the GUI interface, then I will post my results. Maurizio

Liam, PortSwigger Agent | Last updated: Sep 19, 2016 01:55PM UTC

Hi Agazzini, are you seeing this issue on just one application? Also, could you give us some details about the machine you are using to run Burp? Computational power, Java version, OS etc.

Burp User | Last updated: Sep 19, 2016 01:56PM UTC

Hi, Same issue here. Just did a scan for the first time in a long time using 1.7.05. Went away for the weekend, came back to find a partially completed scan and a mostly frozen state of scanning. UI is responsive. CPU maxed out. Memory almost all used up. Will also try the suggestion to switch off the static code analysis in Burp's Scanner options tab. Restarting now to try again. Matt.

Burp User | Last updated: Sep 19, 2016 03:00PM UTC

So what I just did was save my state. Quit and restart Burp. Then I loaded my state with the scanner paused. I made sure the option to switch off the static code analysis in Burp's Scanner options tab was selected (it wasn't by default). On the Scanner's Scan Queue tab, nothing is happening because I have not started yet. All the previously finished items are there. Some items are "waiting to cancel" from my previous state when I tried to stop scanning. CPU and memory usage are normal. I start scanning, and the first 10 items immediately take up 100% CPU. Immediately 3 issues are found (all 10 URLs are the same). Number of requests is 14 or 15. Nothing in the error column. Insertion points is 30 with various amounts skipped. Status is 0% complete and it looks like nothing is happening. My machine is a VMware VM. It has 8 CPUs assigned to it and 8 GB. It's running Windows 8.1 (I have not had time to update this system...). Java is version 1.8.0_45. Matt.

PortSwigger Agent | Last updated: Sep 19, 2016 03:01PM UTC

Are people who are seeing this problem running Burp using the platform installer or the plain JAR file? If the installer, please can you switch to the JAR file and see if that makes a difference? And let us know the results either way, thanks.

Burp User | Last updated: Sep 19, 2016 04:39PM UTC

Here is my current setup. Please note that we have the same problem with other PCs. CPU: i7-2640M, RAM: 16GB, DISK: SSD. Run options: -Xmx4096m. Java version: 1.8.0_101-b13 (64bit). OS: Windows 10 64bit. Just disabled the "static code analyzer" but nothing changed. I have done some tests with older versions, but I cannot open the project nor the "saved state", because they were created with the new version. Here are my tests:
- scan with my Burp state on a single part of the site (added 200 pages to scan) -> same problem, some requests and then it slows down
- new Burp project, imported only the target from a saved scan, then added 200 pages to scan -> same problem, some requests and then it slows down
- scan with a new clean Burp, same site, about 200 URLs to scan -> works perfectly
The problem seems to be the target that is really big; please note that the Burp project is about 700MB. Is there a way to tell Burp to scan but not touch or add anything to the target area? If needed I can provide access to the machine via remote desktop/TeamViewer to the developers. Maurizio

Burp User | Last updated: Sep 19, 2016 05:19PM UTC

Hi, Just to update my testing progress. I shut down everything and then started Burp with -Xmx6144m (usually -Xmx4096m) to see if this would help a bit. I restored my state from a URL capture that had not done any scanning yet. Instead of scanning everything, I only scanned 1 section that had the URLs where it was getting stuck (total of 43 URLs to scan). I set it to switch off the static code analysis in Burp's Scanner options. Started the scanner. The first few URLs (not the problem ones) were scanned right away, and 100% complete, and then it hit the ones that gave problems in the previous scan. CPU was up to 100%. It appears to be stuck as before. I went to lunch and didn't look at it for at least an hour. Now it is showing me almost the same as before I left, except 3 of the 10 URLs are now at 3% complete and have had more requests (from 15 to 66). If I had to guess, I'd say 'maybe' it is working but is really, really slow. I'll just let it run and see where it's at tomorrow. Matt.

Burp User | Last updated: Sep 20, 2016 01:23PM UTC

Hi, I'm running the JAR. I ended up stopping my test shortly after posting above that I would let it run, so I could update to the latest Java (1.8.0.101) and the latest Burp 1.7.06. I restarted and let it go. It's been running about 19 hours now. About a third of the URLs are 65% done, the others 35%. At this rate, it looks like it will take 2 days to complete... and this is just 10 URLs and I have many more of the same.... Matt.

PortSwigger Agent | Last updated: Sep 20, 2016 01:30PM UTC

Thanks for this feedback. One other question: does the problem arise when using a disk-based project, a temporary project, or both?

Burp User | Last updated: Sep 20, 2016 01:54PM UTC

Hi Dafydd, nope, always used the JAR file. Please note that the scan doesn't stop completely, it's only very, very slow, about 10 seconds per request, caused by the CPU overload. If needed we can execute specific tests or let you get into the machine. Maurizio

Burp User | Last updated: Sep 20, 2016 02:42PM UTC

I'm using a temp project. I load from a config file. Then I load my saved state. Then I run a scan. I can also let you access my machine if required. Matt.

PortSwigger Agent | Last updated: Sep 20, 2016 03:14PM UTC

@Maurizio Support for state files is always backwards compatible but not forwards compatible. So there isn't a way to create a state file in one version of Burp and reliably open it in an earlier version of Burp, sorry.

Burp User | Last updated: Sep 20, 2016 03:50PM UTC

Testing with a temporary project, at the beginning it is faster than with the normal project, but in any case it slows down after some minutes... Maurizio

Burp User | Last updated: Sep 20, 2016 08:50PM UTC

Is there any way to see what is going on under the covers while scanning is in progress? Is there a way to see a log file for what Burp is doing? Is it taking its time because it is doing a lot of preparing for running tests? I reloaded my state where it had already done some progress on scanning, cancelled all the problem URLs, and restarted a scan. It went along and did a bunch more scanning, but eventually hit some URLs that it has been stuck on for a while now. It's not as bad as the other ones, but still pretty annoying that it's this slow. I wish I knew what was happening. On my server that Burp is hitting, I turned on IIS logging, and I can see that it's hitting it in bunches at times, and then there are large gaps in time before the next URLs get logged. The "time taken" column shows these entries are all quick. So the large gaps in time seem to be caused by Burp not hitting the server. The gaps in time vary, but are usually about 1 to 2 minutes. I've seen a few that were 5-6 minutes. Anyway, I'll let it run all night as I'm leaving to go home soon. Guess we'll see how far it got when I come in tomorrow. Matt.
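The server-side check Matt describes above (look at the IIS log, confirm each request is served quickly, and measure the idle gaps between requests to tell a stalled client from a slow server) can be scripted. The following is an added example, not code from the thread or from PortSwigger: it parses IIS W3C extended log lines using the `#Fields:` directive, computes the gap between consecutive requests from a given client IP, and flags gaps above a threshold. The log lines, IP addresses and paths are constructed sample data, not a real capture, and the `#Fields:` order is one common IIS configuration; adjust the field names if your server logs a different set.

```python
"""Distinguish a stalled scanner from a slow server using IIS W3C logs.

Added example: parses W3C extended log lines, then reports long idle gaps
between a client's requests next to the server's own time-taken figures.
"""
from datetime import datetime

# Constructed sample log (not a real capture). Requests arrive in bursts
# with two long idle periods between them; every request itself is fast.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2016-09-20 14:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken
2016-09-20 14:00:00 10.0.0.5 GET /app/login.aspx - 80 - 10.0.0.9 Mozilla/5.0 - 200 0 0 12
2016-09-20 14:00:01 10.0.0.5 POST /app/login.aspx - 80 - 10.0.0.9 Mozilla/5.0 - 200 0 0 31
2016-09-20 14:00:01 10.0.0.5 GET /app/search.aspx q=x 80 - 10.0.0.9 Mozilla/5.0 - 200 0 0 8
2016-09-20 14:02:30 10.0.0.5 GET /app/search.aspx q=y 80 - 10.0.0.9 Mozilla/5.0 - 200 0 0 9
2016-09-20 14:02:31 10.0.0.5 GET /app/item.aspx id=1 80 - 10.0.0.9 Mozilla/5.0 - 200 0 0 15
2016-09-20 14:08:00 10.0.0.5 GET /app/item.aspx id=2 80 - 10.0.0.9 Mozilla/5.0 - 404 0 2 4
"""


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the #Fields: directive."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Date, ...) carry no rows
        if fields is None:
            raise ValueError("data line encountered before #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def request_gaps(rows, client_ip=None):
    """Yield (previous_row, row, gap_seconds) for consecutive requests, oldest first.

    If client_ip is given, only that client's requests are considered, so
    unrelated traffic does not mask or fill the scanner's idle periods.
    """
    stamped = []
    for r in rows:
        if client_ip is not None and r.get("c-ip") != client_ip:
            continue
        ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
        stamped.append((ts, r))
    stamped.sort(key=lambda item: item[0])  # stable: same-second rows keep file order
    return [(r0, r1, (t1 - t0).total_seconds())
            for (t0, r0), (t1, r1) in zip(stamped, stamped[1:])]


def stalls(rows, threshold_seconds=60, client_ip=None):
    """Gaps at or above the threshold, as (uri before, uri after, seconds)."""
    return [(r0["cs-uri-stem"], r1["cs-uri-stem"], gap)
            for r0, r1, gap in request_gaps(rows, client_ip)
            if gap >= threshold_seconds]


def server_side_stats(rows):
    """(max, mean) of IIS time-taken in milliseconds: how slow the server itself was."""
    taken = [int(r["time-taken"]) for r in rows]
    return max(taken), sum(taken) / len(taken)


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)
    worst_ms, mean_ms = server_side_stats(rows)
    print(f"{len(rows)} requests; server time-taken max {worst_ms} ms, mean {mean_ms:.1f} ms")
    for before, after, gap in stalls(rows, threshold_seconds=60, client_ip="10.0.0.9"):
        print(f"client idle {gap:.0f}s between {before} and {after}")
```

If the gaps are long while time-taken stays small, the delay is on the client side (the scanner or its host), which is the conclusion Matt draws; if time-taken itself is large, the application is the bottleneck and throttling or fewer threads is the right response. With a real log, pass the scanner host's address as `client_ip` so other users' requests do not hide the idle periods.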

Burp User | Last updated: Sep 21, 2016 08:47AM UTC

Is there any way to export the Burp target part from the latest version to a state compatible with release 1.6.x? I tried the normal save state, but when I import it into the old version some errors occur and I get only a part of the target. Maurizio

PortSwigger Agent | Last updated: Sep 21, 2016 09:20AM UTC

We've now managed to reproduce this problem and are investigating the root cause. Thanks for your feedback.

Burp User | Last updated: Sep 21, 2016 09:59AM UTC

Any news about the scan issue? I have to decide today if we need to start the scans again from scratch with Burp 1.6. Maurizio

Burp User | Last updated: Sep 21, 2016 01:38PM UTC

Hi, I came in this morning to find that it is still chugging along, doing the scan, but very slowly. Some of the items in the queue took over 6 hours to complete. This particular scan has over 4200 items in the queue. Historically with older versions of Burp, I would have been able to get the complete scan done in about 2 days. At the rate it is going, this will probably take well over a week. And this is only part of what I need to do (I broke it up into 4 pieces). I need to use a newer version of Burp because I need to find XXE errors primarily, and I don't think this was available in older 1.6 versions. Maybe what I can do is only scan for XXE (currently scanning for everything). Which option specifically scans for XXE errors? Matt.

PortSwigger Agent | Last updated: Sep 23, 2016 09:10AM UTC

Just to let you know we've now released a fix for this problem (Burp 1.7.07). Thanks again to everyone who helped with investigating this issue.

Burp User | Last updated: Sep 23, 2016 05:22PM UTC

Great! Thanks. I'm re-running my scan now, and it definitely seems to be working much faster and is no longer using all the CPU.

PortSwigger Agent | Last updated: Sep 26, 2016 08:09AM UTC

Please can you try 1.7.22, as we made some further performance enhancements in that release? If anyone is still seeing unexpectedly high memory/CPU utilization during scanning with the latest release, please can you email support@portswigger.net with full details so that we can investigate properly? Thanks.

Burp User | Last updated: Dec 02, 2016 03:13PM UTC

I posted in another thread on this topic: with the latest version using the installer, Windows 64 bit, I am experiencing these issues still and they are painful!

Burp User | Last updated: Dec 08, 2016 08:59PM UTC

I'm using the installer, Windows 64 bit, and the problem is still there. 1.7.13.

Burp User | Last updated: May 02, 2017 03:55PM UTC

Still facing the same issue :( even in Burp Suite Pro 1.7.21

Burp User | Last updated: Jul 14, 2017 06:44PM UTC

I see a similar problem suddenly (did not have this problem a couple of months ago). I am using 1.7.23. I can restore a state, restart the scanner, it runs for a few minutes, slowing, then completely stops making any progress in any "thread." No, CPU does not go high, it drops to zero. If I save the state, restart Burp Suite, restore the state, I can get a few more minutes of scanning before it stops again. I have emailed my state to support, just posting here to confirm that the problem still exists.

Liam, PortSwigger Agent | Last updated: Jul 17, 2017 07:18AM UTC

There is no upgrade to the Burp Scanner. It could be any number of things causing Burp Scanner to run slowly. It could be the size of the application, the amount of inputs / insertion points or even the amount of cookies on each individual page. It could also be that you are testing a slow application. We have a few questions and suggestions that might help us help you:
1. Have you tried switching off individual scan areas to determine if it is a specific check that is causing this issue?
2. If you install Logger++ and view the Scanner activity, do you notice any particular scans that are running slowly?
3. Have you tried reducing the number of threads or throttling the scanner?

Burp User | Last updated: Sep 04, 2017 06:35AM UTC

Hi Team, We are also facing a similar issue with 1.7.26. The scanner is very slow and is taking almost 2 days to complete the scan. Can you please let us know whether I should consider any special settings change in the new version 1.7.26? Does Burp have any upgrade to the scanner? Thanks, Madhan

Burp User | Last updated: Nov 07, 2017 12:13PM UTC

Hi Team, Is there a way to reduce the number of requests per scan item? Thank you Megha

Liam, PortSwigger Agent | Last updated: Nov 07, 2017 12:16PM UTC

Have you tried using the Active Scanning Optimization settings in the Scanner > Options tab?
