Burp Suite User Forum

automatically scan the web site

hong | Last updated: Jan 06, 2017 05:11PM UTC

Hi, my goal is to use Burp as a vulnerability scanner and scan the web site automatically. I built the site map using the spider and content discovery, and followed the instructions in "using burp as a point-and-click scanner". Then I did an "active scan" on the host/branch. In the middle of the active scan, it seems it automatically logged out of the web server, and all the subsequent scans are redirected to the login page, which did not scan the real pages. How do I solve this problem? Also, if I save the site map, I am not able to do an "active scan" on the host, since the requests have the expired login info; the tokens are all expired. How do I achieve my goal? My plan was to save the site map, and load it each time I need to do an automatic scan. Really need some help here! I did set up the user/password in the spider and in options->connections. Thanks

PortSwigger Agent | Last updated: Jan 09, 2017 09:14AM UTC

It sounds like you'll need to configure some session handling rules to do what you want. You can create a session rule that (a) runs a macro to detect whether the session is valid; (b) if not, runs a second macro to perform a login and obtain a valid session. Documentation about Burp's session handling rules is here: https://portswigger.net/burp/help/options_sessions.html
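The check-then-login logic such a rule applies, shown as an added Python simulation that is not part of the original thread and not Burp code (in Burp the rule and its macros are configured in the session handling options). `FakeApp`, the `/account` probe, the credentials and the page paths are constructed assumptions.

```python
class FakeApp:
    """Constructed stand-in for the target: sessions expire TTL ticks after login."""
    TTL = 3

    def __init__(self):
        self.now, self.expiry = 0, {}

    def login(self, user, password):
        token = f"sess-{len(self.expiry) + 1}"
        self.expiry[token] = self.now + self.TTL
        return token

    def get(self, path, token):
        if self.now >= self.expiry.get(token, 0):
            return 302, {"Location": "/login"}, ""      # expired or missing session
        return 200, {}, f"content of {path}"


def session_is_valid(status, headers):
    """A redirect to the login page means the session is gone."""
    return not (status == 302 and headers.get("Location", "").startswith("/login"))


class SessionRule:
    """(a) probe an authenticated page; (b) if the session is invalid, log in again."""

    def __init__(self, app, probe="/account"):
        self.app, self.probe, self.token, self.logins = app, probe, None, 0

    def fetch(self, path):
        status, headers, _ = self.app.get(self.probe, self.token)
        if not session_is_valid(status, headers):
            self.token = self.app.login("scanuser", "scanpass")
            self.logins += 1
        return self.app.get(path, self.token)


def scan(app, paths, fetch):
    """Return the paths that produced a real page rather than a login redirect."""
    reached = []
    for path in paths:
        app.now += 1                                    # one clock tick per scan request
        status, headers, _ = fetch(path)
        if session_is_valid(status, headers):
            reached.append(path)
    return reached


PATHS = [f"/page{i}" for i in range(1, 7)]              # constructed site map
```

Scanning with a single token captured up front reaches only the pages requested before expiry, while routing each request through `SessionRule.fetch` reaches all of them, which is also why a saved site map with stale tokens can still be scanned once the rule is in place.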