Burp Suite User Forum

Scanning large of threads

Adam | Last updated: Aug 24, 2017 09:08PM UTC

Hello, needing help with the best way to scan a website that has over 1000 items to scan. Recently, I have been given a task to scan an internal-only website. This website has over 1000 items to scan from the scanning wizard. This is not a fast scan; I have increased the amount of threads it will scan with to help get this scan done faster. After talking to the person that maintains this website, it is going to continue to get bigger. Is there a way to look or set or something that will help scanning this better and faster? Currently this scan will take over a day to run. Any help would be great.

Liam, PortSwigger Agent | Last updated: Aug 25, 2017 08:21AM UTC

It could be any number of things causing Burp Scanner to run slowly. It could be the size of the application, the amount of inputs / insertion points or even the amount of cookies on each individual page. It could also be that you are testing a slow application.

You could try using a computer with additional processing power. Alternatively you could try using the Distribute Damage extension from the BApp store to ensure you are not repeatedly scanning the same parameters:

https://portswigger.net/bappstore/bapps/details/543ab7a08d954390bd1a5f4253d3763b

Also, you can continue adjusting the number of threads and scan settings to refine your scanning. Please let us know if you need any further assistance.

Burp User | Last updated: Aug 29, 2017 02:07PM UTC

Ok, I will try this app out and report back later next month. Thank you, Liam.

Liam, PortSwigger Agent | Last updated: Aug 29, 2017 02:11PM UTC

Other than the other options we have suggested, there isn't much more we can suggest to speed up your scans. Is the new application (300 items) you are testing run on the same network as the previous application (1000 items)?

Burp User | Last updated: Sep 06, 2017 03:57PM UTC

Update on using the Distribute Damage extension from the BApp store: I used the default setting, and the website scanning was much slower. Then I changed the setting to 200 milliseconds; same, it was much slower. I tested this out on a website that does take a long time to scan that has under 300 items. Any other ideas?

PortSwigger Agent | Last updated: Sep 06, 2017 04:06PM UTC

Hi Adam,

Another approach you can take is to reduce the number of scan items. The Active Scan wizard is quite aggressive in how it determines that requests map to endpoints. You can end up with a situation where it scans paths like these separately:

/item?id=1
/item?id=2
/item?id=3

In most cases, all these will hit the same controller code, so just scanning one of them is enough. If you manually go through your site map and just do an active scan of the key ones - you may have a far smaller scan.
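The reduction described in the reply above can be scripted over an exported URL list. This is an added example, not code from the thread or from PortSwigger: it groups requests by method, host, path and query parameter names and keeps one representative per group. It goes a step beyond the `/item?id=N` case by also collapsing numeric or UUID path segments; the function names, the `internal.example` host and the sample URLs are constructed for illustration.

```python
# Added example: collapse a URL list to one representative per endpoint "shape".
import re
from collections import OrderedDict
from urllib.parse import urlsplit, parse_qsl

# Path segments that look like record identifiers (assumption: integers or UUIDs).
_ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})$"
)

def endpoint_key(method, url):
    """Return a key that is equal for requests likely to hit the same controller."""
    parts = urlsplit(url)
    segments = ["{id}" if _ID_SEGMENT.match(s) else s for s in parts.path.split("/")]
    # Only parameter names matter for the key; values such as id=1 vs id=2 do not.
    names = sorted({name for name, _ in parse_qsl(parts.query, keep_blank_values=True)})
    return (method.upper(), parts.netloc.lower(), "/".join(segments), tuple(names))

def representatives(requests):
    """Keep the first request seen for each endpoint key, and count the duplicates."""
    groups = OrderedDict()
    for method, url in requests:
        key = endpoint_key(method, url)
        if key not in groups:
            groups[key] = {"method": method, "url": url, "count": 0}
        groups[key]["count"] += 1
    return list(groups.values())

# Constructed sample site map entries (internal.example is a placeholder host).
SAMPLE = [
    ("GET", "http://internal.example/item?id=1"),
    ("GET", "http://internal.example/item?id=2"),
    ("GET", "http://internal.example/item?id=3"),
    ("GET", "http://internal.example/item?id=3&sort=asc"),
    ("POST", "http://internal.example/item?id=3"),
    ("GET", "http://internal.example/orders/1001/lines"),
    ("GET", "http://internal.example/orders/1002/lines"),
]

if __name__ == "__main__":
    for rep in representatives(SAMPLE):
        print(f"{rep['count']:>3}x  {rep['method']:<4} {rep['url']}")
```

A parameter whose value selects different server-side behaviour (for example a constructed `action=` parameter) would be collapsed by this key, so review the groups before trimming the scan queue.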

Burp User | Last updated: Sep 22, 2017 04:30PM UTC

Sorry, I did not see this update again. The 300 items is on the same subnet as the 1000 items but not the same device. I thought to try to see what I can find out here.
