Burp Suite User Forum


Scope Control

Austin | Last updated: Mar 29, 2018 12:52PM UTC

Domains can be in one of three states: in scope, out of scope, or undecided. A domain is undecided if it is not mentioned by any of the in/out of scope rules. In the site map, I would like Burp Suite to hide domains that I explicitly defined as out of scope, but display everything else (i.e. domains that are in scope as well as domains that are not mentioned in the scope rules). Checking the "Show only in-scope items" box in the filter options does not accomplish this because it hides domains that are undecided. How can I accomplish this?

PortSwigger Agent | Last updated: Mar 29, 2018 01:00PM UTC

Hi Austin, Thanks for your message. At the moment, Burp doesn't have the concept of "undecided" - everything is either in-scope or out-of-scope. The purpose of scope exclusions is to exclude parts of a more general in-scope rule, e.g. http://myapp/ is in scope, but http://myapp/donttouch/ is out of scope. You can get behavior a little like you want by enabling "use advanced scope control" and setting an in-scope rule for .* I know a few users do this, although it's not the way we'd envisaged scope being used. Do you want to block some domains because they're causing noise? One option is to use a browser extension like FoxyProxy and configure it so those domains do not go through the proxy. We are looking at making this a Burp feature as well. Please let us know if you need any further assistance.

Burp User | Last updated: May 15, 2018 09:29PM UTC

Thanks for getting back, Paul. Yes, my motivation in asking about this feature is to eliminate noise - e.g. requests made to ad tracking sites, captive portal detectors, and the like. For example, consider that I have http://myapp/ explicitly defined as in-scope, and I have my site map, proxy history, and intercept configured to not show anything out of scope. Suppose a page on http://myapp/ makes a request to load a resource from http://myrelatedapp/ or http://sameappdifferentname/. This request would not show up in my current configuration, and the only way to see it would be to show all items, find the request for http://myrelatedapp/, add it to scope, and then hide out of scope items again. This process is fine for a couple "related apps," but as this number increases it gets very tedious to sort through the noise so many times. I don't quite understand how setting an in-scope rule for .* would help. Can you elaborate on this a little? -A. Dean

PortSwigger Agent | Last updated: May 16, 2018 09:01AM UTC

Hi Austin, Thanks for following up. I understood your difficulty with requests to http://relatedapp/. A scope rule for .* would help because you could then exclude noise domains like Google Analytics. You could also do this using a browser plugin like Foxy Proxy. We will in time make this a core Burp feature. It could be done with an extension now - I think such an extension would be very popular.

Burp User | Last updated: Jun 03, 2018 02:24AM UTC

Hi Paul, I have submitted a similar topic here: https://support.portswigger.net/customer/en/portal/questions/17342540-suite-wide-level-traffic-blacklist?new=17342540 I don't think a scope rule for .* and excluding noise domains is a good idea, because the scope not only affects the HTTP history, it also affects the spider or other extenders that use scope. So still expecting the new feature, thx!
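To make the two models in this thread concrete, here is an added Python illustration (not Burp's code or a Burp extension): a three-state classifier (in, out, undecided) as Austin describes it, and the two-state workaround Paul suggests, a catch-all `.*` include plus explicit excludes. The scope rules and the proxy history are constructed for the example; rules are regexes matched against `host/path`, and an exclude match wins over an include match, as with Burp's exclusions.

```python
import re
from urllib.parse import urlparse

# Constructed scope rules (not from any real configuration).
INCLUDE = [r"^myapp/"]                      # the explicit in-scope app
EXCLUDE = [r"^myapp/donttouch/",            # excluded part of the in-scope app
           r"^www\.google-analytics\.com/",  # noise domains
           r"\.doubleclick\.net/"]
CATCH_ALL = r".*"                           # the "advanced scope control" workaround

# Constructed proxy history: the app, a related app, and background noise.
HISTORY = [
    "http://myapp/login",
    "http://myapp/donttouch/admin",
    "http://myrelatedapp/static/app.js",
    "http://www.google-analytics.com/collect",
    "http://ad.doubleclick.net/pixel",
    "http://captive.example.net/generate_204",
]

def target(url):
    """Reduce a URL to the 'host/path' string the rules are matched against."""
    p = urlparse(url)
    return (p.hostname or "") + (p.path or "/")

def classify(url, include, exclude):
    """Three-state scope: excludes take precedence, then includes, else undecided."""
    t = target(url)
    if any(re.search(rule, t) for rule in exclude):
        return "out"
    if any(re.search(rule, t) for rule in include):
        return "in"
    return "undecided"

def show_only_in_scope(urls, include, exclude):
    """Burp's 'Show only in-scope items' filter: hides undecided items too."""
    return [u for u in urls if classify(u, include, exclude) == "in"]

def hide_explicitly_excluded(urls, include, exclude):
    """The filter Austin asks for: hide only what an exclude rule matches."""
    return [u for u in urls if classify(u, include, exclude) != "out"]

if __name__ == "__main__":
    # With the catch-all include, the stock filter shows exactly what the
    # requested filter would show under the original rules.
    print(hide_explicitly_excluded(HISTORY, INCLUDE, EXCLUDE))
    print(show_only_in_scope(HISTORY, INCLUDE + [CATCH_ALL], EXCLUDE))
```

Note that under the catch-all rules every undecided host (here the captive-portal detector) becomes in-scope for anything else that consults scope, which is the side effect the last reply objects to.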
