Burp 2.x does not passively scan certain content types it did in 1.7

Seth Jackson Jan 28, 2019 04:17PM UTC

In Burp 1.7.x Burp would find issues like 'Email address disclosed' on non-HTML content types.

For example, if the following was served in 'emails.txt' with Tomcat:

test@gmail.com
fake@gmail.com

Burp 1.7.x would find and report the 'Email address disclosed' issue.

In Burp 2.x that is no longer the case. Burp will not show these in the passive audit task and therefore the issue will not get reported anymore.

This also happens for other content types like CSS and JS.

This also trickles down to extensions as the 'doPassiveScan' is not getting called for text, CSS and JS content types in my testing.

I tested this using the Burp 1.7.37 installer and Burp 2.0.14beta installer on Windows.
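One way to check whether a given Burp build hands text, CSS and JS responses to extension passive checks is a small logging extension. This is an added example, not part of the original post and not PortSwigger code; it uses the legacy Burp Extender API, and the extension name and log format are made up for illustration.

```java
package burp;

import java.io.PrintWriter;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

// Diagnostic only: records every response that reaches doPassiveScan,
// so a missing content type (e.g. text, CSS, script) shows up as absent.
public class BurpExtender implements IBurpExtender, IScannerCheck {
    private IExtensionHelpers helpers;
    private PrintWriter out;
    private final Map<String, Integer> seen = new TreeMap<>();

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        helpers = callbacks.getHelpers();
        out = new PrintWriter(callbacks.getStdout(), true);
        callbacks.setExtensionName("Passive scan MIME logger"); // hypothetical name
        callbacks.registerScannerCheck(this);
    }

    @Override
    public synchronized List<IScanIssue> doPassiveScan(IHttpRequestResponse item) {
        byte[] response = item.getResponse();
        if (response == null) {
            return null; // nothing to classify
        }
        IResponseInfo info = helpers.analyzeResponse(response);
        // Stated = from the Content-Type header; inferred = Burp's own guess from the body.
        String key = "stated=" + info.getStatedMimeType()
                   + " inferred=" + info.getInferredMimeType();
        int count = seen.merge(key, 1, Integer::sum);
        out.println("doPassiveScan #" + count + " [" + key + "] "
                + helpers.analyzeRequest(item).getUrl());
        return null; // this check reports no issues itself
    }

    @Override
    public List<IScanIssue> doActiveScan(IHttpRequestResponse item,
                                         IScannerInsertionPoint insertionPoint) {
        return null; // passive-only diagnostic
    }

    @Override
    public int consolidateDuplicateIssues(IScanIssue existing, IScanIssue newIssue) {
        return 0; // no issues are raised, so nothing to consolidate
    }
}
```

Load it in both versions, browse a file such as the 'emails.txt' example above through the proxy, and compare the extension's output tab: a content type that never appears in the log is not being passed to passive checks.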


Paul Johnston Jan 30, 2019 11:51AM UTC Support Center agent

Thanks for letting us know about this. This is a bug which we will resolve in a future version.


Seth Jackson Feb 15, 2019 02:20PM UTC
This is fixed in 2.0.16.

Liam Tai-Hogan Feb 15, 2019 02:33PM UTC Support Center agent

Thanks for letting us know, Seth.

