Burp Suite User Forum


Burpsuite Enterprise: Crawling and scoping

Beth | Last updated: Mar 25, 2019 02:55PM UTC

Is there any documentation on how crawling/scoping works in Burpsuite Enterprise? We've tried all of the crawl scan configurations along with varying combinations of "Add all links to site map" and/or "Add requested items to site map" but have been unable to reproduce the same findings found using Burpsuite Pro. It seems the only thing that works is manually adding subdomains in "included URL's" to get results.

Burp User | Last updated: Mar 25, 2019 02:57PM UTC

Adding more details to the case: We've tried all of the crawl scan configurations along with varying combinations of "Add all links to site map" and/or "Add requested items to site map" but have been unable to reproduce the same findings found using Burpsuite Pro. It seems the only thing that works is manually adding subdomains in "included URL's" to get results. Specific example: In Burpsuite Enterprise, we added the included URL juice-shop.herokuapp.com, selected scan configurations for crawl (tried all), also tried "add links..." and "add requested...", and the only real finding is "Strict transport security not enforced". If you spider/scan the same domain in Burpsuite Pro, there are many high findings. One specific high finding, Cross-site Request Forgery, is found under https://juice-shop.herokuapp.com/api/Users. (This is not found in Burpsuite Enterprise.) In Enterprise, no matter which combination of crawl/audit configurations is selected, there are no findings of interest unless you manually add items like /api/Users to included URLs. We've even tried importing the Burpsuite Pro configurations exported as JSON into Enterprise and none of the high findings are found in Enterprise.

Liam, PortSwigger Agent | Last updated: Mar 25, 2019 04:04PM UTC

Thanks for the additional information, Beth. Burp Pro and Enterprise use the same crawl and scan engine. Which version of Burp Suite Pro are you using?

Burp User | Last updated: Mar 25, 2019 07:43PM UTC

Pro version 1.7.3.7.

Liam, PortSwigger Agent | Last updated: Mar 26, 2019 02:10PM UTC

The reason you're seeing a difference between Burp Pro and Enterprise is because Burp 1's spider function works differently to the crawl engine in Burp 2 and Burp Enterprise: https://portswigger.net/blog/burps-new-crawler

These products don't currently handle JavaScript-heavy applications. We're currently working on an enhancement to these features that will be an upgrade on Burp 1. Unfortunately, we can't provide an ETA; however, we will update you when we've made some progress. Please let us know if you need any further assistance.
