Burp Suite User Forum


Running Spider / Scanner Clobbers Server (or just CF service)

Darcy | Last updated: Jun 27, 2019 10:44PM UTC

Hi there. I'm not blaming Burp Suite here, as we've encountered the same thing with some other web app scanners, but I'm hoping for some Burp-specific advice. When we run a typical, basic spidering / scanning of a target, the spider and scanner seem to function fine for their duration, but in so doing they completely clobber the development server (it may just be ColdFusion that gets clobbered) that they're scanning such that no site hosted on that server that's being spidered / scanned can be browsed until such time as either the CF service or the entire box is restarted. We've set both the Burp Scanner and Spider to throttle between requests for 100ms but that's about all that we've done to deviate from "defaults" at this point, as this is all very new to us. Any thoughts would be appreciated. Thanks.

Liam, PortSwigger Agent | Last updated: Jun 28, 2019 09:23AM UTC

It sounds like you're doing the right thing by using the throttle. You should continue to increase the throttle until Burp scans without knocking over the server and the application has good accessibility during the scan. It's also worth noting that a slow server could cause inconsistent results with scanning. Like any security testing software, Burp Suite contains functionality that can damage target systems. Testing for security flaws inherently involves interacting with targets in non-standard ways that can cause problems in some vulnerable targets. You should take due care when using Burp, read all documentation before use, and back up target systems before testing. Please let us know if you need any further assistance.
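Burp's scanner throttle, as discussed above, is a fixed per-request delay that you raise by hand until the server stops falling over. The block below is an added example (not PortSwigger's code and not how Burp implements its throttle) of the adaptive policy a tester might run alongside a scan: it learns a latency baseline from the first healthy responses, doubles the inter-request delay when latency climbs well above that baseline, relaxes it again when the server recovers, and pauses outright after a run of timeouts or 5xx responses, which is the point at which a ColdFusion service in the state Darcy describes would otherwise need a restart. The response sequence is constructed for the demonstration; the class names, thresholds and helper are assumptions, not Burp settings.

```python
"""Adaptive scan-rate throttle (added example; not Burp's own code).

The idea is to treat the target's health as the control signal: widen the
delay between requests when latency grows, and stop before the service
is knocked over, instead of relying on a single fixed delay.
"""
from statistics import median


class AdaptiveThrottle:
    def __init__(self, base_delay_ms=100.0, max_delay_ms=5000.0,
                 warmup=20, slowdown_factor=3.0, error_threshold=3):
        self.base_delay_ms = base_delay_ms    # the 100 ms from the thread
        self.max_delay_ms = max_delay_ms      # never back off beyond this
        self.warmup = warmup                  # healthy samples used as baseline
        self.slowdown_factor = slowdown_factor
        self.error_threshold = error_threshold
        self.delay_ms = base_delay_ms
        self.baseline = []                    # latencies seen while healthy
        self.consecutive_errors = 0
        self.paused = False

    def observe(self, latency_ms, status):
        """Record one response (status None means timeout / no answer).

        Returns the delay in ms to wait before the next request, or None
        once the throttle has paused the scan.
        """
        if status is None or status >= 500:
            self.consecutive_errors += 1
        else:
            self.consecutive_errors = 0
            if len(self.baseline) < self.warmup:
                self.baseline.append(latency_ms)

        # A run of timeouts/5xx is the signal the server is going down: stop.
        if self.consecutive_errors >= self.error_threshold:
            self.paused = True
            return None

        # Only adapt once we know what "normal" looks like for this target.
        if len(self.baseline) >= self.warmup:
            ref = median(self.baseline)
            if latency_ms > self.slowdown_factor * ref:
                # Server is straining: double the gap between requests.
                self.delay_ms = min(self.delay_ms * 2, self.max_delay_ms)
            elif latency_ms < 1.5 * ref and self.delay_ms > self.base_delay_ms:
                # Server recovered: halve the gap, but not below the base.
                self.delay_ms = max(self.delay_ms / 2, self.base_delay_ms)
        return self.delay_ms


def simulate(throttle, responses):
    """Feed (latency_ms, status) pairs in order; return the chosen delays."""
    delays = []
    for latency, status in responses:
        delays.append(throttle.observe(latency, status))
        if throttle.paused:
            break
    return delays


# Constructed response stream: 20 healthy 40 ms responses, a latency spike,
# a brief recovery, then three timeouts as the service stops answering.
SAMPLE_RESPONSES = [(40, 200)] * 20 + [
    (150, 200), (300, 200), (45, 200),
    (9000, None), (9000, None), (9000, None),
]


if __name__ == "__main__":
    t = AdaptiveThrottle()
    for i, d in enumerate(simulate(t, SAMPLE_RESPONSES)):
        print(f"request {i + 1:2d}: next delay = {d} ms")
    print("paused:", t.paused)
```

Against the sample stream the delay stays at 100 ms through the warm-up, rises to 200 and then 400 ms as latency spikes, drops back to 200 ms on the healthy response, climbs again through the timeouts, and the scan is paused on the third consecutive timeout. In practice the latency and status values would come from the scanner's own request log or from a separate health-check probe against the dev server.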
