
Burp Automated Scan using Macro not spidering all URLs

deepak Oct 17, 2019 08:15AM UTC

Hello,

I am using the Burp API to automate the scans on Burp Suite v1.7.31.
After creating a macro, I am supplying credentials and I am able to log in later using the macro. However, Burp is only able to spider or crawl the macro URL and does not spider or scan other URLs automatically.

The only request in my macro is the login request. The scope is intended to cover all URLs, but Burp ends up spidering only the login request and the response redirection URL, if any, and then stops.

Can anyone confirm whether it is possible to use a macro and scan all URLs of an application dynamically via such automation, or whether the list of URLs needs to be added manually / manual spidering is required?


Mike Eaton Oct 17, 2019 10:55AM UTC Support Center agent

Hi, we responded to your email about this issue 18 minutes ago, I will post our reply here in case you haven’t received it.

Yes, your macro should not affect Burp Scanner's ability to continue scanning after you have successfully authenticated with an application.

Can you provide us with examples of your Session Handling Rules configuration and a description of what authentication requirements your target application has?


Laura Oct 30, 2019 09:50PM UTC
Hello,

Any updates on this, please? Mike, can you please provide a link to a tutorial on how to use Burp for automated login on web apps with CSRF tokens and then actually start the scan?

I have found this link, but it does not say how to start the scan or where to enter credentials:

https://support.portswigger.net/customer/portal/articles/2906338-using-burp-s-session-handling-rules-with-anti-csrf-tokens


I would like to scan a web app with a CSRF token. I have added a macro selecting the /login GET request where the token appears and set session handling rules, but there is no option to scan using this macro in version 2.1.04. Where can I find support, please? I have bought a license for Professional use.

Thank you!

Mike Eaton Nov 01, 2019 09:15AM UTC Support Center agent

Hi Laura, when you define a session handling rule, in the ‘Scope’ tab you select the tool(s) that the rule applies to and the scope of what URLs will use this rule when utilizing one of the tools previously selected.

In your case, you will need to select the scanner to apply this rule and set the scope to include the URL you are scanning. The macro should then be used when you execute a scan against that target application.
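The CSRF-token step Laura describes can also be done in code. As an added example (not code from this thread or from PortSwigger), the Burp extension below uses the legacy Extender API to register a custom session handling action: it reads the anti-CSRF token from the macro's last response and rewrites the matching parameter in the request Burp Scanner is about to send. The form field name `csrf_token` and the regex for locating it in the HTML are assumptions that must be adapted to the target application.

```java
package burp;

import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Session handling action: copy the anti-CSRF token from the macro's last
// response into the outgoing request. Select it under "Invoke a Burp extension"
// in the session handling rule, after the "Run a macro" action.
public class BurpExtender implements IBurpExtender, ISessionHandlingAction {
    // Assumed field name and HTML pattern; adapt to the target application.
    private static final String TOKEN_PARAM = "csrf_token";
    private static final Pattern TOKEN_RE =
        Pattern.compile("name=\"" + TOKEN_PARAM + "\"\\s+value=\"([^\"]+)\"");

    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        helpers = callbacks.getHelpers();
        callbacks.setExtensionName("CSRF token from macro");
        callbacks.registerSessionHandlingAction(this);
    }

    @Override
    public String getActionName() {
        return "Copy CSRF token from macro response";
    }

    @Override
    public void performAction(IHttpRequestResponse currentRequest,
                              IHttpRequestResponse[] macroItems) {
        // macroItems is null when no macro ran before this action.
        if (macroItems == null || macroItems.length == 0) return;
        byte[] response = macroItems[macroItems.length - 1].getResponse();
        if (response == null) return;

        Matcher m = TOKEN_RE.matcher(helpers.bytesToString(response));
        if (!m.find()) return;  // token not present: leave the request untouched
        String token = m.group(1);

        byte[] request = currentRequest.getRequest();
        List<IParameter> params = helpers.analyzeRequest(request).getParameters();
        for (IParameter p : params) {
            if (TOKEN_PARAM.equals(p.getName())) {
                // Keep the parameter's location (body, URL, cookie); only the value changes.
                IParameter updated = helpers.buildParameter(TOKEN_PARAM, token, p.getType());
                currentRequest.setRequest(helpers.updateParameter(request, updated));
                return;
            }
        }
    }
}
```

Load the compiled extension under Extender, then in the session handling rule's Scope tab select Scanner and the target URLs, exactly as described above, so the action runs for every scan request.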

