Hi PortSwigger team,
We have an internal test application that we know to have an XSS issue in a pre-authentication login page.
The issue was identified by the Burp Pro scanner, but not by the Enterprise Edition.
The scan agent versions are the same (2.1.04) and the url is the same for both scans.
It looks like the Pro scanner is seeing 11 insertion points (in the audit items tab) whereas the Enterprise edition is reporting “Number of locations: 1”.
The Enterprise Edition is using the same configuration file that I’ve exported from the Pro edition.
I guess it’s difficult to diagnose just from those details but I can provide screenshots/config files if needed.
Essentially, we want assurances that the Enterprise edition will find the same issues as previous testing using the Pro version. Am I missing something in the configuration stage?
Thanks very much,
Hi Laurence, I have replied to your email about this query, but I will post the response here also.
Burp Suite Professional & Enterprise use the same scanning engine, so therefore, in theory, they should produce the same results when given the same configuration at the same target. However, there are quite a few factors that could influence this.
In Burp Suite Professional, there are additional features that can be applied during scanning such as Session Handling Rules with Macro’s, Cookie Jar configuration, Resource Pool configuration, and Extensions. All of which can influence the results of the scan output from Professional, which could be the reason why you are getting additional results.
Can you clarify that the testing you performed on Burp Suite Professional was with a ‘vanilla’ installation of Burp Suite Professional?
Can you also clarify if Burp Suite Professional scanned the application once or are these results consistent across multiple scanning operations?