Different Bugs on Re-scanning same project/file
I did a scan and saved its file/script. Now when I run the same script multiple times, it shows different results on scanning the same script. It showed only informational issues one time, and on running it a second time it showed high severity issues (SQL Injection etc).
Why is it not showing the same results on re-scanning?
Are you performing a crawl and audit, or just an audit?
Are you using the same configuration each time or is it changing?
Are you scanning the same target each time?
I did an active scan on the same target with the same configuration every time. I don't see any Crawl and audit options here.
Can you guide me where I can find these crawl and audit options?
Hi Khizra. Could you tell me what version of Burp Suite you are using, and whether it is Community or Professional?
I am using Burp Suite Professional v1.7.34.
I am curious why it shows different bugs on re-scanning. How does the active scan work, and why are all those issues not identified in the very first scan?
Our most up to date version of Burp Suite is 2.1.07. There are a number of major changes that have been implemented since 1.7. You can download the most up to date version of Burp by going to our website portswigger.net and logging in with the account associated with your license.
With regards to 1.7, are you using a live scan or a manual scan (https://support.portswigger.net/customer/portal/articles/1783127-using-burp-scanner)?
I am using Active Scanning. Firstly I browse all the URLs and then add them to scope. After that I start an active scan on the target scope.
My question here is why it is showing new issues every time. For example, if I scan a URL once, it shows informational issues on it, but on re-scanning it shows very high severity issues on the same URL which was scanned previously and showed low issues. Why does it not identify all issues in one scan on the same URL?
Differences in scan results can occur for various reasons – changes in the application code, intermittent network failures, different application data/state causing different crawl paths or issues being observed.
We can probably help you more if you identify specific issues that are changing. You might need to examine the details of the issues affected, to understand why the differences are arising. You could also try tuning the Scanner engine. In general, using fewer threads increases determinism by reducing side-effects on the server side due to concurrent access/updates.
You mentioned that you were reusing a script to carry out your scan. Are you browsing the URLs each time that you scan, or simply rerunning the active scan against an existing site map?
As Hannah mentioned in her previous message, we would always recommend updating to the latest version of Burp Professional (which is currently at 2.1.07) in order to take advantage of the latest functionality and bug fixes available.
I did an active scan. The first time it showed me all informational/low issues. On re-scanning the same script, it identified a SQL Injection issue. I again scanned the same script, and it identified some more new high severity issues like Python code injection, Ruby code injection, OS Command Injection. After facing all these issues, I scanned the script again, and then these issues were not there.
At last I created a new script/project by browsing the URLs again, and it identified high severity issues again. This is really confusing that it is showing different results every time.
No, I am not browsing the URLs each time; I am simply reusing the active scan against the existing site map.
It would be good to know if you see the same using the latest version of Burp (2.1.07). Would you be able to test that for us, please?
As Ben mentioned, there can be many reasons why two scans can pick up different issues. To help us understand your setup, it might be useful to see some screenshots or a screen recording of the steps you are taking to run the scan and the results at each stage. If you would be happy to send these, you can email them to email@example.com.
I will try with the latest version of Burp and will let you know.
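One way to act on the advice above to identify the specific issues that change between runs, as an added example that is not part of the original thread: export each scan's issues as XML and list every issue that is missing from at least one run. It assumes the reports use `issue` elements with `name`, `host`, `location`, `severity` and `confidence` children; the sample reports are constructed, and `make_report`, `load_issues` and `intermittent_issues` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET


def make_report(rows):
    """Build a constructed report from (name, location, severity, confidence) rows."""
    body = "".join(
        f"<issue><name>{name}</name><host>http://app.test</host>"
        f"<location>{loc}</location><severity>{sev}</severity>"
        f"<confidence>{conf}</confidence></issue>"
        for name, loc, sev, conf in rows
    )
    return f"<issues>{body}</issues>"


# Constructed sample data: three runs against the same site map.
FRAME = ("Frameable response", "/login", "Information", "Firm")
RUNS = [
    make_report([FRAME]),
    make_report([FRAME, ("SQL injection", "/item [id parameter]", "High", "Tentative")]),
    make_report([FRAME, ("OS command injection", "/item [id parameter]", "High", "Firm")]),
]


def load_issues(xml_text):
    """Map (name, host, location) -> (severity, confidence) for one report."""
    issues = {}
    for issue in ET.fromstring(xml_text).iter("issue"):
        get = lambda tag: (issue.findtext(tag) or "").strip()
        key = (get("name"), get("host"), get("location"))
        issues[key] = (get("severity"), get("confidence"))
    return issues


def intermittent_issues(reports):
    """Return {issue_key: [run indices that reported it]} for issues absent from some run."""
    seen = {}
    for index, xml_text in enumerate(reports):
        for key in load_issues(xml_text):
            seen.setdefault(key, []).append(index)
    return {key: runs for key, runs in seen.items() if len(runs) < len(reports)}


if __name__ == "__main__":
    for key, runs in sorted(intermittent_issues(RUNS).items()):
        print(f"{key[0]} at {key[2]}: reported in runs {runs} of {len(RUNS)}")
```

Issues that appear in only some runs are the ones whose request and response details are worth comparing across runs.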