
I have been making use of Burp Suite's active scanning functionality for some of my recent web application assessments, and I had some questions about the active scanner's ability to remove URLs from the scan queue that have particular characteristics, such as being a media response or having a certain file extension.

Oftentimes, after spidering a site, I get inundated with URLs that have no parameters, which significantly extends the time I spend scanning with this tool. With all this said, my main question is: what are the repercussions of removing URLs of this type from my active scanning queue, and what other concerns arise when skipping over URLs of this type during an application assessment? Will the quality of the scans decrease much if these URLs are excluded?

Bryan

1 Answer

It is best to plan out and control each URI (params or not) sent to the active/passive scanning engine.

The target analyzer in the engagement tools (typically selected from the Target sitemap tab as "Analyze target") is a great place to select parameters and then "send to Intruder". Typically, you can customize your fault injection strategies in Intruder by automating what to send to the Scanner as well as by using the full Intruder functionality. The former is accomplished by customizing each insertion point by position and selecting "Actively scan defined insertion points" from the Intruder menu. The latter can be accomplished by using the full Intruder functionality with a standard set of fault-injection lists, such as the SecLists project found in Kali Linux.

To answer your question fully, it is best to understand the application. Sometimes parameters are part of the URI, such as in a RESTful-based app or one that uses a controller-action-id paradigm. Learn more about HTTP security from Daniel Miessler's blog. Thus, it is important to map the functionality of the app in the Target tab and understand the parameters and logic before even moving to the Target Analyzer, and then to select all appropriate positions and test each insertion point with the correct payloads and response analyses. Often this is best done in the Burp Repeater, perhaps even along with the browser -- all too often applet, ActiveX, Ajax, Flash, or Silverlight parameters are missed in the test plan!

atdre
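As an added example (not part of the question or answer, and not Burp's own code), the following Python triage sorts a constructed sitemap export into URLs worth sending to the scanner versus static media. It makes the answer's point concrete: a filter that only checks for a query string would drop REST-style and controller/action/id URLs whose parameters live in the path. The labels, the media extension list and the identifier heuristics are assumptions chosen for this illustration.

```python
import os
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed set of extensions that normally return static media with no server-side logic.
MEDIA_EXT = {".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico", ".css", ".woff", ".woff2", ".mp4"}

# Heuristic (assumption): a path segment that is a pure number, a UUID or a long hex token
# is probably an identifier embedded in the URI, i.e. a parameter without a query string.
ID_SEGMENT = re.compile(
    r"^(\d+"
    r"|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
    r"|[0-9a-f]{16,})$",
    re.IGNORECASE,
)


def classify(url: str) -> str:
    """Return one of: skip-media, scan-query, scan-path-param, review-no-params."""
    parts = urlsplit(url)
    ext = os.path.splitext(parts.path)[1].lower()
    if ext in MEDIA_EXT:
        return "skip-media"                 # safe to drop from the active scan queue
    # keep_blank_values keeps flags like "?debug" that still reach server-side code
    if parse_qsl(parts.query, keep_blank_values=True):
        return "scan-query"                 # classic query-string parameters
    segments = [s for s in parts.path.split("/") if s]
    if any(ID_SEGMENT.match(s) for s in segments):
        return "scan-path-param"            # REST / controller-action-id style parameters
    return "review-no-params"               # no obvious parameters; decide manually


def triage(urls):
    """Group a list of URLs by classification label."""
    buckets = {}
    for u in urls:
        buckets.setdefault(classify(u), []).append(u)
    return buckets


# Constructed sample sitemap, not captured from any real target.
SAMPLE_SITEMAP = [
    "https://app.example/static/logo.png",
    "https://app.example/search?q=test",
    "https://app.example/users/1042/orders",
    "https://app.example/api/v1/orders/3f2a9c1e-7b4d-4e2a-9c11-0a1b2c3d4e5f",
    "https://app.example/about",
    "https://app.example/account/show/57",
]

if __name__ == "__main__":
    for label, group in sorted(triage(SAMPLE_SITEMAP).items()):
        print(label, group)
```

Run against a real sitemap export, the "scan-path-param" bucket is the set a query-string-only filter would have silently excluded.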