Targeted vulnerability scanning for burp suite.
Making burp scan every vulnerability for even a single insertion point defined inside Intruder may sometimes take up to 2-3 days! In a time constraint environment (ahem... the Portswigger exam...), there is no need to scan all issues in the world. We should only launch specific vulnerability scan in places of suspicion so that the scan complete within minutes instead of hours or days.
Where are custom scanner audit files located?
$ ~/.BurpSuite/ConfigLibrary
- Add the JSON files to the default Burp directory where audit files are located.
- Each time you send a request to intruder tab and add an insertion point, right click to get context menu.
- Choose Scan defined insertion points > Open Scan Launcher > Scan configuration > Select from library > Custom
Out-of-band detection for various vulnerability class so far has been doing pretty well.
Following are the labs that has been tested on with pretty good detection:
- Blind OS command injection with out-of-band interaction
- Blind SQL injection with out-of-band interaction
Following are the labs that has performed poorly in detection (targetted scan or just plain scan-all active scan):
- Blind SQL injection with time delays
- Blind SSRF with out-of-band detection
- Server-side template injection in an unknown language with a documented exploit
- Server-side template injection using documentation
Test the effectiveness of the configuration on more burp labs.