The Target > Scope settings panel in Burp Suite lets you specify which hosts and URLs are part of your testing activities. Defining a scope offers several benefits:
- Filtering: Make the site map and proxy history easier to read by showing only items that fall within the defined scope.
- Proxy configuration: Configure Burp Proxy to log or intercept only requests that fall within the scope. This removes the noise of irrelevant requests and also helps prevent accidental testing of hosts or endpoints you are not authorized to test.
- Automatic redirection handling: Configure Burp Intruder and Burp Repeater to follow automatic redirections only when the target URL is within the scope.
- Live task configuration: Set up a live task so that Burp Scanner audits in-scope requests in real time as you browse the application.
Scope Control
- Normal: Standard scope control lets you quickly specify static URL prefixes to include in or exclude from the scope. A protocol can be specified for each prefix; if the protocol is omitted, the rule applies to both HTTP and HTTPS.
- Advanced: Advanced scope control uses URL-matching rules instead of fixed prefixes. A URL matches a rule only if it satisfies every one of the following criteria:
  - Protocol: The protocol the rule applies to: HTTP, HTTPS, or any protocol.
  - Host or IP range: A pattern or IP range to match the host. Notations such as 10.1.1.1/24 or 10.1.1-20.1-127 are accepted. Leave this field empty to match any host.
  - Port: A pattern matching one or more port numbers. Leave this field empty to match any port.
  - File: A pattern matched against the file or directory portion of the URL; the query string is ignored. Leave this field empty to match any file or directory.
To enable advanced scope control, select the ‘Use advanced scope control’ option. To create a new URL-matching rule, click ‘Add’ and enter the rule details manually.
Burp Suite can also create rules automatically from URLs you supply:
- Click ‘Paste URL’ to create a rule from the URL on the clipboard.
- Click ‘Load’ to import a list of URLs or hostnames from a text file.
- Right-click a request in any Burp tool and choose ‘Include in scope’ or ‘Exclude from scope’ to create the corresponding rule.
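The following is an added example, not code from the original page or from Burp Suite itself, that re-implements the four advanced-scope criteria described above (protocol, host or IP range, port, file) and the "include and exclude rule" evaluation, plus a helper that derives a rule from a request URL the way the ‘Include in scope’ action would. The class names, the unanchored regex matching, the case-insensitive host comparison and the exact rule produced by `rule_from_url` are assumptions for illustration, not Burp's documented internals. It goes slightly beyond the text by also treating an unanchored host pattern as the over-inclusion pitfall it is: `example.com` used as a regex matches `example.com.elsewhere.invalid`, which is why a scope rule should anchor the hostname.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlsplit

# Illustrative re-implementation of the four advanced-scope criteria.
# This is NOT Burp's own code; regex semantics (unanchored search,
# case-insensitive host) are assumptions made for the example.

_RANGE_OCTET = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")


def _host_matches(pattern: str, host: str) -> bool:
    """Empty pattern = any host; a CIDR block; a dotted range such as
    10.1.1-20.1-127 (each octet is N or N-M); otherwise a regular expression."""
    if not pattern:
        return True
    if "/" in pattern:  # CIDR, e.g. 10.1.1.1/24; the host must be a literal IP
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    parts = pattern.split(".")
    if len(parts) == 4 and all(_RANGE_OCTET.match(p) for p in parts):
        try:
            octets = [int(o) for o in host.split(".")]
        except ValueError:
            return False  # not a dotted-quad host, so a range cannot match
        if len(octets) != 4:
            return False
        for spec, value in zip(parts, octets):
            lo, hi = _RANGE_OCTET.match(spec).groups()
            if not int(lo) <= value <= int(hi if hi is not None else lo):
                return False
        return True
    # Anything else is treated as a regex; unanchored, so anchor it yourself.
    return re.search(pattern, host, re.IGNORECASE) is not None


@dataclass
class ScopeRule:
    protocol: str = "any"   # "http", "https" or "any"
    host: str = ""          # regex, CIDR or dotted range; "" = any host
    port: str = ""          # regex over the port number; "" = any port
    file: str = ""          # regex over the path; "" = any file/directory

    def matches(self, url: str) -> bool:
        """A URL matches only if every one of the four criteria is satisfied."""
        u = urlsplit(url)
        scheme = u.scheme.lower()
        if scheme not in ("http", "https"):
            return False
        if self.protocol != "any" and self.protocol != scheme:
            return False
        if not _host_matches(self.host, u.hostname or ""):
            return False
        port = u.port or (443 if scheme == "https" else 80)
        if self.port and re.search(self.port, str(port)) is None:
            return False
        # Only the path is tested; the query string is deliberately ignored.
        if self.file and re.search(self.file, u.path or "/") is None:
            return False
        return True


@dataclass
class Scope:
    include: List[ScopeRule] = field(default_factory=list)
    exclude: List[ScopeRule] = field(default_factory=list)

    def in_scope(self, url: str) -> bool:
        """In scope = matches at least one include rule and no exclude rule."""
        if not any(r.matches(url) for r in self.include):
            return False
        return not any(r.matches(url) for r in self.exclude)


def rule_from_url(url: str) -> ScopeRule:
    """Build a rule the way 'Include in scope' on a request might (assumed
    behaviour): exact protocol, host and port, and the request's directory
    as an anchored path prefix."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port or (443 if scheme == "https" else 80)
    directory = (u.path or "/").rsplit("/", 1)[0] + "/"
    return ScopeRule(
        protocol=scheme,
        host="^" + re.escape(u.hostname or "") + "$",
        port="^" + str(port) + "$",
        file="^" + re.escape(directory),
    )


if __name__ == "__main__":
    # Constructed sample scope: one rule derived from a request, one IP-range
    # rule, and an exclusion for the logout endpoint.
    scope = Scope(
        include=[rule_from_url("https://app.example.com/admin/users?id=1"),
                 ScopeRule(host="10.1.1-20.1-127", port="^(80|8080)$")],
        exclude=[ScopeRule(file="^/admin/logout")],
    )
    for candidate in ["https://app.example.com/admin/settings",
                      "https://app.example.com/admin/logout",
                      "http://10.1.15.100:8080/status",
                      "https://app.example.com.elsewhere.invalid/admin/"]:
        print(f"{'IN ' if scope.in_scope(candidate) else 'OUT'}  {candidate}")
```

Because every criterion is ANDed, leaving a field empty is the only way to say "any"; a host pattern without `^` and `$` is not "exact host", it is "host containing this text", which is the most common way a scope quietly grows beyond the authorized target.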