Burp Suite, the leading toolkit for web application security testing

Burp Scanner - Issue Types

The list below shows all of the types of issues that Burp Scanner can report. The "Type ID" column shows the numeric type identifier used in Burp Scanner's XML output.

Issue Name | Type ID
OS command injection | 1048832
SQL injection | 1049088
ASP.NET tracing enabled | 1049216
File path traversal | 1049344
XML external entity injection | 1049600
LDAP injection | 1049856
XPath injection | 1050112
XML injection | 1050368
ASP.NET debugging enabled | 1050624
HTTP PUT enabled | 1050880
Remote file inclusion | 1051136
File path manipulation | 1051392
PHP code injection | 1051648
Server-side JavaScript code injection | 1051904
Perl code injection | 1052160
Ruby code injection | 1052416
Unidentified code injection | 1052672
Cross-site scripting (stored) | 2097408
HTTP response header injection | 2097664
Cross-site scripting (reflected) | 2097920
Cross-site scripting (DOM-based) | 2097936
JavaScript injection (DOM-based) | 2097952
Client-side SQL injection (DOM-based) | 2097968
WebSocket hijacking (DOM-based) | 2097984
Local file path manipulation (DOM-based) | 2098000
Client-side XPath injection (DOM-based) | 2098016
Client-side JSON injection (DOM-based) | 2098032
Flash cross-domain policy | 2098176
Silverlight cross-domain policy | 2098432
HTML5 cross-origin resource sharing | 2098688
Cross-site request forgery | 2098944
Cleartext submission of password | 3145984
Referer-dependent response | 4194560
X-Forwarded-For dependent response | 4194576
User agent-dependent response | 4194592
Password returned in later response | 4194816
Password field submitted using GET method | 4195072
Password returned in URL query string | 4195328
SQL statement in request parameter | 4195456
Cross-domain POST | 4195584
ASP.NET ViewState without MAC enabled | 4195840
XML entity expansion | 4196096
Long redirection response | 4196352
Serialized object in HTTP message | 4196608
Open redirection | 5243136
Open redirection (DOM-based) | 5243152
SSL cookie without secure flag set | 5243392
Cookie scoped to parent domain | 5243648
Cross-domain Referer leakage | 5243904
Cross-domain script include | 5244160
Cookie without HttpOnly flag set | 5244416
Session token in URL | 5244672
Password field with autocomplete enabled | 5244928
Password value set in cookie | 5245184
File upload functionality | 5245312
Frameable response (potential Clickjacking) | 5245344
Browser cross-site scripting filter disabled | 5245360
TRACE method is enabled | 5245440
Cookie manipulation (DOM-based) | 5245696
Ajax request header manipulation (DOM-based) | 5245952
Denial of service (DOM-based) | 5246208
HTML5 web message manipulation (DOM-based) | 5246464
HTML5 storage manipulation (DOM-based) | 5246720
Link manipulation (DOM-based) | 5246976
Document domain manipulation (DOM-based) | 5247232
DOM data manipulation (DOM-based) | 5247488
Database connection string disclosed | 6291584
Source code disclosure | 6291632
Directory listing | 6291712
Email addresses disclosed | 6291968
Private IP addresses disclosed | 6292224
Social security numbers disclosed | 6292480
Credit card numbers disclosed | 6292736
Robots.txt file | 6292992
Cacheable HTTPS response | 7340288
Base64-encoded data in parameter | 7340544
Multiple content types specified | 8388864
HTML does not specify charset | 8389120
HTML uses unrecognized charset | 8389376
Content type incorrectly stated | 8389632
Content type is not specified | 8389888
SSL certificate | 16777472
Extension generated | 134217728



Copyright © 2015 PortSwigger Ltd. All rights reserved.