
Burp Suite, the leading toolkit for web application security testing

Target Scope

The target scope configuration lets you tell Burp, at a suite-wide level, exactly what hosts and URLs constitute the target for your current work. You can think of the target scope as, roughly, the items that you are currently interested in and willing to attack.

This configuration affects the behavior of tools throughout the suite. For example:

By telling Burp what your current target is, you can ensure that Burp carries out numerous such actions in an appropriate way, only targeting items that you are interested in and willing to attack. In all cases, you can additionally fine-tune the target scope and the associated behavior at the level of individual tools, giving you fine-grained control over everything that Burp does, if you need it. However, the suite-wide scope definition provides a quick and easy way to tell Burp what is fair game and what is off limits, and is almost always worth configuring before you begin your work in earnest.

The scope definition uses two lists of URL-matching rules - an "include" list and an "exclude" list. When Burp evaluates a URL to decide if it is within the target scope, it will be deemed to be in scope if the URL matches at least one "include" rule and does not match any "exclude" rules. This enables you to define specific hosts and directories as being generally within scope, and yet exclude from that scope specific subdirectories or files (such as logout or administrative functions).
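The include/exclude decision described above can be modelled in a few lines. This is an added example, not Burp's own code: the `Rule` class (exact host, optional protocol and port, path prefix) is an assumed, simplified rule shape, and the hosts and URLs are constructed.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

@dataclass(frozen=True)
class Rule:
    """Assumed, simplified URL-matching rule; not Burp's rule format."""
    host: str
    path_prefix: str = "/"
    protocol: Optional[str] = None   # None matches any protocol
    port: Optional[int] = None       # None matches any port

    def matches(self, url: str) -> bool:
        parts = urlsplit(url)
        if self.protocol and parts.scheme != self.protocol:
            return False
        # Compare the whole host, case-insensitively. A substring test would
        # accept look-alike hosts such as shop.example.test.other.test.
        if (parts.hostname or "") != self.host.lower():
            return False
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
        if self.port is not None and port != self.port:
            return False
        # Match on a path-segment boundary: /admin covers /admin/users
        # but not /administrator-guide.
        prefix = self.path_prefix.rstrip("/")
        path = parts.path or "/"
        return path == prefix or path.startswith(prefix + "/")

def in_scope(url, include, exclude):
    """In scope: at least one include rule matches and no exclude rule does."""
    return (any(r.matches(url) for r in include)
            and not any(r.matches(url) for r in exclude))

# Constructed rules: the HTTPS site is in scope, logout and admin are carved out.
INCLUDE = [Rule("shop.example.test", protocol="https")]
EXCLUDE = [Rule("shop.example.test", "/logout"),
           Rule("shop.example.test", "/admin")]
SAMPLE_URLS = [  # constructed sample input
    "https://shop.example.test/cart",
    "https://shop.example.test/logout",
    "https://shop.example.test/admin/users",
    "https://shop.example.test.other.test/cart",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print("in " if in_scope(u, INCLUDE, EXCLUDE) else "out", u)
```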

You can add or edit rules on the "include" and "exclude" lists using the URL-matching rule editor. However, in most cases, by far the easiest way to define your target scope is via the site map. As you map out the target application via Burp Proxy, the application's content will appear in the site map. You can then select one or more hosts and folders, and use the context menu to include or exclude these from the scope. This process is extremely easy and in most situations will let you quickly define all of the rules necessary for your testing.


Wednesday, April 22, 2015

v1.6.17

This release contains a number of minor enhancements and bugfixes, including:

  • The Proxy now uses SHA256 to generate its CA and per-host certificates.
  • There is a new button at Proxy / Options / Proxy Listeners to force Burp to regenerate its CA certificate.
  • A bug in the "Paste from file" function which caused Burp to sometimes retain a lock on the selected file has been fixed.
  • A bug in the Intruder "extract grep" function, which sometimes caused extracted HTML content to be rendered as HTML in the results table, has been fixed.


Copyright © 2015 PortSwigger Ltd. All rights reserved.