Professional

Pentagrid Scan Controller

Requirements: This extension uses Hackvertor tags. Make sure Hackvertor is installed and active.

Improve Automated and Semi-Automated Active Scanning

Active Scanning might often do things that don't make much sense, such as scanning GET requests to static .js files or scanning non-repeatable requests. This extension allows you to filter and preprocess according to your needs. It tries to check if a request is repeatable or not. If a request is not repeatable, it tries to make it repeatable by injecting Hackvertor tags. This extension doesn't try to be perfect, but useful. It cuts corners and in some cases simply doesn't scan certain requests. However, the extension individually displays and explains all decisions, allowing you to change the settings if you don't like the behavior.

How to use this extension

Usage is very simple:

  • Add the website you test to the scope
  • Enable "Proxy requests" in the tab/section "Scan > Options > Requests to process"
  • Browse the web application (proxy) by using the Burp built-in browser.
  • Check back on the $tabName tab and see which requests have been actively scanned. Check those that have a high "Interesting" rating but haven't been scanned ("Scanned" column set to false)
  • See the Dashboard for Active Scan findings
  • It's always good to sort by the reason column in the UI and check the different reasons.

Author

Tobias 'floyd' Ospelt, @floyd_ch

Version

0.1

Last updated

08 July 2022

Estimated system impact

Overall impact: Empty

Memory: Empty
CPU: Empty
General: Empty
Scanner: Empty

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

You can view the source code for all BApp Store extensions on our GitHub page.

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.
