Passive-aggressive scan checks

Here at PortSwigger, our goal is to enable the world to secure the web. Our scanner sits at the core of this value - quickly surfacing issues and vulnerabilities that may be present in a web application.

However, lately we’ve become concerned that some discovered issues aren’t being taken seriously enough, particularly those found whilst passively browsing. Although these passive vulnerabilities aren’t as juicy as your RCEs or your SSRFs, we can’t sleep soundly at night until we know they’re all fixed.

To this end, we put our heads together on the scanner team and came up with a few ideas:

• What if we increase the font size for the advisories of passive issues? Too small …
• How about we randomly delete a system file every time a passive issue is found? Too big …
• Could we make Burp Suite actually burp in the presence of passive issues? It’s been done before …

When we spoke to our marketing folks, they made it very clear that we’re not allowed to be straight up hostile with our users. In fact, they couldn’t stress this enough.. back to the drawing board again. Then it hit us: what if there’s a way to really push users towards fixing these vulnerabilities without them (or marketing) realizing that’s what we are doing.

With all of this in mind; I’m pleased to announce that, as of today, all passive checks detected by Burp Scanner will be replaced with passive-aggressive checks! Here’s a sneak preview:

We really hope our users enjoy this new update and that it encourages remediation of these important issues. It should hit Burp Suite's Stable release channel by midday today: April 1st.

Burp Suite

Tom Shelton-Lefley

@TomLefley