PROFESSIONAL COMMUNITY
URL-matching rules
- Last updated: September 14, 2023
- Read time: 2 Minutes
Burp Suite uses URL-matching rules to define the Target scope. These rules also define the scope for other features:
- Individual functions, such as live tasks.
- Identification of URLs that return streaming responses.
- Session handling rules.
You can configure URL-based scoping in normal or advanced mode. Normal mode performs better in most situations. Advanced mode provides more power and flexibility where needed. The scope control rules are not case-sensitive.
Normal scope control
Normal scope control enables you to quickly specify URL prefixes for items that are in or out of scope. You can include a specific protocol in each prefix. If you omit the protocol, the rules match both HTTP and HTTPS.
Examples of valid URL prefixes are:
- http://example.com/path
- https://example.com/admin
- example.com
- example.com/myapp/
- http://example.com:8080/login
Note
Wildcard expressions are not supported in simple URL prefixes.
Advanced scope control
Advanced scope control uses URL-matching rules rather than simple prefixes. For a URL to match the rule, it must match all the specified features:
- Protocol - Select the protocol that the rule must match: HTTP, HTTPS, or any.
- Host or IP range - Enter a regular expression to match the hostname, or an IP range. You can use various standard formats, for example 10.1.1.1/24 or 10.1.1-20.1-127. Leave the host field blank to match URLs that contain any host.
- Port - Enter a regular expression to match one or more port numbers. Leave the field blank to match URLs that contain any port.
- File - Specify the file portion of the URL for the rule to match. Query strings are ignored. You can enter a regular expression to match the required range of URL files. Leave the file field blank to match URLs that contain any file.
The easiest way to create an advanced URL-matching rule is to copy the relevant URL:
- Copy the URL from a browser or a file.
- Go to Target > Scope.
- Click Paste URL in Include in scope or Exclude from scope.
This creates a rule that matches the URL and any other addresses that have the URL as a prefix: Burp places a wildcard at the end of the file expression. To fine-tune the URL-matching, click Edit.
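The following is an added example, not Burp Suite's own code: a Python model of the four rule features and of the rule that Paste URL creates, for checking a list of URLs against a planned rule before relying on it. It assumes unanchored regex search (so expressions carry their own ^ and $ anchors), that Paste URL matches host and port exactly, and that a host field containing "/" is a CIDR range; the names ScopeRule and rule_from_url are hypothetical.

```python
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

@dataclass
class ScopeRule:
    """Model of one advanced rule; a blank field matches anything."""
    protocol: str = "any"  # "http", "https" or "any"
    host: str = ""         # regex, or a CIDR range such as 10.1.1.1/24
    port: str = ""         # regex over the port number
    file: str = ""         # regex over the path; the query string is ignored

    def _host_matches(self, hostname):
        if "/" in self.host:  # assumption: "/" marks a CIDR range, not a regex
            try:
                net = ipaddress.ip_network(self.host, strict=False)
                return ipaddress.ip_address(hostname) in net
            except ValueError:
                return False  # a hostname is never inside an IP range
        return re.search(self.host, hostname, re.IGNORECASE) is not None

    def matches(self, url):
        parts = urlsplit(url)  # lowercases the scheme and hostname
        port = str(parts.port or DEFAULT_PORTS.get(parts.scheme, ""))
        path = parts.path or "/"  # urlsplit has already split off the query
        return all((              # every specified feature must match
            self.protocol.lower() in ("any", parts.scheme),
            not self.host or self._host_matches(parts.hostname or ""),
            not self.port or re.search(self.port, port) is not None,
            not self.file or re.search(self.file, path, re.IGNORECASE) is not None,
        ))

def rule_from_url(url):
    """Approximates Paste URL: exact host and port, file used as a prefix."""
    parts = urlsplit(url)
    return ScopeRule(
        protocol=parts.scheme,
        host="^" + re.escape(parts.hostname) + "$",
        port="^%d$" % (parts.port or DEFAULT_PORTS[parts.scheme]),
        file="^" + re.escape(parts.path or "/") + ".*",  # trailing wildcard
    )

# Constructed sample: one pasted URL checked against candidate URLs.
RULE = rule_from_url("https://example.com/admin")
SAMPLE = ["https://example.com/admin/users?id=1", "http://example.com/admin",
          "https://example.com:8443/admin", "https://example.com/?next=/admin"]
IN_SCOPE = [u for u in SAMPLE if RULE.matches(u)]
```

Because the file expression is a prefix, this model also treats https://example.com/administrator as in scope, which is the kind of over-match that Edit is there to tighten.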
To load a list of items from a text file, click Load. Make sure that each item in the list is either a URL or a hostname. Burp creates a rule for each item.
Note
Regex isn't currently supported for loading port or file information from a text file.