URL-matching rules are used in various locations within Burp, to define
URL-based scoping for various functions, such as general
Target scope, the scope of individual
functions like live scanning,
URLs returning streaming responses,
and the scope of session
Each URL-matching rule can specify various features of the URLs that will
be matched. For a URL to match the rule, it must match all of the features
that are specified by the rule. The following items can be configured:
- Protocol - This specifies the protocol(s) that the
rule will match. Available options are: HTTP, HTTPS, or any.
- Host or IP range - This specifies the host(s) that
the rule will match. You can enter a regular expression to match the hostname,
or an IP range in various standard formats, for example 10.1.1.1/24 or 10.1.1-20.1-127.
If the host field is left blank, then the rule can match URLs containing any
- Port - This specifies the port(s) that the rule
will match. You can enter a regular expression to match one or more port numbers. If the
port field is left blank, then the rule can match URLs containing any port.
- File - This specifies the file portion of the URL
that the rule will match (ignoring any query string). You can enter a regular expression to match
the required range of URL files. If the file field is left blank, then the rule can match
Often, the easiest way to create a URL-matching rule is to copy the
relevant URL to the clipboard from elsewhere (either your browser or from a
request within Burp), and click the "Paste URL" button on the URL-matching
rule dialog. This will create a rule that matches this URL, and also any
others that have this URL as a prefix (Burp places a wildcard at the end of
the file expression). You can then manually edit the rule if required, to
fine-tune the URLs that are matched.
You can also use the "Load ..." button to load a list of items from a
text file. Each item in the list should be either a URL or a hostname, and
Burp will create an appropriate rule for each item.
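The matching logic described above can be modelled in a short script, which shows how a loosely written host or port expression pulls unintended URLs into scope. This is an added example, not Burp's own code: the dict-based rule format, the function names, the unanchored regular-expression search, and the anchored host and port that `rule_from_url` produces are all assumptions of the model.

```python
import ipaddress
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
OCTET_RANGE = r"\d+(-\d+)?"

def host_matches(spec, host):
    """spec: CIDR range, dashed octet range, or a regular expression."""
    if not spec:
        return True  # blank host field: any host
    try:
        ip = ipaddress.IPv4Address(host)
    except ValueError:
        ip = None  # host is a name, not an IPv4 literal
    if re.fullmatch(r"\d+(\.\d+){3}/\d+", spec):  # e.g. 10.1.1.1/24
        return ip is not None and ip in ipaddress.ip_network(spec, strict=False)
    if re.fullmatch(OCTET_RANGE + r"(\." + OCTET_RANGE + r"){3}", spec):  # 10.1.1-20.1-127
        if ip is None:
            return False
        for octet, part in zip(str(ip).split("."), spec.split(".")):
            lo, _, hi = part.partition("-")
            if not int(lo) <= int(octet) <= int(hi or lo):
                return False
        return True
    # Assumption of this model: regexes are searched, not implicitly anchored.
    return re.search(spec, host, re.IGNORECASE) is not None

def rule_matches(rule, url):
    """A URL matches only if every feature the rule specifies matches."""
    u = urlsplit(url)
    port = u.port or DEFAULT_PORTS.get(u.scheme)
    if rule.get("protocol", "any") not in ("any", u.scheme):
        return False
    if not host_matches(rule.get("host", ""), u.hostname or ""):
        return False
    if rule.get("port") and not re.search(rule["port"], str(port)):
        return False
    if rule.get("file") and not re.search(rule["file"], u.path or "/"):
        return False  # u.path excludes the query string
    return True

def rule_from_url(url):
    """Prefix rule like "Paste URL": exact host and port, wildcard after the file."""
    u = urlsplit(url)
    port = u.port or DEFAULT_PORTS[u.scheme]
    return {"protocol": u.scheme, "host": "^" + re.escape(u.hostname) + "$",
            "port": "^%d$" % port, "file": "^" + re.escape(u.path or "/") + ".*"}
```

Under this model, a host expression such as `example.com` also matches `example.com.other.test`, and a port expression of `443` also matches `8443`, so anchoring with `^...$` and escaping dots keeps a rule limited to the intended target.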