Burp Suite, the leading toolkit for web application security testing

Target Scope

The target scope configuration lets you tell Burp, at a suite-wide level, exactly what hosts and URLs constitute the target for your current work. You can think of the target scope as, roughly, the items that you are currently interested in and willing to attack.

This configuration affects the behavior of tools throughout the suite. For example:

By telling Burp what your current target is, you can ensure that Burp carries out numerous such actions in an appropriate way, only targeting items that you are interested in and willing to attack. In all cases, you can additionally fine tune the target scope and the associated behavior at the level of individual tools, giving you fine-grained control over everything that Burp does, if you need it. However, the suite-wide scope definition provides a quick and easy way to tell Burp what is fair game and what is off limits, and is almost always worth configuring before you begin your work in earnest.

The scope definition uses two lists of URL-matching rules - an "include" list and an "exclude" list. When Burp evaluates a URL to decide if it is within the target scope, it will be deemed to be in scope if the URL matches at least one "include" rule and does not match any "exclude" rules. This enables you to define specific hosts and directories as being generally within scope, and yet exclude from that scope specific subdirectories or files (such as logout or administrative functions).

You can add or edit rules on the "include" and "exclude" lists using the URL-matching rule editor. However, in most cases, by far the easiest way to define your target scope is via the site map. As you map out the target application via Burp Proxy, the application's content will appear in the site map. You can then select one or more hosts and folders, and use the context menu to include or exclude these from the scope. This process is extremely easy and in most situations will let you quickly define all of the rules necessary for your testing.

Support Center

Get help and join the community discussions at the Burp Suite Support Center.

Visit the Support Center ›

Monday, January 16, 2017


This release adds various enhancements and fixes:

  • There is a new command-line option to launch Burp with a specified user configuration file.
  • A bug that was recently introduced that prevented license activation in headless mode has been fixed.
  • The Content Discovery function now correctly handles applications that have wildcard behavior for file extensions (e.g. those that return a specific response for admin.xxx regardless of the file extension). This eliminates the only known false positives reported by the new Content Discovery engine.

See all release notes ›

Copyright © 2016 PortSwigger Ltd. All rights reserved.