
This post will start with the basics of defining scope and how ethical hackers and testers use it in their testing workflow. If you’re already familiar with Burp Suite and the general idea of scope in software testing, skip down and start reading the section that covers Scope Management.

In penetration testing and bug bounty, scope defines the boundaries of an engagement: what is and isn’t to be included in testing. The purpose of defining an engagement’s scope is to focus testers’ energy on the assets, attack vectors, and vulnerability types that most concern the organization. The organization running the engagement defines the scope, usually with assistance from their vendor or bug bounty provider, to make sure it is accurate.

For example, the purpose of an engagement may be to test a specific, newly-launched application. In that case, the scope would only include that application, with all other assets and infrastructure falling out of scope. Alternatively, an engagement could have a far broader scope that includes a range of critical assets.

A scope can include more than just which assets are to be tested. Bug bounty scopes, in particular, frequently list which testing techniques are (and aren’t) allowed and which vulnerability categories the organization is (and isn’t) willing to pay out for.

Burp Suite, often referred to simply as Burp, is a suite of tools used to test the security of web applications. The suite integrates basic tools, including:

Together these tools support the entire testing process, from initial mapping and analysis of an application's attack surface to finding and exploiting security vulnerabilities. Typical Burp Suite users include penetration testers, internal security teams, and bug bounty hunters.

With the scope of an engagement defined, testers will configure a target scope within Burp Suite for each testing project to specify what will and will not be tested. Target scope in Burp Suite is based exclusively on URLs. This allows the tester to list which hosts and URLs will be targeted (i.e., attacked) and which will be excluded. A URL will only be in scope for a project if it matches something in the include list and doesn’t match anything in the exclude list. For example, a project may include the URL:
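The include-then-exclude rule from the Burp target scope paragraph, as an added Python model (illustration code, not code from this post or from Burp Suite): a URL is in scope only if it matches at least one include entry and no exclude entry, so excludes always win. The rule fields, the regex matching, and the sample scope are assumptions, not Burp's actual implementation.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass
class ScopeRule:
    """One include or exclude entry. Field layout is an assumption modelled
    loosely on Burp's advanced scope (protocol/host/port/file), not its code."""
    host: str                        # regex, must fully match the hostname
    path: str = r".*"                # regex, must fully match the URL path
    protocol: Optional[str] = None   # "http" / "https", or None for either
    port: Optional[int] = None       # None for any port

    def matches(self, url: str) -> bool:
        parts = urlsplit(url)
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
        if self.protocol and parts.scheme != self.protocol:
            return False
        if self.port is not None and port != self.port:
            return False
        if not re.fullmatch(self.host, parts.hostname or ""):
            return False
        return re.fullmatch(self.path, parts.path or "/") is not None


@dataclass
class TargetScope:
    include: List[ScopeRule] = field(default_factory=list)
    exclude: List[ScopeRule] = field(default_factory=list)

    def in_scope(self, url: str) -> bool:
        # The rule from the post: in scope only if some include rule matches
        # AND no exclude rule matches. Excludes therefore always win.
        included = any(r.matches(url) for r in self.include)
        excluded = any(r.matches(url) for r in self.exclude)
        return included and not excluded


# Constructed sample scope (hypothetical engagement, not a real target).
SCOPE = TargetScope(
    include=[ScopeRule(host=r"(.*\.)?example\.com", protocol="https")],
    exclude=[
        ScopeRule(host=r"(.*\.)?example\.com", path=r"/logout.*"),
        ScopeRule(host=r"admin\.example\.com"),
    ],
)
```

Running `SCOPE.in_scope(url)` over candidate URLs shows the practical consequence: a host that is included by the wildcard but named in an exclude entry, or a plain-HTTP URL when only HTTPS is included, stays out of scope.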
