
Question regarding Active Scan #6

Closed
AkikoOrenji opened this issue Nov 17, 2022 · 1 comment

@AkikoOrenji

What requests need to be Active Scanned for the checks to work? Client, Authorization Server, Protected Resource, or all? If the Authorization Server is out of scope and cannot be scanned, will the plugin's active scan checks still be able to test the Client or Protected Resource parts only?
Also, what scan strategy should be used? Create a new Live Audit Task in Burp and walk through the authentication flow as an end user? If so, can this be created as an extension-only scan with oAuthScan as the only extension enabled?

Thanks

@akabe1 (Owner) commented Nov 22, 2022

You can scan all the requests involved during the specific OAuth/OpenID authentication/authorization procedure. If the Authorization Server is out of scope, don't use the active scan. Like other Burp plugins, the fastest (and least intrusive) active scan option is to choose the extension-only scan with only OAUTHscan enabled.
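The selection rule in the answer above (every request of the flow is a candidate, but active scanning is skipped when the Authorization Server is out of scope), as an added Python illustration; it is not part of OAUTHscan and does not use Burp's API, and the proxy-history entries, hostnames, code and token values are constructed.

```python
from urllib.parse import urlparse, parse_qs

# Constructed proxy-history entries (method, url, headers, body) for one
# authorization-code flow: client app, authorization server (AS), protected resource.
HISTORY = [
    ("GET", "https://app.example.com/login", {}, ""),
    ("GET", "https://as.example.com/authorize?response_type=code&client_id=app"
            "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb&scope=openid&state=xyz", {}, ""),
    ("GET", "https://app.example.com/cb?code=CONSTRUCTED_CODE&state=xyz", {}, ""),
    ("POST", "https://as.example.com/token",
     {"Content-Type": "application/x-www-form-urlencoded"},
     "grant_type=authorization_code&code=CONSTRUCTED_CODE"
     "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb"),
    ("GET", "https://api.example.com/v1/me", {"Authorization": "Bearer CONSTRUCTED_TOKEN"}, ""),
    ("GET", "https://cdn.example.com/static/app.js", {}, ""),
]

def role_of(method, url, headers, body):
    """Heuristic role of one request in the OAuth/OpenID flow, or None if unrelated."""
    query = parse_qs(urlparse(url).query)
    form = parse_qs(body)
    if "response_type" in query and "client_id" in query:
        return "authorization_server"          # authorization endpoint
    if method == "POST" and "grant_type" in form:
        return "authorization_server"          # token endpoint
    if "code" in query and "state" in query:
        return "client"                        # redirect_uri callback
    if headers.get("Authorization", "").startswith("Bearer "):
        return "protected_resource"            # resource-server call
    return None

def plan_scan(history, in_scope_hosts):
    """Collect the flow requests and choose the scan mode following the maintainer's advice:
    extension-only active scan when the AS is in scope, otherwise no active scan at all."""
    flow = []
    for method, url, headers, body in history:
        role = role_of(method, url, headers, body)
        if role:
            flow.append((role, urlparse(url).hostname, url))
    as_out_of_scope = any(role == "authorization_server" and host not in in_scope_hosts
                          for role, host, _ in flow)
    mode = "passive_only" if as_out_of_scope else "extension_only_active"
    return {"mode": mode, "targets": [(role, url) for role, _, url in flow]}

if __name__ == "__main__":
    print(plan_scan(HISTORY, {"app.example.com", "as.example.com", "api.example.com"}))
    print(plan_scan(HISTORY, {"app.example.com", "api.example.com"}))
```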

@akabe1 akabe1 closed this as completed Nov 22, 2022