What requests need to be actively scanned for the checks to work? Client, Authorization Server, Protected Resource, or all? If the Authorization Server is out of scope and cannot be scanned, will the plugin's active scan checks still be able to test the Client or Protected Resource parts only?
Also, what scan strategy should be used? Create a new Live Audit Task in Burp and walk through the authentication flow as an end user? If so, can this be created as an extension-only scan with oAuthScan as the only enabled extension?
Thanks
You can scan all the requests involved during the specific OAuth/OpenID authentication/authorization procedure. If the Authorization Server is out of scope, don't use the active scan. Like other Burp plugins, the fastest (and least intrusive) active scan option is to choose the extension-only scan with only OAUTHscan enabled.