The list below shows all of the types of issues that Burp Scanner can report. The "Type ID" column shows the numeric type identifier used in Burp Scanner's XML output.
| Issue Name | Type ID |
| --- | --- |
| OS command injection | 1048832 |
| SQL injection | 1049088 |
| ASP.NET tracing enabled | 1049216 |
| File path traversal | 1049344 |
| XML external entity injection | 1049600 |
| LDAP injection | 1049856 |
| XPath injection | 1050112 |
| XML injection | 1050368 |
| ASP.NET debugging enabled | 1050624 |
| HTTP PUT enabled | 1050880 |
| Remote file inclusion | 1051136 |
| Cross-site scripting (stored) | 2097408 |
| HTTP header injection | 2097664 |
| Cross-site scripting (reflected) | 2097920 |
| Flash cross-domain policy | 2098176 |
| Silverlight cross-domain policy | 2098432 |
| HTML5 cross-origin resource sharing | 2098688 |
| Cleartext submission of password | 3145984 |
| Referer-dependent response | 4194560 |
| X-Forwarded-For dependent response | 4194576 |
| User agent-dependent response | 4194592 |
| Password returned in later response | 4194816 |
| Password field submitted using GET method | 4195072 |
| Password returned in URL query string | 4195328 |
| SQL statement in request parameter | 4195456 |
| Cross-domain POST | 4195584 |
| ASP.NET ViewState without MAC enabled | 4195840 |
| XML entity expansion | 4196096 |
| Long redirection response | 4196352 |
| Open redirection | 5243136 |
| SSL cookie without secure flag set | 5243392 |
| Cookie scoped to parent domain | 5243648 |
| Cross-domain Referer leakage | 5243904 |
| Cross-domain script include | 5244160 |
| Cookie without HttpOnly flag set | 5244416 |
| Session token in URL | 5244672 |
| Password field with autocomplete enabled | 5244928 |
| Password value set in cookie | 5245184 |
| File upload functionality | 5245312 |
| Frameable response (potential Clickjacking) | 5245344 |
| Browser cross-site scripting filter disabled | 5245360 |
| TRACE method is enabled | 5245440 |
| Database connection string disclosed | 6291584 |
| Source code disclosure | 6291632 |
| Directory listing | 6291712 |
| Email addresses disclosed | 6291968 |
| Private IP addresses disclosed | 6292224 |
| Social security numbers disclosed | 6292480 |
| Credit card numbers disclosed | 6292736 |
| Robots.txt file | 6292992 |
| Cacheable HTTPS response | 7340288 |
| Base64-encoded data in parameter | 7340544 |
| Multiple content types specified | 8388864 |
| HTML does not specify charset | 8389120 |
| HTML uses unrecognized charset | 8389376 |
| Content type incorrectly stated | 8389632 |
| Content type is not specified | 8389888 |
| SSL certificate | 16777472 |
| Extension-generated issue | 134217728 |
This release adds WebSocket support to the Proxy tool. You can now view, intercept and modify WebSocket messages in the same way as regular HTTP messages.
The Scanner's support for nested insertion points has been extended to cover nested data in URL-encoded query string format, and reported Scanner issues now precisely highlight the relevant syntax.