URL-matching rules

  • Last updated: July 6, 2023

Burp Suite uses URL-matching rules to define the Target scope. These rules also define the scope for other features:

You can configure URL-based scoping in normal or advanced mode. Normal mode performs better in most situations. Advanced mode provides more power and flexibility where needed. The scope control rules are not case-sensitive.

Normal scope control

Normal scope control enables you to quickly specify URL prefixes for items that are in or out of scope. You can include a specific protocol in each prefix. If you omit the protocol, the rules match both HTTP and HTTPS.

Examples of valid URL prefixes are:

  • http://example.com/path
  • https://example.com/admin
  • example.com
  • example.com/myapp/
  • http://example.com:8080/login

Note

Wildcard expressions are not supported in simple URL prefixes.

Advanced scope control

Advanced scope control uses URL-matching rules rather than simple prefixes. For a URL to match the rule, it must match all the specified features:

  • Protocol - Select the protocol that the rule must match: HTTP, HTTPS, or any.
  • Host or IP range - Enter a regular expression to match the hostname, or an IP range. You can use various standard formats, for example 10.1.1.1/24 or 10.1.1-20.1-127. Leave the host field blank to match URLs that contain any host.
  • Port - Enter a regular expression to match one or more port numbers. Leave the field blank to match URLs that contain any port.
  • File - Specify the file portion of the URL for the rule to match. Query strings are ignored. You can enter a regular expression to match the required range of URL files. Leave the file field blank to match URLs that contain any file.

The easiest way to create an advanced URL-matching rule is to copy the relevant URL:

  1. Copy the URL from a browser or a file.
  2. Go to Target > Scope.
  3. Click Paste URL in Include in scope or Exclude from scope.

This creates a rule that matches the URL and any other addresses that have the URL as a prefix: Burp places a wildcard at the end of the file expression. To fine-tune the URL-matching, click Edit.
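The following Python sketch is an added example, not PortSwigger code: it models the four rule fields described above so you can check which URLs a host or file expression would bring into scope before relying on it. It assumes unanchored regular-expression search using Python's re module (Burp's own regex engine and matching semantics may differ), does not model IP ranges, and uses constructed URLs; ScopeRule and in_scope are hypothetical names.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": "80", "https": "443"}

@dataclass
class ScopeRule:
    """Hypothetical model of one advanced rule; a blank field matches anything."""
    protocol: str = "any"  # "http", "https" or "any"
    host: str = ""         # regular expression (IP ranges are not modelled)
    port: str = ""         # regular expression
    file: str = ""         # regular expression, tested against the path only

    def matches(self, url: str) -> bool:
        parts = urlsplit(url)
        if self.protocol != "any" and parts.scheme != self.protocol:
            return False
        port = str(parts.port) if parts.port else DEFAULT_PORTS.get(parts.scheme, "")
        fields = (
            (self.host, parts.hostname or ""),
            (self.port, port),
            (self.file, parts.path or "/"),  # query string is dropped here
        )
        # Assumption: unanchored search; rules are not case-sensitive.
        return all(not pattern or re.search(pattern, value, re.IGNORECASE)
                   for pattern, value in fields)

def in_scope(rule: ScopeRule, urls: list[str]) -> list[str]:
    """Return the URLs that the rule would treat as matching."""
    return [u for u in urls if rule.matches(u)]

# Constructed sample data: "loose" is a hand-typed rule, "strict" escapes and anchors it.
loose = ScopeRule(host=r"example.com", file=r"^/admin.*")
strict = ScopeRule(protocol="https", host=r"^example\.com$",
                   port=r"^443$", file=r"^/admin.*")
URLS = [
    "https://example.com/admin/users?id=1",
    "HTTPS://EXAMPLE.COM/Admin",
    "https://example.com.other.test/admin",   # different registrable domain
    "https://examplexcom.test/admin",         # unescaped "." matches any character
    "http://example.com:8080/admin",          # plain HTTP on another port
    "https://example.com/login?next=/admin",  # "/admin" only in the query string
]

if __name__ == "__main__":
    for name, rule in (("loose", loose), ("strict", strict)):
        print(name, in_scope(rule, URLS))
```

Under these assumptions the loose rule accepts the first five URLs, including two hosts that are not example.com, while the strict rule accepts only the first two.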

To load a list of items from a text file, click Load. Make sure that each item in the list is either a URL or a hostname. Burp creates a rule for each item.

Note

Regex isn't currently supported for loading port or file information from a text file.
