URL-matching rules

Burp Suite uses URL-matching rules to define the Target scope. These rules also define the scope for other features:

• Individual functions, such as live tasks.
• Identification of URLs that return streaming responses.
• Session handling rules.

You can configure URL-based scoping in normal or advanced mode. Normal mode performs better in most situations. Advanced mode provides more power and flexibility where needed. The scope control rules are not case-sensitive.

Normal scope control

Normal scope control enables you to quickly specify URL prefixes for items that are in or out of scope. You can include a specific protocol in each prefix. If you omit the protocol, the rules match both HTTP and HTTPS.

Examples of valid URL prefixes are:

• http://example.com/path.
• https://example.com/admin.
• example.com.
• example.com/myapp/.
• http://example.com:8080/login.

Advanced scope control

Advanced scope control uses URL-matching rules rather than simple prefixes. For a URL to match the rule, it must match all the specified features:

• Protocol - Select the protocol that the rule must match: HTTP, HTTPS, or any.
• Host or IP range - Enter a regular expression to match the hostname, or an IP range. You can use various standard formats, for example 10.1.1.1/24 or 10.1.1-20.1-127. Leave the host field blank to match URLs that contain any host.
• Port - Enter a regular expression to match one or more port numbers. Leave the field blank to match URLs that contain any port.
• File - Specify the file portion of the URL for the rule to match. Query strings are ignored. You can enter a regular expression to match the required range of URL files. Leave the file field blank to match URLs that contain any file.

The easiest way to create an advanced URL-matching rule is to copy the relevant URL:

1. Copy the URL from a browser or a file.
2. Go to Target > Scope.
3. Click Paste URL in Include in scope or Exclude from scope.

This creates a rule that matches the URL and any other addresses that have the URL as a prefix: Burp places a wildcard at the end of the file expression. To fine-tune the URL-matching, click Edit.

To load a list of items from a text file, click Load. Make sure that each item in the list is either a URL or a hostname. Burp creates a rule for each item.