Just as we can add items to scope in Burp, we can also explicitly set items out of scope. As with in-scope items, there are two ways to do this. The first is from the Proxy | History tab, using the right-click context menu.
The second is from the Target scope tab in the Exclude from scope section. For example, if you want to exclude all sub-directories and files under /javascript, then the following options can be applied:
Protocol: HTTP
Host or IP range: mutillidae-testing.cxm
Port: ^80$
File: ^/javascript/.*
This will exclude all URLs under the /javascript/ directory on port 80 with the HTTP protocol.
You can also load a file containing a list of URLs that need to be excluded from scope via the Load button on the Target | Scope page. This list must be URLs/targets separated by newlines.
Both the Include in scope option and the Exclude from scope option are case-insensitive. /javascript/, /JavaScript/, and /jAvAscrIPt/ all mean the same for the Target | Scope feature of Burp.
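
A small Python model of the exclusion rule above, added here as an illustration and not taken from Burp or the original text, useful for checking which URLs a rule would drop before relying on it during a test. It assumes each field is applied as a case-insensitive regular expression that can match anywhere unless anchored, and that a URL without an explicit port uses its scheme default; the function name, rule layout, and sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# The exclusion rule from the text; the dict layout is this example's own.
RULE = {
    "protocol": "http",
    "host": r"mutillidae-testing.cxm",
    "port": r"^80$",
    "file": r"^/javascript/.*",
}


def is_excluded(url, rule=RULE):
    """Return True if the URL matches every field of the exclusion rule."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme != rule["protocol"].lower():
        return False
    # A URL with no explicit port is treated as using the scheme default.
    port = parts.port or DEFAULT_PORTS.get(scheme)
    checks = (
        (rule["host"], parts.hostname or ""),
        (rule["port"], str(port)),
        (rule["file"], parts.path or "/"),
    )
    # Assumption: unanchored, case-insensitive regex match per field.
    return all(re.search(rx, val, re.IGNORECASE) for rx, val in checks)


# Constructed sample URLs covering the edge cases of the rule.
SAMPLES = [
    "http://mutillidae-testing.cxm/javascript/jquery.js",    # excluded
    "http://mutillidae-testing.cxm:80/JavaScript/menu.js",   # excluded (case)
    "http://mutillidae-testing.cxm/javascript",              # no trailing slash
    "http://mutillidae-testing.cxm:8080/javascript/a.js",    # other port
    "https://mutillidae-testing.cxm/javascript/a.js",        # other protocol
    "http://mutillidae-testing.cxm/includes/javascript/a.js" # ^ anchor
]

if __name__ == "__main__":
    for u in SAMPLES:
        print("excluded" if is_excluded(u) else "in play ", u)
```

Only the first two sample URLs are excluded; the rest stay subject to whatever include rules are configured, which is worth confirming before assuming a directory is fully out of scope.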