Working with target exclusions

Just as we can add items to scope in Burp, we can also add items that need to be explicitly set out of scope. This, as is the case with in-scope items, can be added via two methods. The first is via the Proxy | History tab from the right-click context menu:

The second is from the Target scope tab in the Exclude from scope section. For example, if you want to exclude all sub-directories and files under /javascript, then the following options can be applied:

• Protocol: HTTP
• Host or IP range: mutillidae-testing.cxm
• Port: ^80$
• File: ^/javascript/.*

This will exclude all URLs under the /javascript/ directory on port 80 with the HTTP protocol.

You can also load a file containing a list of URLs that need to be excluded from scope via the Load button on the Target | Scope page. This list must be URLs/targets separated by newlines.

Both the Include in scope option and Exclude from scope option are case insensitive. /javascript/, /JavaScript/, and /jAvAscrIPt/ all mean the same for the Target | Scope feature of Burp.