Scope inclusion versus exclusion

The target scope works on URL patterns. URL patterns can either be inclusive or exclusive. An inclusive pattern will allow all URLs matching the pattern to go through. An exclusive pattern will disallow all URLs matching the pattern from proceeding further. To match the scope, Burp Suite matches URLs to the patterns defined in the included list first. This allows us to add targets to the scope easily. Once a target URL pattern is matched, it is checked against the exclusion list. This is done to ensure that we don't inadvertently trigger critical functionality. For example, if we want to attack everything and not get logged out, we can exclude the Logout page. If some functionality triggers automated e-mails to thousands of users, we don't want to annoy the users by sending e-mails by mistake while testing. We should explicitly put such URLs in the exclusion list.
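The include-then-exclude order described above can be modelled in a few lines. This is an added example, not Burp Suite's own code: the rule fields (`protocol`, `host`, `file`), the host `shop.example.test`, and the logout and newsletter paths are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed rules for a hypothetical target; "host" and "file" are regexes.
INCLUDE = [
    {"protocol": "https", "host": r"^shop\.example\.test$", "file": r"^/.*"},
]
EXCLUDE = [
    # Keeps the test session alive.
    {"protocol": "any", "host": r"^shop\.example\.test$", "file": r"^/account/logout\b"},
    # Would send bulk e-mail to real users.
    {"protocol": "any", "host": r"^shop\.example\.test$", "file": r"^/admin/newsletter/send\b"},
]

def rule_matches(rule, url):
    """Return True when the URL's scheme, host and path+query all match the rule."""
    parts = urlsplit(url)
    if rule["protocol"] not in ("any", parts.scheme.lower()):
        return False
    if not re.search(rule["host"], parts.hostname or "", re.IGNORECASE):
        return False
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return re.search(rule["file"], target) is not None

def in_scope(url, include=INCLUDE, exclude=EXCLUDE):
    """Check the include list first, then let any exclude rule veto the URL."""
    if not any(rule_matches(rule, url) for rule in include):
        return False, "no include rule matched"
    for rule in exclude:
        if rule_matches(rule, url):
            return False, "excluded by " + rule["file"]
    return True, "in scope"

if __name__ == "__main__":
    # Constructed sample URLs.
    for url in (
        "https://shop.example.test/cart",
        "https://shop.example.test/account/logout?next=/",
        "https://shop.example.test/admin/newsletter/send",
        "http://shop.example.test/cart",
        "https://cdn.example.test/app.js",
    ):
        print(url, "->", in_scope(url))
```

Running candidate URLs through a check like this before a test starts shows whether the exclusion list really covers the logout and mail-sending pages.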

Spending some quality time figuring out the scope, adding the required target URLs, and settling our inclusion and exclusion lists will save us a lot of time and effort while using the other tools of the Suite. This might also be mandatory based on the testing activity we are planning to do. I highly recommend getting comfortable with Target Scope.