Define a Target Scope in Burp Suite

Beginner

Introduction

In this lab, you will learn the essential skill of defining a target scope in Burp Suite. Burp Suite is a powerful proxy tool used for web application security testing. Defining a scope is a critical first step in any engagement because it instructs Burp Suite which targets are part of your test. This helps you focus your attention, filter out irrelevant traffic, and, most importantly, prevent you from accidentally testing systems that are not part of your authorized engagement.

By the end of this lab, you will be able to add a target application to your scope and use the scope filter to view only relevant traffic.

Browse to a Target Application to Populate the Site Map

In this step, you will launch Burp Suite and its embedded browser. You will then navigate to a target website to generate traffic. This traffic will be intercepted by Burp's proxy, which will automatically build a map of the target application's structure.

First, let's launch Burp Suite.

  1. Click on the Applications menu in the top-left corner of the screen.
  2. Navigate to Other and click on Burp Suite Community Edition.
  3. A dialog box will appear. Select Temporary project and click Next.
  4. Another dialog will ask about project configuration. Select Use Burp defaults and click Start Burp.

Once Burp Suite has loaded, you need to open its pre-configured browser to ensure traffic is correctly proxied.

  1. In the Burp Suite window, go to the Proxy tab, and then the Intercept sub-tab.
  2. Click the Open Browser button. A new Chromium browser window will open.
  3. In the address bar of this new browser, type the following URL and press Enter:
https://ginandjuice.shop

As you browse the site, Burp Suite silently records all the requests and responses in the background. You can now close the browser window.

Right-Click the Target Host in the Site Map

In this step, you will navigate to Burp Suite's Site map to find the host you just visited. The Site map provides a hierarchical view of all the content that Burp has discovered.

  1. Return to the main Burp Suite window.
  2. Click on the Target tab. By default, it will open to the Site map sub-tab.
  3. In the left-hand pane, you will see a tree structure of the sites you have visited. Find and expand the entry for https://ginandjuice.shop.
  4. Right-click on the top-level entry for https://ginandjuice.shop. This will open a context-sensitive menu with many different options for interacting with this target.

This context menu is central to using Burp Suite, as it provides quick access to all of its powerful tools.

Select 'Add to scope' from the Context Menu

In this step, you will use the context menu to officially define the target host as "in-scope".

  1. With the context menu still open from the previous step, locate and click on the option Add to scope.
  2. A dialog box will appear with the message: "Burp's proxy is configured to drop all out-of-scope requests. Do you want to stop sending out-of-scope items to the History and other Burp tools?".
  3. Click Yes.

By clicking "Yes", you are telling Burp to automatically filter out noise from other websites. This is a highly recommended practice that keeps your project clean and focused only on the target application. The host ginandjuice.shop is now considered part of your testing scope.

View the New Rule in the Target > Scope Tab

In this step, you will verify that your scope has been configured correctly by checking the Scope settings tab.

  1. In the Burp Suite window, stay within the Target tab.
  2. Click on the Scope sub-tab, located next to the Site map sub-tab.
  3. You will see two main sections: Include in scope and Exclude from scope.
  4. Under the Include in scope section, you should now see a rule for the host you just added. It will look similar to this:
Host or IP range: ginandjuice.shop
Protocol: Any
Port: 443
File: .*

This rule tells Burp that any request to the host ginandjuice.shop over port 443 (the HTTPS port) is considered in-scope. Because the Protocol field is Any, the rule does not restrict the protocol itself; it is the Port field that limits it to 443, so plain-HTTP traffic to the same host on port 80 would not match this rule. The File field uses a regular expression (.*) to match any path on the server. You can add more complex rules here, but this simple host-based rule is the most common starting point.
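To make the rule's semantics concrete, here is an added example (not Burp's own code) that models a scope entry with the same four fields shown in the Scope tab and applies it to a constructed sample of proxy history, the way the "Show only in-scope items" filter does. The `ScopeRule` class, the `in_scope` and `filter_history` helpers, and the sample URLs are all assumptions made for this illustration; the matching logic is a simplified approximation, not Burp's implementation.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class ScopeRule:
    """Simplified model of one Target > Scope rule (field names mirror the tab's columns)."""
    host: str              # "Host or IP range", treated here as a regex over the hostname
    protocol: str = "Any"  # "Any", "HTTP" or "HTTPS"
    port: str = ""         # "" means any port
    file: str = ".*"       # regex matched against the start of the path (plus query)

    def matches(self, url: str) -> bool:
        u = urlsplit(url)
        scheme = u.scheme.lower()
        port = u.port or (443 if scheme == "https" else 80)  # default port per scheme
        if not re.fullmatch(self.host, u.hostname or ""):
            return False
        if self.protocol != "Any" and self.protocol.lower() != scheme:
            return False
        if self.port and int(self.port) != port:
            return False
        path = (u.path or "/") + ("?" + u.query if u.query else "")
        return re.match(self.file, path) is not None


def in_scope(url: str, include: list, exclude: list) -> bool:
    """In scope when some include rule matches and no exclude rule does."""
    if any(r.matches(url) for r in exclude):
        return False
    return any(r.matches(url) for r in include)


# The rule this lab creates: host ginandjuice.shop, protocol Any, port 443, file .*
# (host escaped so the dot in the name is literal).
LAB_INCLUDE = [ScopeRule(host=re.escape("ginandjuice.shop"), port="443")]
LAB_EXCLUDE: list = []

# Constructed sample of a noisy Proxy > HTTP history (not real captured traffic).
SAMPLE_HISTORY = [
    "https://ginandjuice.shop/",
    "https://ginandjuice.shop/catalog?category=Gin",
    "http://ginandjuice.shop/robots.txt",       # port 80: not matched by the port 443 rule
    "https://cdn.analytics.invalid/pixel.gif",  # third-party noise
    "https://update.browser.invalid/check",     # browser background traffic
]


def filter_history(entries, include=LAB_INCLUDE, exclude=LAB_EXCLUDE):
    """Equivalent of ticking 'Show only in-scope items': keep matching URLs only."""
    return [e for e in entries if in_scope(e, include, exclude)]
```

Running `filter_history(SAMPLE_HISTORY)` keeps only the two HTTPS requests to ginandjuice.shop; adding an entry such as `ScopeRule(host="ginandjuice\\.shop", file="/logout")` to the exclude list shows how the Exclude from scope section carves a path out of an otherwise in-scope host.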

Use the Proxy History Filter to Show Only In-Scope Items

In this step, you will see the practical benefit of defining a scope by filtering the Proxy history log. The history log contains every HTTP request that has passed through Burp's proxy, which can become very noisy.

  1. Navigate to the Proxy tab, and then click the HTTP history sub-tab.
  2. You may see requests to various domains, not just your target.
  3. At the top of the history table, there is a filter bar. It might say "Filter: Showing all items". Click on this bar.
  4. A filter configuration panel will appear. Find the section named Filter by scope.
  5. Check the box labeled Show only in-scope items.
  6. Click anywhere outside the filter panel to apply the changes.

The HTTP history table will now update, and you will only see requests made to https://ginandjuice.shop. All other traffic is hidden from view, making it much easier to analyze the requests relevant to your test.

Summary

Congratulations on completing this lab!

You have learned how to perform one of the most fundamental and important configuration steps in Burp Suite: defining a target scope. You successfully launched Burp, browsed a target application to populate the site map, added the target to your scope, and used the scope filter to hide irrelevant traffic in your proxy history.

This skill is essential for maintaining focus, organizing your testing workflow, and ensuring you operate safely and professionally within the authorized boundaries of a penetration test.