I have a local page that I use to test for LFI attacks, when I used to run active scan against this page in Burp 1.7.37, I get the attack detected by different extensions, e.g. J2EEScan.
I tried to scan the same page in Burp 2.20beta with the extension-only audit. However, I got no results and by checking the logs I don't see any of the extension packets, only maybe Active Scan++ but no J2EEScan nor Scan Check Builder packets.
I used the jar file for Burp2.20beta. Would you have an idea why such an issue took place and if there is a way to get extension-only audit to work with the above mentioned extensions?
↧