Are you tired of manually setting up the Scope of a Burp Suite project, every time you start a new pentesting project? Are you afraid you may have missed a host in your whitelist config? This article will show you how to effectively filter unwanted hosts in Burp, while ensuring that unknown or new hosts are not discarded prematurely.

Setting up Advanced Scope Control

To begin with our setup, open up a new, temporary Burp project and go to the Target > Scope section. Tick the checkbox "Use advanced scope control".

Afterwards we want to configure a general wildcard whitelist. To do so, go to "Include in scope" and click on "add", then without entering any values, click "ok":

On the next prompt, we select "yes" to enable out of scope items from being logged to history and other Burp tools:

Optional: Setup Firefox Background Request Filter

If you are using Firefox alongside Burp, you will have noticed that Firefox performs several background requests, e.g., to "http://detectportal.firefox.com/". If you want to get rid of these hosts from your scope view, I suggest adding the following two entries under "Exclude from scope":

.*\.firefox\.com$
.*\.mozilla\.org$

Setting up the SiteMap and HTTP History Views

In the Target > SiteMap view we now click on "Show all", then click the checkboxes "Show only in-scope items", "Show only requested items" and "Hide empty folders". Then we hit "Apply & close":

Then we go to the Proxy > HTTP History view. Here we also click on "Show all", then click the checkbox "Show only in-scope items". Afterwards we confirm with "Apply & close":

Final Steps

After this setup, we can conveniently right click on any target that we want to exclude from the scope and have this filter automatically take effect on all traffic views:

At the same time, any new hosts will still remain in-scope and not be filtered away automatically. This has the big advantage over a classical scope whitelist approach that unknown hosts are not overlooked during testing.

Saving the Configuration

After performing the above setup, we can save this configuration as a custom Burp config file. To do so we save the project settings to a new file via:

Then, whenever we create a new project in Burp, we can load this project setting configuration in the second wizard window:

This results in the previously configured behavior automatically being loaded into the new project. This includes filters for all views we configured, as well as the advanced target scope settings.

Bonus: Download the Project Config File

If you want to skip the manual configuration above, I provide you with the configuration file as a download.