The target scope works on URL patterns. URL patterns can either be inclusive or exclusive. An inclusive pattern will allow all URLs matching the pattern to go through. An exclusive pattern will disallow all URLs matching the pattern from proceeding further. To match the scope, Burp Suite matches URLs to the patterns defined in the included list first. This allows us to add targets easily in scope. Once a target URL pattern is matched, it is checked against in the exclusion list. This is done to ensure that we don't inadvertently trigger critical functionality. For example, if we want to attack everything and not get logged out, we can exclude the Logout page. If some functionality triggers automated e-mails to ...