Getting Started With Burp Scanner
Burp Scanner is a tool for performing automated vulnerability scans of
web applications. You can use Burp Scanner alongside your manual testing
methodology to quickly identify many types of common vulnerabilities,
leaving you to focus on issues that require human intelligence and ingenuity
Burp Scanner is designed to fit into Burp's
user-driven workflow, and the
help documentation explains in detail how the Scanner works and how you can
use it effectively to support your testing. However, if you are not
intending to use Burp in this way, and just want to carry out a quick and
easy scan of your application, please refer to
Using Burp as a Point-and-Click Scanner,
but this type of usage is not recommended.
Note: Using Burp Scanner may result in unexpected
effects in some applications. Until you are fully familiar with its
functionality and settings, you should only use Burp Scanner against
To start getting to know Burp Scanner, carry out the following steps:
- First, ensure that Burp is
installed and running,
and that you have configured
your browser to work with Burp.
- If you have not done so already, browse around some of your target
application, to populate Burp's Target site map with details of the
application's contents and functionality. Before doing so, to speed
things up, go to the Proxy tab, then the Intercept sub-tab, and turn off
Proxy interception (if the button says "Intercept is on" then click it
to toggle the interception status to off).
- As you browse, by default Burp Scanner performs passive scanning of
all requests and responses passing through the Proxy. Passive scanning
involves analyzing these HTTP messages for evidence of certain types of
vulnerabilities, and does not send any additional requests to the
server. Go to the Scanner tab, and the Results sub-tab, and review any
passive issues that Burp has reported for the applications you have
- To find many other types of vulnerabilities, Burp performs active
scanning, and this does involve sending additional requests to the
application to probe for vulnerabilities. You should only perform active
scanning against systems that you are authorized to test in this way.
Only proceed to the following steps if you have a suitable target
application that you are authorized to scan.
- Go to the Proxy history, and find an interesting-looking request to
your target application, containing a number of parameters. Select this
single request, and choose "Do an active scan" from the context menu.
Unless you have already configured your target scope, Burp will prompt
you to confirm. Assuming the request is one you are willing to scan,
- Go to the Scanner tab, and the Scan queue sub-tab. The item you sent
for scanning now appears in the scan queue, showing key details about
the item, and Burp's progress in scanning it. You can double-click the
item to view any issues that Burp has identified, and also review the
base request and response (this is the original request that you sent to
be scanned, and its associated response). Any issues identified will
also be consolidated and added to the main Scanner Results tab.
- Go to the Target site map, and in the tree view select a small
branch that you are willing to scan, containing more than one URL.
Select "Actively scan this branch" from the context menu. Burp will show
a wizard that lets you fine-tune your selection, by removing specific
items or all items with certain characteristics. For the moment, click
through the wizard. Again, if the items are out of scope, Burp may ask
you to confirm the action.
- Go back to the Scan queue tab, and note that all of the items you
selected have been added to the queue and are in the process of being
scanned. Depending on the number of items and their characteristics,
this scanning may take a while.
- If you have not already done so,
define the target scope for the application you are testing. The
simplest way to do this is to select the branch of the site map that
contains the application, and choose "Add to scope" from the context
menu. Do this with caution, because items added to the scope will be
automatically scanned in later steps of this help.
- Go to the Scanner tab, and the Live scanning sub-tab. In the "Live
Active Scanning" section, select "Use suite scope". This configuration
will cause the Scanner to automatically perform active scanning of
in-scope requests that pass through Burp Proxy as you browse.
- Go to your browser, and continue browsing the application, making a
few more requests. Go back to the Scan queue tab, and observe that
additional items are added to the queue as you browse. You can use this
feature to perform automatic scanning of specific application functions,
by using your browser to guide Burp as to what should be scanned.
- Go to the Scanner Results tab, and browse around the results that
have been generated so far. You can select parts of the tree view to see
only the issues for the selected branches, or you can select the whole
tree to see all issues. Note that in the list view, issues of
the same type may be consolidated into a single entry, and you can
expand this entry to see all instances of the issue. Select a specific
instance of an issue, and look at the advisory for that issue. This
contains details of the vulnerability and its remediation (where
relevant) and is fully customized with details of the behavior that was
observed in the target application. You can also review the request and
response upon which each reported issue was based, with particular parts
of these HTTP messages highlighted where relevant.
- View the request that is reported for an individual issue, and open
the context menu. Choose "Send to Repeater", and go to the Repeater tab.
You will see the selected request has been copied into the
Repeater tool, for further testing.
For more details on sending items between Burp tools, and the overall
testing workflow, see Using Burp Suite.
- Go back to the Scanner Results tab. Burp automatically assigns each
scan issue a rating for severity and confidence. The severity rating
reflects the impact that this type of issue typically has. The
confidence rating reflects how confident Burp is that the reported issue
is genuine, based on the technique Burp used to detect the issue and the
strength of the observed evidence. You can use the context menu on
selected issues to manually reassign the severity and confidence
ratings, or to flag issues as false positives.
- In the Results tab, select the host for your target
application, and choose "Report selected issues" from the context menu.
This opens a reporting wizard that lets you configure various aspects of
the report. Complete the reporting wizard and view the saved report.
Use the links below for further help on starting to use Burp Scanner:
Thursday, March 12, 2015
This release contains various bugfixes and minor enhancements, including:
- In the site map table, the "Method" column previously always showed GET for requests without a body, and POST for requests with a body, even if the actual method was different. This bug has now been fixed and the table shows the correct method.
- A bug which prevented client SSL certificates from being used when an upstream proxy is configured has been fixed.
- A bug which caused Decoder to fail to decode hex number HTML entities containing an upper-case X has been fixed.
See all release notes ›