
Burp Suite, the leading toolkit for web application security testing

Initiating Scans

You can initiate scans against your target application in two different ways:

Manual Scanning

From anywhere within Burp, you can select one or more HTTP requests or URLs, and send these to the Scanner to perform scans. Some examples of using this technique are as follows:

Active Scanning Wizard

If you select multiple items and send these for active scanning, Burp launches a brief wizard that lets you fine-tune your selection. This enables you to quickly select large branches of the site map, which typically contain some items that you don't need to scan, and then remove the unnecessary items in the scan wizard.

The wizard lets you choose whether to remove items with various features:

For each option, Burp shows the number of affected items where this is known. If some items have not yet been requested, Burp will need to request them before it can determine which of them have media responses. If an option would result in none or all of the items being removed, that option is unavailable.

The wizard then displays the full list of items that will be scanned. You can double-click any item in the list to view full request and response details. You can manually remove any further items that you do not wish to scan.

The wizard then completes and the selected items are sent for scanning in the usual way.

Live Scanning

Live scanning allows you to determine what gets scanned by stepping through the target application using your browser, via Burp Proxy. You can configure separate settings for live active scanning and live passive scanning.

Live Active Scanning

To perform live active scanning, carry out the following steps:

Note: Live active scanning ignores requests for media resources (images, etc.) where the request does not contain any non-cookie parameters. Requests like these are virtually always for static resources that have no security significance, and so can be safely ignored by the Scanner. (This does not apply to manual scanning: if you manually select and send these items for active scanning, they will of course be scanned in the normal way.)
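To make the filtering rule above concrete, here is an added illustration (not Burp's own code) of the decision live active scanning applies to each proxied request: a request is skipped only when it targets a media resource and carries no parameters other than cookies. The set of media extensions and the sample requests are constructed assumptions; Burp's real list is not documented on this page.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumed media extensions; Burp's actual list is not stated on this page.
MEDIA_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "ico", "svg", "bmp", "mp3", "mp4"}


def parse_request(raw):
    """Split a raw HTTP request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def is_media_request(target):
    """True if the final path segment has a media file extension."""
    last_segment = urlsplit(target).path.rsplit("/", 1)[-1]
    ext = last_segment.rsplit(".", 1)[-1].lower() if "." in last_segment else ""
    return ext in MEDIA_EXTENSIONS


def non_cookie_parameters(target, headers, body):
    """URL query and form-body parameters; the Cookie header is deliberately excluded."""
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if body and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body, keep_blank_values=True)
    return params


def live_scan_would_skip(raw):
    """Mirror the rule: media resource AND no non-cookie parameters => not scanned."""
    _method, target, headers, body = parse_request(raw)
    return is_media_request(target) and not non_cookie_parameters(target, headers, body)


# Constructed sample requests (not real traffic).
STATIC_IMAGE = "GET /static/logo.png HTTP/1.1\r\nHost: example.test\r\nCookie: session=abc\r\n\r\n"
IMAGE_WITH_QUERY = "GET /static/logo.png?id=3 HTTP/1.1\r\nHost: example.test\r\n\r\n"
DYNAMIC_PAGE = "GET /search?q=test HTTP/1.1\r\nHost: example.test\r\n\r\n"
IMAGE_POST = ("POST /img/thumb.jpg HTTP/1.1\r\nHost: example.test\r\n"
              "Content-Type: application/x-www-form-urlencoded\r\n\r\nsize=64")
```

Only STATIC_IMAGE is skipped by the rule: the cookie alone does not count as a parameter, whereas a query string or form body on a media URL makes the request eligible for scanning.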


Live Passive Scanning

To perform live passive scanning, carry out the following steps:



Copyright © 2014 PortSwigger Ltd. All rights reserved.