The Results tab contains all of the issues that the Scanner has identified,
from both active and
There is a tree view showing a hierarchical representation of application
content where issues have been found, with URLs broken down into domains,
directories, and files. If you select one or more parts of the tree, all of
the scan issues for the selected items are listed, with issues of the same
type grouped together. You can expand these aggregated issues to view all of
the individual issues of each type.
If you select an issue, the relevant details are displayed, including:
- A customized vulnerability advisory containing:
  - A standard description of the issue type and its remediation.
  - A description of any specific features that apply to the issue and
    affect its remediation.
- The full requests and responses that were the basis for reporting the
  issue. Where applicable, the parts of the request and response that are
  relevant to identifying and reproducing the issue are highlighted.
Often, the fastest way to reproduce and verify an issue is to use the context
menu on the message editor to send the request to Burp Repeater. Alternatively, for GET
requests, you can copy the URL and paste it into your browser (note that the
browser will attach its own cookies, not necessarily the session Burp scanned
with). Then you can reissue the request and, if necessary, fine-tune the
proof-of-concept attack that Burp generated.
Every issue that Burp Scanner reports is given a rating both for severity
(high, medium, low, informational) and for confidence (certain, firm, tentative).
When an issue has been identified using a technique that is inherently less
reliable (such as blind SQL injection, where the flaw is inferred from the
application's behavior rather than observed directly), Burp makes you aware
of this by dropping the confidence level below certain, to firm or tentative. These
ratings should always be interpreted as indicative, and you should review
them based on your knowledge of the application's functionality and business
The issue listing has a context menu that you can use to perform the
- Report selected issues - This starts Burp Scanner's reporting wizard to
generate a formal report of the selected issues.
- Set severity - This lets you reassign the severity level of the issue. You
can set the severity to high, medium, low, or informational. You can also
flag the issue as a false positive.
- Set confidence - This lets you reassign the confidence level of the issue.
You can set the confidence to certain, firm, or tentative.
- Delete selected issues - This deletes the selected issues. Note that if you
delete an issue and Burp rediscovers the same issue (for example, if you
rescan the same request), then the issue will be reported again. If instead
you mark the issue as a false positive, this will not happen. Therefore,
deletion is best used for cleaning up the scan results to remove hosts or
paths you are not interested in. For unwanted issues within the
functionality you are still working on, you should use the false positive
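The grouping, ratings, false-positive handling and "copy the URL for a GET request" workflow described above can also be applied outside the UI, to a report exported from the reporting wizard. The following is an added example, not code from PortSwigger or from Burp itself. It assumes the XML layout that Burp Scanner's reporting wizard writes (an `issues` root, one `issue` element per finding with `type`, `name`, `host`, `path`, `severity` and `confidence` children, and a `requestresponse` whose `request` is base64-encoded when flagged `base64='true'`); that layout is my assumption, not something this page states. The sample report, its type IDs, the host `shop.example` and the requests are constructed.

```python
"""Triage Burp Scanner findings from an exported XML report.

Added example, not PortSwigger/Burp code. It assumes the XML layout Burp's reporting
wizard writes (<issues> root; one <issue> per finding with <type>, <name>, <host>, <path>,
<severity>, <confidence> and a base64-flagged <requestresponse>/<request>); that layout
is my assumption. The sample report, its type IDs and requests are constructed.
"""
import base64
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass

# Burp's XML spells the lowest severity "Information" where the UI says "informational".
SEVERITY_RANK = {"Information": 0, "Low": 1, "Medium": 2, "High": 3}
CONFIDENCE_RANK = {"Tentative": 0, "Firm": 1, "Certain": 2}
SHOP = "https://shop.example"                      # constructed target
HDR = " HTTP/1.1\r\nHost: shop.example\r\n\r\n"

def _issue(serial, type_id, name, path, severity, confidence, request):
    """One constructed <issue> element in the assumed report layout."""
    return (f"<issue><serialNumber>{serial}</serialNumber><type>{type_id}</type>"
            f"<name>{name}</name><host ip='10.0.0.5'>{SHOP}</host><path>{path}</path>"
            f"<severity>{severity}</severity><confidence>{confidence}</confidence>"
            f"<requestresponse><request base64='true'>"
            f"{base64.b64encode(request.encode()).decode()}</request></requestresponse></issue>")

SAMPLE_REPORT = (
    "<?xml version='1.0'?><issues burpVersion='constructed' exportTime='constructed'>"
    + _issue(1, 1, "SQL injection", "/search", "High", "Tentative",
             "GET /search?q=1'+waitfor+delay+'0:0:5'--" + HDR)
    + _issue(2, 2, "Cross-site scripting (reflected)", "/search", "Medium", "Certain",
             "GET /search?q=<script>alert(1)</script>" + HDR)
    + _issue(3, 2, "Cross-site scripting (reflected)", "/help/faq", "Medium", "Certain",
             "GET /help/faq?topic=<script>alert(1)</script>" + HDR)
    + _issue(4, 3, "Frameable response (potential Clickjacking)", "/", "Information", "Firm",
             "GET /" + HDR)
    + "</issues>").encode()

@dataclass
class Issue:
    name: str
    host: str
    path: str
    severity: str
    confidence: str
    request: bytes

def parse_report(xml_data: bytes) -> list:
    """Python's docs warn ElementTree is not hardened against malicious XML: fine for
    your own Burp output, but parse reports from anyone else with defusedxml."""
    issues = []
    for el in ET.fromstring(xml_data).iter("issue"):
        req = el.find("requestresponse/request")
        raw = b"" if req is None or not req.text else req.text.encode()
        if raw and req.get("base64") == "true":
            raw = base64.b64decode(req.text)
        issues.append(Issue(el.findtext("name"), el.findtext("host"), el.findtext("path"),
                            el.findtext("severity"), el.findtext("confidence"), raw))
    return issues

def issue_key(iss: Issue) -> tuple:
    """What 'the same issue' means on rediscovery: same type at the same host and path."""
    return (iss.name, iss.host, iss.path)

def group_by_type(issues) -> dict:
    """Mirror the issue listing: findings of one type are aggregated under one entry."""
    groups = defaultdict(list)
    for iss in issues:
        groups[iss.name].append(iss)
    return dict(groups)

def build_tree(issues) -> dict:
    """Mirror the tree view: host -> directories -> file, with issue names at the leaves."""
    tree = {}
    for iss in issues:
        node = tree.setdefault(iss.host, {})
        parts = [p for p in iss.path.split("/") if p]
        for part in parts[:-1]:
            node = node.setdefault(part + "/", {})
        node.setdefault(parts[-1] if parts else "/", []).append(iss.name)
    return tree

def triage(issues, min_severity="Information", min_confidence="Tentative",
           false_positives=frozenset()) -> list:
    """Drop flagged false positives by key (a rescan cannot resurrect them), then the rest."""
    return [iss for iss in issues
            if issue_key(iss) not in false_positives
            and SEVERITY_RANK[iss.severity] >= SEVERITY_RANK[min_severity]
            and CONFIDENCE_RANK[iss.confidence] >= CONFIDENCE_RANK[min_confidence]]

def browser_url(iss: Issue):
    """For a GET request, the URL to paste into a browser to reproduce it; None otherwise."""
    parts = iss.request.split(b" ", 2)
    return iss.host + parts[1].decode() if len(parts) == 3 and parts[0] == b"GET" else None

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    fps = {issue_key(i) for i in found if i.path == "/help/faq"}   # flagged false positive
    for iss in triage(found, min_severity="Low", false_positives=fps):
        print(f"[{iss.severity}/{iss.confidence}] {iss.name}: {browser_url(iss)}")
```

The false-positive set is keyed on issue type plus host and path rather than on a serial number, which is why a flagged issue stays suppressed when a rescan produces a fresh copy, while a deleted one (not in the set) comes back. The severity and confidence floors are the scripted equivalent of reading the two ratings as indicative: a tentative blind SQL injection stays visible at the default floor and only disappears when you deliberately ask for firm findings.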
Thursday, March 12, 2015
This release contains various bugfixes and minor enhancements, including:
- In the site map table, the "Method" column previously always showed GET for requests without a body, and POST for requests with a body, even if the actual method was different. This bug has now been fixed and the table shows the correct method.
- A bug which prevented client SSL certificates from being used when an upstream proxy is configured has been fixed.
- A bug which caused Decoder to fail to decode hex number HTML entities containing an upper-case X has been fixed.
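The Decoder fix in the last item is a case-sensitivity bug: a hex numeric entity is written `&#x41;` or, equally validly, `&#X41;`, and a decoder that only recognises the lower-case marker leaves the latter undecoded. The following is an added example, not PortSwigger's Decoder code; it reproduces that behaviour in a deliberately case-sensitive decoder and places the corrected one beside it. The inputs are constructed.

```python
"""Numeric HTML entity decoding: the case-sensitivity bug beside the fix.

Added example, not PortSwigger's Decoder code. It reproduces the behaviour the release
note describes (hex entities written with an upper-case X, such as &#X41;, left
undecoded) in a deliberately case-sensitive decoder, then the corrected one. The
inputs are constructed.
"""
import re

# Bug: only a lower-case 'x' introduces a hex entity, so "&#X41;" matches neither branch
# (not lower-case hex, and "X41" is not a run of decimal digits) and is left as written.
_BUGGY = re.compile(r"&#(?:x([0-9A-Fa-f]+)|([0-9]+));")
# Fix: accept either case for the hex marker, as browsers do.
_FIXED = re.compile(r"&#(?:[xX]([0-9A-Fa-f]+)|([0-9]+));")

def _to_char(match):
    hex_digits, dec_digits = match.group(1), match.group(2)
    code = int(hex_digits, 16) if hex_digits is not None else int(dec_digits)
    if code > 0x10FFFF or 0xD800 <= code <= 0xDFFF:
        return match.group(0)          # not a valid code point: leave the entity untouched
    return chr(code)

def decode_entities_buggy(text: str) -> str:
    """Pre-fix behaviour: decimal and lower-case-x hex entities only."""
    return _BUGGY.sub(_to_char, text)

def decode_entities(text: str) -> str:
    """Fixed behaviour: decimal entities plus hex entities with either x or X."""
    return _FIXED.sub(_to_char, text)
```

The same inconsistency matters well beyond Decoder: a server-side filter that canonicalises only the lower-case form will pass `&#X3C;script&#X3E;` unchanged while the browser decodes it to `<script>`, so when you test an input filter, try both cases of the hex marker.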