Burp Scanner is a tool for automatically finding security vulnerabilities in web applications. It is designed to be used by security testers, and to fit in closely with your existing techniques and methodologies for performing manual and semi-automated penetration tests of web applications.
Note: Using Burp Scanner may result in unexpected effects in some applications. Until you are fully familiar with its functionality and settings, you should only use Burp Scanner against non-production systems.
With most web scanners, you provide a start URL for the application, click "Go", and watch a progress bar update until the scan is finished and a report is produced. This scanning model has significant limitations, which lead to incomplete coverage, missed vulnerabilities, and misdirected effort. (The most notable problems are: crawler limitations due to changing client-side technologies, inability to interoperate with the complex stateful nature of today's applications, failure to supply suitable input to complete multi-stage processes, problems working with authentication and session handling mechanisms, and many others.)
Now, if you really want to use Burp like a conventional scanner, with all the limitations that this involves, please refer to Using Burp as a Point-and-Click Scanner, but this isn't recommended.
Burp's preferred approach to scanning employs a different, user-driven paradigm. This gives you fine-grained control over each request that gets scanned, and direct feedback about the results. This approach helps to avoid many of the technical challenges faced by conventional scanners. You can guide the scanner using your browser to ensure that no key areas of functionality are missed. You can directly scan the actual requests generated by the application, containing data with the correct content and format that the application requires. With full control over what gets scanned, you can avoid dangerous functionality, recognize duplicated functionality, and step through any input validation requirements that a fully automated scanner might struggle with. Furthermore, because you have direct feedback about the scanner's activity, you can ensure that problems with authentication and session handling are avoided and that issues caused by multistage processes and stateful functions are handled properly. By using a scanner in this way, you can cover an important range of vulnerabilities whose detection can be automated. This will free you to look for other types of vulnerabilities that require human intelligence and experience to uncover.
Burp Scanner can operate in a purely passive mode. Here, the Scanner doesn't send any new requests of its own. It merely analyzes the contents of existing requests and responses, and deduces vulnerabilities from those. Many types of security vulnerabilities can be detected using only passive techniques.
By default, Burp carries out passive scanning of all traffic passing through Burp Proxy. After you have configured your target scope, you might want to reconfigure the live passive scanning settings, so that only in-scope items are passively scanned. This will prevent the Issues view from accumulating passive scan issues for targets you are not interested in.
In the active scanning mode, Burp sends various crafted requests to the application, and analyzes the resulting responses looking for evidence of vulnerabilities. Active Scanning is capable of identifying a much wider range of vulnerabilities, and is essential when performing a comprehensive test of an application.
You can initiate scans in two different ways:
In a typical test, you might want to combine these methods for different parts of the application. For example:
Note: As a general rule, scanning whole branches of the site map is most suitable for discrete application functions that do not involve multi-stage processes, complex state, or session handling. Where these features are present, manual scanning of individual requests or carefully targeted live scanning is generally more effective.
Items that are sent for active scanning are added to the active scan queue, which displays the status of each item and the number of issues found. You can monitor the progress of your scanning, and use the context menu to cancel or re-prioritize individual items. Based on the performance of your scanning, you can also choose to modify various settings, including the configuration of the scan engine and scan insertion points.
Burp's user-driven approach to vulnerability scanning brings a number of benefits to the penetration tester:
By controlling exactly what gets scanned, and by monitoring in real time both the scan results and the wider effects on the application, Burp Scanner lets you combine the virtues of reliable automation with intuitive human intelligence, often with devastating results.
All results generated by Burp Scanner are shown in the Target site map. Find the Issues view (which may be shown within a sub-tab, or side-by-side with the Contents view, depending on your configuration). The results for each individual request that was actively scanned can also be viewed by double-clicking items in the active scan queue.
Each scan result contains a detailed advisory, often with customized details relevant to the specific vulnerability and appropriate remediation. Each result also includes the full requests and responses that were the basis for reporting the issue, with relevant portions highlighted. You can pass these requests to other Burp tools in the usual way, to verify issues or carry out further tests.
You can generate formal scan reports of your findings, in HTML or XML formats. To generate a report, select the required issues in the Issues view of the site map, and choose "Report selected issues" from the context menu. A reporting wizard will run letting you configure various details of the report.
Get help and join the community discussions at the Burp Suite Support Center.
This release updates the Scanner to find super-blind OS command injection vulnerabilities. The Scanner now makes use of Burp Collaborator to find OS command injection vulnerabilities where it is not possible to observe any time delay or command output in responses.