Different modes for scan speed, allowing fast, normal, and thorough scans to be carried out for different purposes.
Scan exactly what you want. You can perform a full crawl and scan of an entire host, or a particular branch of the site content, or an individual URL.
Support for numerous types of attack insertion points within requests, including parameters, cookies, HTTP headers, parameter names, and the URL file path.
Support for nested insertion points allowing automatic testing of custom application data formats, such as JSON inside Base64 inside a URL-encoded parameter.
Burp’s advanced application-aware crawler can be used to map out application contents, prior to automated scanning or manual testing.
Use fine-grained scope-based configuration to control exactly what hosts and URLs are to be included in the crawl or scan.
Automatic detection of custom not-found responses, to reduce false positives during crawling.
Advanced scanning for manual testers
View real-time feedback of all actions being performed during scanning. The active scan queue shows the progress of each item that is queued for scanning. The issue activity log shows a sequential record of all issues as they are added or updated.
Use the active scanning mode to interactively test for vulnerabilities like OS command injection and file path traversal.
Use the passive scanning mode to identify flaws such as information disclosure, insecure use of SSL, and cross-domain exposure.
You can place manual insertion points at arbitrary locations within requests, to inform the Scanner about non-standard inputs and data formats.
Burp Scanner can automatically move parameters between different locations, such as URL parameters and cookies, to help evade web application firewalls and other defenses.
You can fully control what gets scanned using live scanning as you browse. Each time you make a new request that is within your defined target scope, Burp automatically schedules the request for active scanning.
Burp can optionally report all reflected and stored inputs, even where no vulnerability has been confirmed, to facilitate manual testing for issues like cross-site scripting.
Different modes for scan accuracy, to optionally favor more false positives or negatives.
Cutting-edge scanning logic
Burp Scanner is designed by industry-leading penetration testers. Its advanced feedback-driven scanning logic is designed to reproduce the actions of a skilled human tester.
Advanced crawling capabilities (including coverage of the latest web technologies such as REST, JSON, AJAX and SOAP), combined with its cutting-edge scanning engine, allow Burp to achieve greater scan coverage and vulnerability detection than other fully automated web scanners.
Burp has pioneered the use of highly innovative out-of-band techniques to augment the conventional scanning model. The Burp Collaborator technology allows Burp to detect server-side vulnerabilities that are completely invisible in the application’s external behavior, and even to report vulnerabilities that are triggered asynchronously after scanning has completed.
The Burp Infiltrator technology can be used to perform interactive application security testing (IAST) by instrumenting target applications to give real-time feedback to Burp Scanner when its payloads reach dangerous APIs within the application.
Burp’s scanning logic is continually updated with enhancements to ensure it can find the latest vulnerabilities and new edge cases of existing vulnerabilities. In recent years, Burp has been the first scanner to detect novel vulnerabilities pioneered by the Burp research team, including template injection and path-relative stylesheet imports.
Clear and detailed presentation of vulnerabilities
The target site map shows all of the content that has been discovered in sites being tested. Content is presented in a tree view that corresponds to the sites’ URL structure. Selecting branches or nodes within the tree shows a listing of individual items, with full details including requests and responses where available.
The site map also shows the vulnerabilities that have been identified. Icons in the site tree allow vulnerable areas of the target to be quickly identified and explored.
Vulnerabilities are rated for severity and confidence to help decision makers focus quickly on the most significant issues.
All reported vulnerabilities contain detailed custom advisories. These include a full description of the issue, and step-by-step remediation advice. Advisory wording is dynamically generated for each individual issue, with any special features or remediation points accurately described.
Each reported vulnerability includes full information about the evidence on which it is based. This includes HTTP requests and responses with relevant features highlighted, and any out-of-band interactions with Burp Collaborator. The reported evidence enables developers to quickly understand the nature of each vulnerability, and the location within the application where a fix needs to be applied.
You can export beautifully formatted HTML reports of discovered vulnerabilities. The level and type of details included in the report can be customized for different audiences.
Intercept browser traffic using man-in-the-middle proxy
Burp Proxy allows manual testers to intercept all requests and responses between the browser and the target application, even when HTTPS is being used.
You can view, edit or drop individual messages to manipulate the server-side or client-side components of the application.
The Proxy history records full details of all requests and responses passing through the Proxy.
You can annotate individual items with comments and colored highlights, letting you mark interesting items for manual follow-up later.
You can use match and replace rules to automatically apply custom modifications to requests and responses passing through the Proxy. You can create rules that operate on message headers and body, request parameters, or the URL file path.
Burp helps eliminate browser security warnings that can occur when intercepting HTTPS connections. On installation, Burp generates a unique CA certificate that you can install in your browser. Host certificates are then generated for each domain that you visit, signed by the trusted CA certificate.
Burp supports invisible proxying for non-proxy-aware clients, enabling the testing of non-standard user agents such as thick client applications and some mobile applications.
HTML5 WebSockets messages are intercepted and logged to a separate history, in the same way as regular HTTP messages.
You can configure fine-grained interception rules that control precisely which messages are intercepted, letting you focus on the most interesting interactions.
Automate custom attacks using Burp Intruder
Burp Intruder is an advanced tool for automating custom attacks against applications. It can be used for numerous purposes to improve the speed and accuracy of manual testing.
Common use cases are fuzzing for vulnerabilities, enumerating valid identifiers, extracting interesting data, and actively exploiting discovered vulnerabilities.
You can place payloads in arbitrary positions with requests, allowing payloads to be placed within custom data structures and protocols.
Multiple simultaneous payloads of different types can be placed into different positions within the same request, and can be combined in various ways.
There are numerous built-in payload generators that can automatically create payloads for virtually any purpose in a highly configurable way. Payload generators include numbers, dates, brute forcer, bit flipper, username generator, ECB block shuffler, illegal Unicode, and case modification. Burp extensions can also provide completely custom payload generators via the API.
There are built-in wordlists for numerous common purposes, including directory and file names, common field names and values, fuzz strings, HTTP verbs and user agents. You can also easily configure a custom repository of wordlists for direct use within Intruder payloads.
Payload processing rules can be defined to manipulate generated payloads in arbitrary ways, to meet the exact needs of the custom attack being performed. Payload processing rules include the addition of a prefix or suffix, match and replace, substring, encoding or decoding in various schemes, or skipping payloads that match a regular expression. Burp extensions can also provide completely custom payload processing rules via the API.
Intruder attacks can be configured to automatically grep for custom match strings in responses. This function can be used for numerous purposes, including looking for error messages during fuzzing, confirming valid identifiers during enumeration tasks, and flagging successful exploitation of discovered vulnerabilities.
Burp Intruder can extract custom data items from responses. For example, you can cycle through a range of page identifiers and extract the title of each returned page, or iterate over all valid user IDs and extract the name and group of each user.
Intruder captures detailed attack results, with all relevant information about each request and response clearly presented in table form. Captured data includes the payload values and positions, HTTP status code, response timers, cookies, number of redirections, and the results of any configured grep or data extraction settings.
Advanced manual testing tools
All requests and responses are displayed in a feature-rich HTTP message editor. This provides numerous views into the underlying message to assist in analyzing and modifying its contents.
Individual requests and responses can be easily sent between Burp tools to support all kinds of manual testing workflows.
The Repeater tool lets you manually edit and reissue individual requests, with a full history of requests and responses.
The Sequencer tool is used for statistical analysis of session tokens using standard cryptographic tests for randomness.
You can record macros for repeating common sequences of requests, for use within the session handling mechanism.
You can create custom session handling rules to deal with particular situations. Session handling rules can automatically log in, detect and recover invalid sessions, and fetch valid CSRF tokens.
The powerful Burp Extender API allows extensions to customize Burp’s behavior and integrate with other tools. Common use cases for Burp extensions include modifying HTTP requests and responses on the fly, customizing the Burp UI, adding custom Scanner checks, and accessing key runtime information including crawl and scan results.