The scanner behind Burp Suite's popularity has more to it than most. Burp Scanner uses PortSwigger's world-leading research to help its users find a wide range of vulnerabilities in web applications, automatically.
For years, Burp Suite has been the gold standard among security professionals. These experts recognize that Burp Scanner improves their work - by finding bugs they'd otherwise miss. Now, Burp Suite Enterprise Edition enables everyone to deploy Burp Scanner at scale.
Professionals trust Burp Scanner because they know it's based on our groundbreaking research. PortSwigger constantly pushes the boundaries of what's possible. Burp Scanner's users are protected from many new vulnerabilities before hackers are even aware they exist - quite simply because we discovered them.
Burp Scanner is well-known for shaking up security automation. Capabilities like automated OAST scanning have pioneered new paradigms in the field. Consequently, Burp Scanner is capable of finding vulnerabilities many other scanners would miss. These include asynchronous SQL injection and blind SSRF.
It's common for scanners to rely on a single methodology for application security testing - but this is far from ideal. Instead, Burp Scanner draws from a varied arsenal of techniques to produce a more comprehensive picture. This combined approach maximizes coverage while producing minimal false positives.
Some of the methods used by Burp Scanner include:
- By sending payloads and monitoring the application's resulting behavior, DAST simulates a real-world attack. This is the classic "black box" testing method.
- Burp Collaborator (included) uses an external server to detect out-of-band vulnerabilities that conventional DAST misses. This technique was pioneered by PortSwigger.
- If desired, Burp Infiltrator (included) can instrument a target application (Java or .NET). This allows internal monitoring during a scan - and can pinpoint vulnerable lines of code.
By combining methodologies, Burp Scanner gains a wider, more reliable view of its target's vulnerabilities. In today's world, an increasing amount of business logic is implemented on the client side - often composed dynamically at runtime. Burp Scanner's client-side scanning capabilities therefore give it yet another edge over conventional server-side SAST.
Burp Suite's creator - and industry pioneer - Dafydd Stuttard wrote the book that educated a generation of pentesters. Since then, our software has become synonymous with security expertise. This is the foundation that has helped Burp Scanner become the most widely used scanner of its type. Burp Suite Enterprise Edition makes this expertise available to everyone.