Burp Suite documentation - contents

  • Last updated: March 24, 2023

  • Read time: 23 Minutes

Desktop editions
     Getting started
          Download and install
          Intercepting HTTP traffic with Burp Proxy
               Intercepting a request
          Modifying requests in Burp Proxy
               Step 1: Access the vulnerable website in Burp's browser
               Step 2: Log in to your shopping account
               Step 3: Find something to buy
               Step 4: Study the add to cart function
               Step 5: Modify the request
               Step 6: Exploit the vulnerability
          Setting the target scope
          Reissuing requests with Burp Repeater
               Sending a request to Burp Repeater
               Testing different input with Burp Repeater
          Running your first scan
               Scanning a website
          Generating a report
          What next?
               Continue your Burp Suite journey
          Activate license
               Manual activation
          Launch from the command line
               Checking your Java version
               Launching the Burp Suite JAR
               Command line arguments
          Mac installer
          System requirements
               CPU cores / memory
               Free disk space
               Operating system and architecture
               Useful resources for extension developers
               Handling kettled HTTP/2 requests in extensions
               BApp Store acceptance criteria
               Submitting extensions to the BApp Store
                    Step 1 - Check the acceptance criteria
                    Step 2 - Submit your extension
                    Step 3 - We review your extension
                    Updating your BApp
               Extender API examples (Legacy)
          Installing extensions
               Installing extensions from the BApp Store
                    Installing Jython or JRuby
               Installing an extension from a file
          Managing extensions
          Monitoring system impact
               Cumulative impact of extensions
     Testing workflow
          Stage 1: Map the target application
          Stage 2: Analyze the attack surface
          Stage 3: Test for vulnerabilities
               Input-based vulnerabilities
               Logic and design flaws
               Access control vulnerabilities
          Other vulnerabilities
          Setting a test scope
               Adding URLs to the scope
               Excluding URLs from the scope
          Mapping the website
               Mapping the visible surface
                    Before you start
               Discovering hidden content
                    Automated discovery
                         Before you start
                    Enumerating subdomains
          Analyzing the attack surface
               Scoping the effort to audit a website
                    Before you start
               Identifying high-risk functionality
                    Before you start
               Identifying supported HTTP methods
                    Before you start
                    Enumerating supported methods for a single endpoint
                    Enumerating supported methods for multiple endpoints
               Checking for hidden inputs
                    Before you start
               Evaluating inputs
                    Before you start
                         Manually evaluating individual inputs
                         Scanning inputs
                         Fuzzing inputs
               Analyzing opaque data
                    Decoding data
                         Investigate opaque data with the Inspector
                         Investigate opaque data with Burp Decoder
                    Identifying which parts of a token impact the response
          Testing authentication mechanisms
               Enumerating usernames
               Guessing passwords with Burp Suite
                    Before you start
          Testing session management mechanisms
               Analyzing session token generation
                    Before you start
               Determining the session timeout
               Generating a CSRF proof-of-concept
               Maintaining an authenticated session
                    Identifying a valid login expression
                    Configuring a session handling rule
                    Checking the session handling rule
     Automated scanning
          Launching scans
               Running a full crawl and audit
                    Step 1: Configure scan details
                    Step 2: Select a scan configuration
                    Step 3: Configure application logins (optional)
                    Step 4: Select a resource pool (optional)
               Scanning specific HTTP messages
                    Configuring the scan
          Setting the scan scope in Burp Suite Professional
               Scan type
               URLs to scan
                    Fragment handling
               Protocol settings
               Items to scan
          Configuring scans
               Using a preset scan mode
               Using a custom configuration
                    Using a configuration from the library
                    Creating a new configuration
                    Importing a configuration
               Combining custom scan configurations in Burp Suite Professional
          Configuring application logins
               Adding usernames and passwords
                    Adding login credentials
                    Editing existing login credentials
                    Login functions
               Adding recorded login sequences in Burp Suite Professional
                    Adding login sequences
                    Editing existing recorded logins
               Managing application logins using the configuration library
          Managing resource pools for scans
               Creating new resource pools
               Reassigning resource pools
          Live tasks
               Types of live task
               Live task scope
               Scan configuration and resource pools
               Creating live tasks
          Viewing scan results
          Audit items
               Audit phase indicators
          Reporting scan results
               Report settings
                    Report format
                    Issue details
                    HTTP messages
                    Selecting issue types
                    Report details
     Project files
          Creating project files
               Opening a project file
          Managing project files
               Saving a copy of a project
                    Saving the Burp Collaborator identifier
               Importing project files
               Recovering corrupted project files
          User and project settings
          Finding settings
          Managing settings
          Settings pages
          Key settings
               Target scope
               Platform-level authentication
               Session handling rules and macros
               Schedule tasks
               HTTP message appearance
               Session handling overview
               Session handling rules
                    Session handling tracer
               Cookie jar
               Session handling rule editor
                    Rule description
                    Rule actions
                         Use cookies from the session handling cookie jar
                         Set a specific cookie or parameter value
                         Check session is valid
                         Make requests to validate session
                         Inspect responses to determine session validity
                         Define behavior dependent on session validity
                    Run a macro to obtain a new valid session
                         Prompt for in-browser session recovery
                         Run a post-request macro
                         Invoke a Burp extension
                         Set a specific header value
                    Tools scope
                    URL scope
                    Parameter scope
                    Record macro
                    Configure item
                         Parameter handling
                         Custom parameter locations in response
                    Re-analyze macro
                    Test macro
               Startup behavior
               Java environment
               Python environment
               Ruby environment
          Configuration library
               Adding a custom configuration
               Configuration files
          Response extraction rules
                    Proxy listeners
                         Request handling
                         TLS Protocols
                    Request and response interception rules
                         Adding an interception rule
                         Modifying intercepted messages
                    WebSocket interception rules
                    Response modification rules
                    Match and replace rules
                         Adding a match and replace rule
                         Matching multi-line regions
                         Using regex groups in back-references and replacement strings
                    TLS pass through
                         Adding TLS passthrough targets
                    Proxy history logging
                    Default Proxy interception state
                    Message modification
                         Follow redirects
                         Process cookies in redirects
                         Use selected protocol for cross-domain redirects
                    Default tab group
                    Tab view
                    Live capture
                    Token handling
                    Token analysis
                    Automatic payload placement
                    New tab configuration
                    Behavior when closing result windows
                    Payload list location
               Burp's browser
                    Browser data
                    Browser running
                    Target scope
                    Out-of-scope request handling
                    Resource pools
                    New task auto-start
                    Automated tasks on startup
                    Schedule tasks
               Automatic backup
                    Platform authentication
                    Upstream proxy servers
                    Hostname resolution overrides
                    SOCKS proxy
                    TLS negotiation
                    Client TLS certificates
                    Server TLS certificates
                    Java TLS settings
                    Allowed redirect types
                    Streaming responses
                    Status 100 response handling
               Inspector and message editor
                    Inspector widgets
                    Default Inspector panel layout
                    Message editor request and response views
                    HTTP message display
                    Character sets
                    HTML rendering
                    HTTP message search
                    Learn tab display
               REST API
                    Enabling the REST API
                    Service URL
                    API key
               Performance feedback
                    Logging exceptions to a local directory
               Temporary files location
     Mobile testing
          Configuring a mobile device
          Configuring an iOS device to work with Burp Suite Professional
               Step 1: Configure the Burp Proxy listener
               Step 2: Configure your device to use the proxy
               Step 3: Install a CA certificate on your iOS device
               Step 4: Test the configuration
          Configuring an Android device to work with Burp Suite Professional
               Step 1: Configure the Burp Proxy listener
               Step 2: Configure your device to use the proxy
               Step 3: Install a CA certificate on your Android device
               Step 4: Test the configuration
          Troubleshooting for mobile devices
               I can't access HTTPS URLs on iOS even after installing Burp's CA certificate
          Background concepts
          Default protocol
          Keeping track of which protocol you're using
          Changing the protocol for a request
          Kettled requests
               What can cause a request to become kettled?
               Unkettling a request
               Kettled requests and extensions
          HTTP/2 settings
               Changing the default protocol
               Repeater options for HTTP/2
          Enforce protocol choice on cross-domain redirections
          Enable HTTP/2 connection reuse
          Strip Connection header over HTTP/2
          Allow HTTP/2 ALPN override
               Disabling HTTP/2 for proxy listeners
          Upcoming enhancements for HTTP/2 in Burp
               Increased support for kettled requests
          HTTP/2 basics for Burp users
               Binary protocol
               Message length
               Header capitalization
               What normalization is performed?
                    Why can't I move the Host header?
               Sending requests without any normalization
          Performing HTTP/2-exclusive attacks
               Injecting newlines into headers
          Video overviews
          Guided tutorials
          Brute-forcing a login with Burp Intruder
               What is a Cluster bomb attack?
               Brute-forcing a login using a Cluster bomb attack
                    Summary and next steps
          Viewing requests sent by Burp extensions using Logger
               Step 1: Send requests using an extension
               Step 2: Go to the Logger tab
               Step 3: Filter the log
               Step 4: View individual requests
          Intercepting HTTP requests and responses
          Augmenting manual testing using Burp Scanner
               Scanning specific requests
               Scanning user-defined insertion points
          Resending individual requests with Burp Repeater
          Scanning a website
          Using live tasks in Burp Suite
          Using Burp Suite projects
          Touring the Burp Suite user interface
          Using Burp Proxy's interception rules
          Testing WebSockets with Burp Suite
          Reducing noise
               Setting a basic target scope
               Using filters
          Testing for reflected XSS with Burp Repeater
               Step 1: Find an interesting request
               Step 2: Send the request to Burp Repeater
               Step 3: Search the response for your reflected input
               Step 4: Identify the injection context
               Step 5: Test for flawed input sanitization
               Step 6: Send an XSS proof of concept
               Read more
          Using match and replace rules
               Step 1: Open the lab
               Step 2: Attempt to access the admin panel
               Step 3: Add a custom match and replace rule
               Step 4: Try to access the admin panel again
               Summary and next steps
          Credential stuffing using Burp Intruder
               What is credential stuffing?
               Step 1: Open the lab
               Step 2: Send a login request to Burp Intruder
               Step 3: Select the attack type
               Step 4: Configure the payload positions
               Step 5: Add the username payloads
               Step 6: Add the password payloads
               Step 7: Start the attack
               Step 8: Analyze the results
               Step 9: Confirm your results
               What next?
          Using Burp Suite project settings
     External browser configuration
          Check proxy listener is active
          Configuring Chrome to work with Burp Suite - Windows
          Configuring Chrome to work with Burp Suite - MacOS
          Check your browser configuration
          Installing Burp's CA certificate
               Installing Burp's CA certificate on a mobile device
               Why do I need to install Burp's CA certificate?
               In-browser interface
                    Removing Burp's CA certificate from Firefox
               Installing Burp's CA certificate in Chrome - Windows
                    Removing the CA certificate from Windows
               Installing Burp's CA certificate in Chrome - Linux
                    Removing the Burp Suite CA certificate
               Installing Burp's CA certificate in Chrome - MacOS
                    Removing the Burp Suite CA certificate
                    Removing Burp's CA certificate from Safari
                    Check that Burp is running
                    Check your proxy listener is active
                    Try a different port
                    What next?
     Troubleshooting performance issues
          Check the minimum system requirements
          Identify potential bottlenecks: CPU, memory, and network
          Optimize CPU usage
               Disabling pretty printing
               Disabling JavaScript analysis
               Configuring your scans for performance
               Narrowing the scope of your scans
               Scanning a single protocol
          Optimize memory usage
               Disabling extensions
               Allocating more memory to the Java machine
               Using a disk-based project
          Optimize network usage
               Reducing concurrent scans
               Configuring resource pools
     Becoming an early adopter
          Task details
          Task execution settings
               Task auto-start
               Resource pools
          Issue activity
               Analyzing the issue activity
          Event log
          Burp's browser
               Manual testing with Burp's browser
               Scanning websites with Burp's browser
               Health check for Burp's browser
          Burp Proxy
               Proxy intercept
                    Message display
               HTTP history
                    Changing the HTTP history layout
                    Viewing a request
                    Filter settings
                         Adding annotations
               WebSockets history
                    Changing the WebSockets history layout
                    Viewing a request
                    Filter settings
                         Adding annotations
               Managing CA certificates
                    Exporting and importing the CA certificate
                    Creating a custom CA certificate
               Invisible proxying
               Working with HTTP messages
                    HTTP Repeater tab
               Sending HTTP requests in sequence
                    Send sequence prerequisites
               Working with WebSocket messages
                    WebSocket Repeater tab
               Managing tabs
                    Tab groups
               Managing tab groups
                    Creating a new tab group
                    Editing existing groups
                    Closing tab groups
               Configuring tab-specific settings
               Getting started
                         Step 1: Access the lab
                         Step 2: Try to log in
                         Step 3: Set the payload positions
                         Step 4: Select an attack type
                         Step 5: Add the payloads
                         Step 6: Start the attack
                         Step 7: Look for any irregular responses
                         Step 8: Study the response
                         What next?
                    Learn more about Burp Intruder
               Configure attack
                         Payload positions field
                              Target field
                         Configuring payload positions
                    Attack types
                         Battering ram
                         Cluster bomb
                    Payload types
                         Payload settings
                         Simple list
                         Runtime file
                         Custom iterator
                         Character substitution
                         Case modification
                         Recursive grep
                         Illegal Unicode
                         Character blocks
                         Brute forcer
                         Null payloads
                         Character frobber
                         Bit flipper
                         Username generator
                         ECB block shuffler
                         Copy other payload
                    Payload lists
                         Using predefined payload lists
                         Configuring processing rules
                         Types of processing rules
                         Configuring payload encoding
                    Resource pools
                         Creating resource pools
                         Resource pool settings
                         Moving tasks between resource pools
                         Save attack
                         Request headers
                         Error handling
                         Attack results
                         Grep - match
                         Grep - extract
                         Grep - payloads
                    Managing tabs
                    Editing attacks
                         Controlling an attack
                         Configuring an attack
                    Saving results
                         Closing attacks
                    Viewing results
                         Viewing a request
                    Analyzing results
                         Sorting results
                         Copying results
                         Filtering results
                         Adding annotations
                         Send to...
                         Show response in browser
                         Request in browser
                         Generate CSRF PoC
                         Add to site map
                         Request item again
                         Define extract grep from response
                         Copy as curl command
                         Add comment
                         Copy links
                         Save item
                    Enumerating identifiers
                         Step 1: Find a request
                         Step 2: Set a payload position
                         Step 3: Set a payload type
                         Step 4: Analyze the results
                         Use cases
                         Step 1: Set the payload positions
                         Step 2: Set the payload type
                         Step 3: Set the match grep
                         Step 4: Analyze the results
                    Harvesting data
                         Step 1: Find a request
                         Step 2: Set a payload position
                         Step 3: Set a payload type
                         Step 4: Set an extract grep
                         Step 5: Analyze the results
                         Use cases
               Site map
                    Tree view
                         Tree view icons
                    Contents pane
                    Requests and responses
                    Issues pane
                         Editing the Issues pane
                    Getting started
                              Step 1: Access the lab
                              Step 2: Go to the site map
                              Step 3: Update the site map
                              Step 4: Filter the displayed information
                              Step 5: Set the target scope using the site map
                    Workflow tools
                         Add to scope / Remove from scope
                         Send to
                         Show response in browser
                         Request in browser
                         Engagement tools
                         Compare site maps
                         Add comment / Highlight
                         Expand / collapse branch / requested items
                         Delete items
                         Copy URLs
                         Copy as curl command
                         Copy links
                         Save items
                         Show new site map window
                    Filtering the site map
                         Site map annotations
                    Comparing site maps
                         Site map sources
                         Request matching
                         Response comparison
                    Comparison results
                         Viewing comparison results
                         Interpreting comparison results
                    Site map layout
                         Contents and issues layout
                         Request and response layout
                         Adding a new site map window
                    URL-matching rules
                         Normal scope control
                         Advanced scope control
               Issue definitions
               Manual Application mapping
               Reviewing unrequested items
               Analyzing the attack surface
               Configuring the Inspector layout
               Request attributes
               Viewing HTTP message data in the Inspector
                    Automatic decoding
               HTTP/2 headers and pseudo-headers
               Selecting a substring
               Getting started with the Inspector
                         Step 1: Access the lab
                         Step 2: Log in to a user account
                         Step 3: Use the Inspector to examine the request
                         Step 4: Use the Inspector to edit the cookie
                         Step 5: Using the selection widget
                    Learn more about the Inspector
               Modifying requests
                    Adding new items to a request
                    Removing items from a request
                    Reordering items in a request
                    Editing the name or value of an item
                    Injecting newlines
                    Injecting other non-printing characters
                    Copying items from the Inspector
          Message editor
               Message analysis toolbar
                    Raw tab
                    Pretty tab
                    Hex tab
                    Render tab
                    Additional tabs
                    Extension-specific tabs
                    Actions menu
               Other ways of using the message editor
               HTTP/2 messages in the message editor
               Context-specific actions
               Text editor
                    Syntax analysis
                    Pretty printing
                    Non-printing characters
                    Text editor hotkeys
                    Quick search
               Generating payloads
               Viewing results
               Getting started
                    Step 1: Access the lab
                    Step 2: Browse the target site
                    Step 3: Send an interesting request to Repeater
                    Step 4: Inject a Collaborator payload into the request
                    Step 5: Poll for interactions
                    What next?
               Getting started with Logger
                    Step 1: Access the lab
                    Step 2: View requests on the Logger tab
                    Step 3: Audit a request with Burp Scanner
                    Step 4: Examine the requests made by Burp Scanner
                    Step 5: Filter the log
                    Step 6: Disable and clear the Logger history
                    Learn more about Logger
               Working with Logger entries
                    Viewing log entries
                    Annotating log entries
                    Logger workflow tools
                    Capture settings
                    View settings
               Task Logger
               Getting started
               Token sample
                    Configuring a live capture of tokens
                         Selecting a token location
                    Manually loading tokens
                    Live capture
                         Overall result
                         Effective entropy
                    Analysis result tabs
                         Individual tests
                         Character set
                         Bit conversion
                    Analysis settings tab
                         How the tests work
                         Character-level tests
                              Character count analysis
                              Character transition analysis
                         Bit-level analysis
                              FIPS test results
                              FIPS monobit test
                              FIPS poker test
                              FIPS runs test
                              FIPS long runs test
                              Spectral tests
                              Correlation test
                              Compression test
          DOM Invader
               Key features
               Enabling DOM Invader
               Testing for DOM XSS
                    Injecting a canary
                         Injecting a canary into multiple sources
                    Identifying controllable sinks
                    Determining the XSS context
                    Studying the client-side code
               Testing for DOM XSS using web messages
                    Enabling web message interception
                    Identifying interesting web messages
                    Automated web message analysis
                    Message details
                         Origin accessed
                         Data accessed
                         Source accessed
                    Replaying web messages
                    Generating a proof of concept
               Testing for client-side prototype pollution
                    Enabling prototype pollution
                    Detecting sources for prototype pollution
                    Manually confirming sources for prototype pollution
                    Scanning for prototype pollution gadgets
                    Generating a proof-of-concept exploit
               Testing for DOM clobbering
                    Enabling DOM clobbering
                         Enable DOM Invader
                         Postmessage interception
                         Customizing sources and sinks
                    Attack types
                         Prototype pollution
                         DOM clobbering
                    Web message settings
                         Postmessage origin spoofing
                         Canary injection into intercepted messages
                         Filter messages with duplicate values
                         Generate automated messages
                         Detect cross-domain leaks
                    Prototype pollution settings
                         Scan for gadgets
                         Auto-scale amount of properties per frame
                         Scan nested properties
                         Query string injection
                         Hash injection
                         JSON injection
                         Verify onload
                         Remove CSP header
                         Remove X-Frame-Options header
                         Scan each technique in separate frame
                         Disabling prototype pollution techniques
                         Message filtering by stack trace
                         Auto-fire events
                         Redirection prevention
                         Add breakpoint before redirect
                         Inject canary into all sources
                         Configuring callbacks
                         Remove Permissions-Policy header
                         Copying the canary
                         Changing the canary
               Setting up Burp Clickbandit
               Running an attack
               Reviewing an attack
               Carrying out comparisons
               Carrying out transformations
          Engagement tools
               Target analyzer
               Content discovery
                    Control tab
                    Config tab
                         File extensions
                         Discovery engine
                    Site map tab
               Generate CSRF PoC
                    CSRF PoC options
               Manual testing simulator
               How Burp Infiltrator works
               Installing Burp Infiltrator
                    Non-interactive installation
               Configuration options
               Text search
               Find comments and scripts
               Find references
Enterprise Edition
     Getting started with Burp Suite Enterprise Edition
     Working with sites
     Working with scans
     Working with scan results
     Configuring Burp Suite Enterprise Edition infrastructure
     Managing users and permissions
     Integrating with other tools
     Extending capabilities
     Troubleshooting in Burp Suite Enterprise Edition
     API documentation
     Getting started
          Additional information
          Preparing to deploy Burp Suite Enterprise Edition
               Decide on your licensing needs
               Choose your deployment type
               Choose your preferred architecture
               Plan your database setup
               Review the system requirements
               Plan your network and firewall setup
               Prepare your organization
          Deployment options
          Prerequisites for a standard installation
               TLS certificate
               Installation location
               System user
               Scanning machine requirements
               Database setup script
          Configuring your environment network and firewall settings
               Configuring a single-machine deployment
               Configuring a multi-system deployment
          Installing Burp Suite Enterprise Edition
               Before installation
               Step 1: Download the installer
               Step 2: Extract and run the installer
               Step 3: Choose an install location
               Step 4: Select the components to install
               Step 5: Specify a logs directory
               Step 6: Specify a data directory
               Step 7: Select a user to run processes
               Step 8: Select database options
               Step 9: Specify a web server port
               Step 10: Specify a database backups directory
               After installation
          Configure the application
               Uploading a TLS certificate
               Configuring database details
               Configuring admin user details
          Activating your license
          What next?
               Complete your network settings
               Add more scanning machines
               Import sites in bulk
               Schedule scans
               Set up your email server
               Add more users
               Set up integrations
               Learn more about working with sites
               Learn more about working with scans
               Learn more about analyzing scan results
          Unattended installation
               Performing an unattended installation with Linux
               Performing an unattended installation with Windows
               Varfile field guide
          Deploying Burp Suite Enterprise Edition to Kubernetes
               Deploying Burp Suite Enterprise Edition from scratch
                    Set up a suitable Kubernetes cluster
                         Using the reference template
                    Install the application
                         Downloading the Helm chart
                         Providing custom values for the Helm chart
                              Note for Oracle users
                         Using the Helm chart
                         Installing using a pre-existing values file
               Migrating from a legacy cloud deployment
                    Set up a suitable Kubernetes cluster
                         Using the reference template
                    Install the application
                         Downloading the Helm chart
                         Providing custom values for the Helm chart
                         Using the Helm chart
                    Configuring TLS
                    Back up your data and stop your old service
                         Stopping your scans
                         Scaling your environment down
                         Creating a new database instance
                    Configuring database details
                         Connecting to your database
                    Activating your license after migration
                    Check the new deployment
                         Decommission your old deployment
                         Next steps with Kubernetes
               Updating Burp Suite Enterprise Edition on Kubernetes
                    Preparing to update
                    Running the update command
               Support scope for Kubernetes deployments
                    PortSwigger Kubernetes support scope
                         Not supported
                    Kubernetes customer responsibilities
          System requirements
               Concurrent scans
               Standard deployments
                    General requirements
                    Supported operating systems
                    Single-machine deployment
                    Multi-machine deployment
                    Container system requirements
                         Minimum requirements for general container limits
                         Minimum requirements for a web server container
                         Minimum requirements for an Enterprise server container
                         Minimum requirements for a scan container
               External database
                    Supported database versions
                    Database hardware requirements
          Setting up the external DB
               Database setup scripts
                    MariaDB / MySQL
                    Microsoft SQL Server
               Authentication mode
               Additional configuration for Microsoft SQL Server
               Database connection URL format
               Troubleshooting for MySQL databases
               Distributing the public key manually
          Trial deployment guide
                    Activating your license
               Run your first scan
               Analyze scan results
     Managing users and permissions
          Role-based access control
               Vertical segregation of permissions
               Horizontal segregation of permissions
          Restricting access to sites
          Managing users
               Viewing users
               Creating a new user
               Creating an API user
               Editing users
               Suspending a user temporarily
               Deleting a user
          Managing groups
               Creating a new group
               Editing a group
               Restricting access to sites
               Deleting a group
          Managing roles
               Creating a new role
               Modifying roles
               Deleting roles
          Enabling single sign-on
               Configuring user permissions
                    Creating groups with SAML
               Configuring SAML single sign-on for Burp Suite Enterprise Edition
                    Configuring SAML SSO with ADFS
                         Step 1: Add Burp Suite Enterprise Edition to your trusted applications
                         Step 2: Obtain key details from ADFS
                         Step 3: Enter the key details in Burp Suite Enterprise Edition
                         Step 4: Configure how groups are managed
                              Create a central claim issuance policy
                         Create claim rules for each group individually
                    Configuring SAML SSO with Azure Active Directory
                         Step 1: Add Burp Suite Enterprise Edition to your trusted applications
                         Step 2: Import key details from Azure AD
                         Step 3: Configure group membership
                    Configuring SAML SSO with Okta
                         Step 1: Add Burp Suite Enterprise Edition to your trusted applications
                         Step 2: Obtain key details from Okta
                         Step 3: Enter the key details in Burp Suite Enterprise Edition
                         Step 4: Configure Okta Group Attribute Statements
                    Configuring single logout
          Configuring SCIM
                    Set a port for the SCIM URL and generate an API token
                    Upload a TLS certificate
                    Configure the connection in Okta
                         Enable SCIM provisioning
                         Enter the connection details
                         Configure the provisioning to app settings
                    Push your Okta users and groups to Burp Suite Enterprise Edition
                    Set a port for the SCIM URL and generate an API token
                    Upload a TLS certificate
                    Configure the connection in OneLogin
                         Enter the connection details
                         Configure the parameters
                    Enable SCIM provisioning
                    Push your OneLogin users to Burp Suite Enterprise Edition
                         Troubleshooting provisioning issues in OneLogin
               Managing SCIM users and groups
                    Assigning permissions to SCIM users
                    Assigning permissions to SCIM groups
                    Removing a SCIM user
          Resetting your admin password
               Resetting your admin password (standard deployments)
               Resetting your admin password (Kubernetes)
          Downloading logs
          Help center
               Support pack
     Working with sites
          Sites section contents
          Adding new sites
               Optional settings for your new site
          Performing a pre-scan check
          Importing sites in bulk
               Preparing the import CSV file
               Uploading the CSV file
          Editing existing sites
          Configuring site settings
          Configuring site login details
               Configuring site login details
               Adding recorded login sequences
                    Adding recorded login sequences to Burp Suite Enterprise Edition
                    Reviewing a recorded login sequence
          Defining the scan configuration for a site
          Defining the scan configuration for a folder
               How scan configurations are combined
               How preset scan modes are combined
          Managing the site tree
               Creating folders and subfolders
               Adding individual sites to a folder
               Moving sites and folders in bulk
               Deleting sites and folders
          Using preset scan modes
          Setting up scan notifications
               Email notifications
                    Setting up email notifications when creating a new site
                    Setting up email notifications for existing sites
               Slack notifications
                    Setting up Slack notifications when creating a new site
                    Setting up Slack notifications for existing sites
     Working with scans
          Creating scans
               Create a new scan
          Viewing scan details
          Monitoring scan progress
               Reviewing scan errors
          Managing scheduled scans
               Viewing scheduled scans
               Editing scheduled scans
               Deleting scheduled scans
               Editing schedule scan configurations
          Performing bulk actions with scans
          Using custom scan configurations
               Assign a custom scan configuration to a site
               Create a custom scan configuration
               Importing scan configurations
          Configuring default false positive settings
          Configuring sites and scan data
          Downloading logs
               Download the event log
               Download the debug log
     Working with scan results
          Tracking issues over time
               Viewing the dashboard for a site
               Viewing the dashboard for a folder
               Viewing the severity trend
          Viewing issue details
               View details for a specific issue
          Handling false positives
               Mark an issue as a false positive
          Downloading reports
               Download a standard report
               Download a compliance report
               Send scan summary reports automatically
               Export issue data
          Raising tickets
               Raising GitLab issues
                    Raising GitLab issues for multiple issues
               Raising Jira tickets
                    Unlink Jira tickets
                    Raising Jira tickets for multiple issues
               Raising Trello cards
                    Raising Trello cards for multiple issues
               Raising tickets for multiple issues
                    Linking multiple issues to an existing ticket
                    Managing linked tickets
     Configuring the infrastructure
          Architecture overview
               Enterprise server
               Web server
               Scans and scanning machines
          Single vs. multi-machine deployment
               Single machine deployment
               Multi-machine deployment
          Configuring your web server
               Enabling TLS
          Configuring an HTTP proxy server
          Managing certificates for outbound connections
          Configuring your SMTP server
               Using an HTTP proxy server to connect to the SMTP server
               Connecting to an external email service
               Connecting to an internal email service
               Verifying your SMTP server connection
          Whitelisting an application for CORS
          Managing Services
               Managing Burp Suite Enterprise Edition services
                    List running services
                    Stop running services
                    Start services
          Managing updates
               Configuring automatic updates
               Manually checking for updates
               Manually installing updates
               Downtime during updates
          Managing scanning resources
               Standard deployments
               Kubernetes deployments
               Scanning machines
                    Scanning pools
                    Deploying additional scanning machines
                         Setting up a new scanning machine
                         Authorizing a new scanning machine
                    Managing scanning pools
                         Features of scanning pools
                         Create a new scanning pool
                         Reassign a scanning machine to a different pool
                         Reassign a site to a different pool
                    Assigning scan limits
                         Additional scans
               Kubernetes scanning resources
                    How does scanning work on Kubernetes?
                    Configuring scanning resources
                    Managing Kubernetes scan resources
                         Setting concurrent scan limits
                         Disabling scanning
                         Amending your license
                         Viewing active scans
          Configuring the database
               Configuring database backups
               Migrating to an external database
                    Preparing for the migration
                         Prerequisite steps for Oracle databases
                    Migrating your data
                         Running the database transfer command manually
                    Restarting the Burp Suite Enterprise Edition services
     Integrating with issue tracking platforms
          Integrating with GitLab
               (Recommended) Create a new GitLab user for the integration
               Generate a GitLab impersonation token
               Connect Burp Suite Enterprise Edition to GitLab
                    Enable GitLab issues to be raised manually
                    Enable GitLab issues to be raised automatically
               Raising GitLab issues from within Burp Suite Enterprise Edition
          Integrating with Jira
               (Recommended) Create a new Jira user for the integration
               Generate a Jira API token (Jira Cloud only)
               Connect Burp Suite Enterprise Edition to Jira
                    Enable manual Jira ticket creation
                    Enable automatic Jira ticket creation
               Manually creating Jira tickets
          Integrating with Trello
               (Recommended) Create a new Trello user for the integration
               Connect Burp Suite Enterprise Edition to Trello
                    Enable manual Trello card creation
                    Enable automatic Trello card creation
               Raising Trello cards from within Burp Suite Enterprise Edition
     Integrating with your CI/CD platform
          Overview of CI/CD platform integration
               Integration types
               Detailed instructions
          Integration types
               Site-driven scan
               Burp scan
          Create an API user
               Create a role and group for CI/CD users
               Create the CI/CD API user
               Create an API user
               Download and install the plugin
               Configure the integration
               Site-driven scan
                    Whitelist your Jenkins URL
                    Create the site-driven scan build step in Jenkins
                    Test your integration
               Burp scan
                    Create the Burp scan build step in Jenkins
                    Test your integration
               Create an API user
               Download and install the plugin
               Configure the integration
               Site-driven scan
                    Whitelist your TeamCity URL
                    Create the site-driven scan build step in TeamCity
                    Test your integration
               Burp scan
                    Create the Burp scan build step in TeamCity
                    Test your integration
          Integrating with other CI/CD platforms
               Site-driven scan
                    Add the build steps to your pipeline
                    Test your integration
               Burp scan
                    Add the build steps to your pipeline
                    Test your integration
               Parameter reference
          Optional settings
               Configuring optional settings using the native platform plugins
               Configuring optional settings using the generic CI/CD driver
               Overriding the default scan configurations from your CI/CD system
               Ignoring issues
     Integrating with other tools
          Integrating with Slack
               Create a Slack app
               Add the app to your Slack channels
               Connect your Slack app to Burp Suite Enterprise Edition
               Manage which Slack channels are available
     BApps and custom extensions
               Extension library
          Adding extensions
               Prerequisite permissions for adding extensions
               Adding a BApp to Burp Suite Enterprise Edition
               Creating a custom extension for Burp Suite Enterprise Edition
               Adding a custom extension to Burp Suite Enterprise Edition
          Managing extensions
               Viewing extension details
               Removing an extension from Burp Suite Enterprise Edition
          Scanning with extensions
               Applying extensions to a new site
               Applying an extension to an existing site
               Removing an extension from a site
     API documentation
          API overview
               Using the APIs
          Creating API users
          REST API
          GraphQL API documentation
               GraphQL API
               Getting started with the GraphQL API
                    Creating an API user
                    Structuring the GraphQL call
                    Example request
                    Using Insomnia
               GraphQL common tasks
                    Query and mutation names
                    Retrieving a list of scans
                    Retrieving the most recent scan for a site
                    Retrieving basic details for a specific scan
                    Retrieving a list of scan configurations
                    Retrieving basic site tree details
                    Retrieving scan issue information
                    Retrieving all issues for a scan
                    Retrieving detailed information about a specific issue
                    Generating a scan remediation report
                    Creating a site
                    Scheduling a new scan
                    Moving a site to a new folder
          Technical infrastructure
          Troubleshooting in Burp Suite Enterprise Edition
          API reference
          User interface
          Home page
          Sites page
               Site filters
               Site actions
          Scans page
               Scheduled scans
                    Schedule scan configurations
          Scan details
               Failed scans
          Site and scan data settings
               Automatic site creation for API-generated scans
                    How does Burp Suite Enterprise Edition decide which sites to match?
               Scan deltas
          Issue details
               Advisory tab
               Request and response tabs
               Dynamic analysis
               Standard reports
                    Included severities
                    False positives
               Compliance reports
                    Compliance report contents
                    Uncategorized issues
                    Viewing scan details
               Automatic scan summary reports
          Team page
          Settings menu
          Site-level view
               Scheduled scans
                    Site details
                    Site scope
                    Scan settings
          Folder-level view
               Folder-level dashboard
          Browser-powered scans
               How to enable browser-powered scanning for Burp Suite Enterprise Edition
                    Enabling browser-powered scanning on Linux machines
          Performing bulk actions in the site tree
               Permissions for bulk actions
     How to run Dastardly
     Integrating Dastardly with your existing CI/CD platform
     Dastardly system requirements
     Troubleshooting Dastardly
          Jenkins server requirements
          Configuring the Jenkins pipeline
          Creating the Jenkinsfile
          Viewing Dastardly scan results in Jenkins
          TeamCity agent requirements
          Creating the settings file
          Configuring the TeamCity pipeline
          Viewing Dastardly scan results in TeamCity
     Platform independent
          Dastardly scan results
          Browser sandbox
          Scanning APIs
     How do scans work?
          Core approach
          Session handling
          Detecting changes in application state
          Authenticated scanning
          Application login credentials
          Crawling volatile content
          Crawling with Burp's browser
          Audit phases
          Issue types found
          Insertion points
               Encoding data within insertion points
               Nested insertion points
               Modifying parameter locations
          Automatic session handling
          Avoiding duplication
               Consolidation of frequently occurring passive issues
               Handling of frequently occurring insertion points
          JavaScript analysis
          Handling application errors
     Authenticated scanning
          Login credentials
               How does Burp Scanner use login credentials?
               Login settings
          Identifying login and registration forms
               Why is Burp Scanner not filling in my login forms?
          Recorded login sequences
               Using recorded login sequences
          Best practice for recording login sequences
               Limitations of recorded login sequences
                    Tips for recording successful login sequences
                    Troubleshooting recorded login sequences for Burp Suite Enterprise Edition
          Recording login sequences
               Preparing the Burp Suite Navigation Recorder extension
               Recording a login sequence
               Adding recorded login sequences to Burp
          Troubleshooting recorded login sequences
     Scan configurations
          Preset scan modes
               Setting preset scan modes for folders
          Custom scan configurations
               Scan configuration structure
               Combining custom configurations
               Setting scan configurations for folders
          Built-in configurations
               Audit checks - all except JavaScript analysis
               Audit checks - all except time-based detection methods
               Audit checks - critical issues only
               Audit checks - extensions only
               Audit checks - light active
               Audit checks - medium active
               Audit checks - passive
               Audit coverage - maximum
               Audit coverage - thorough
               Crawl and audit - balanced
               Crawl and audit - deep
               Crawl and audit - fast
               Crawl and audit - lightweight
               Crawl limit - 10 minutes
               Crawl limit - 30 minutes
               Crawl limit - 60 minutes
               Crawl strategy - faster
               Crawl strategy - fastest
               Crawl strategy - more complete
               Crawl strategy - most complete
               Minimize false negatives
               Minimize false positives
               Never stop audit due to application errors
               Never stop crawl due to application errors
          Crawl options
               Crawl optimization
                    Crawl strategy
               Crawl limits
               Login functions
               Handling application errors during crawl
               Crawl project option overrides
               Miscellaneous crawl settings
                    Burp's browser options
          Audit options
               Audit optimization
               Issues reported
               Handling application errors during audit
               Insertion point types
               Modifying parameter locations
               Ignored insertion points
               Frequently occurring insertion points
               Misc insertion point options
               JavaScript analysis options
               Audit project option overrides
     Browser-powered scanning
          Use cases for browser-powered scanning
     Scanning APIs
          Starting an API scan
          Prerequisites for API definitions
          Deciding what parameters to send in the crawl
          Scannable endpoint definition
     Scanning single-page apps
          Configuring scans of SPAs
          Crawl strategy
          Routing fragments
          Non-standard clickable elements
     Burp Scanner error reference
          Burp Scanner errors in Burp Suite Professional
          Burp Scanner errors in Burp Suite Enterprise Edition
     Vulnerabilities list
Burp Collaborator
          External service interaction
          Out-of-band resource load
          Blind SQL injection
          Blind cross-site scripting
          Private or public server
          Data security
               Data storage
               Data retrieval
               Collaborator-based email addresses
          Deploying a private server
               General setup
               Setting up the domain and DNS records
               Setting up the ports and firewall
               Setting up your server resources
               Setting up the configuration file
               Launching the Collaborator server
               Health check and troubleshooting
               Basic setup
               Configuring your private server
                    Configure TLS certificates
                    Add a polling interface
                    Use CNAME settings
                    Truncate interaction messages
                    Collect usage metrics
                    Log interaction information
                    Add custom HTTP content
                    Add custom DNS records
               Example configuration file
                    Configuration file fields
                    Alternative configuration fields:
                    Collaborator health check
                    Server domain resolution
Search results