PROFESSIONAL

Scanning specific HTTP messages

  • Last updated: September 14, 2023

  • Read time: 2 Minutes

Scanning specific HTTP messages makes it easy to run focused scans on a particular set of requests or responses.

You can scan HTTP messages from most places that display HTTP traffic in Burp Suite. In tools that display lists of HTTP requests (such as the Site map and HTTP history tabs) you can select multiple entries to scan.

To scan the selected HTTP messages, right-click and select one of the scan options from the context menu. There are three options available:

  • Scan. This menu item has two options:

    • Open scan launcher. This opens a scan launcher window from where you can configure the scan.
    • Add to task. This enables you to add a scan of the message to a pre-existing task.
  • Do passive scan. Burp Scanner analyzes the contents of the base request and response, rather than sending its own requests.

  • Do active scan. Burp Scanner sends its own requests to the target to probe for vulnerabilities.

Configuring the scan

The scan launcher window used to configure scans of specific HTTP messages is similar to that displayed when you click the New Scan button, but with some key differences.

To configure a scan of specific HTTP messages:

  1. Right-click the messages required and select Scan > Open scan launcher.

  2. From the Scan details tab, select the Scan type you want to run:

    • Crawl and audit.
    • Crawl.
    • Audit selected items. This is the default option, and is only available when scanning specific HTTP messages.
  3. Select the task that you want the scan to run under:

    • To add the scan to an existing task, select Add to task and select the required task from the list.
    • To have the scan run under its own task, select Create new task.
  4. Optionally, select Consolidate items to remove unnecessary messages from the scan. You can consolidate items using the following criteria:

    • Duplicates (messages that have the same URLs and parameters).
    • Out-of-scope messages based on the current suite scope.
    • Messages with no parameters.
    • Messages with a specified file extension.
  5. Optionally, specify details for the remaining launcher tabs:

    • Scan configuration. Preset scan modes are not available when scanning specific HTTP messages. You can use scan configurations from the library as usual.
    • Application login. You cannot specify application logins if you are using the Audit selected items scan mode.
    • Resource pool.
  6. Click OK to start the scan.

Related pages

Was this article helpful?