Last updated: September 14, 2023
You can use the reporting wizard to customize the format and content of your report.
You can generate a report in HTML format. This is the best choice if you want to print your report, or view it in a browser. You can also export issue data in XML format. This is useful if you want to import information about issues into other tools or reporting frameworks.
If you export issue data, you can choose to Base64-encode HTTP requests and responses within the XML output. This is useful because HTTP messages may contain nonprinting characters that are not permitted in XML documents, even in CDATA blocks. If you Base64-encode HTTP requests, you can make sure that your report is compatible with strict XML parsers.
The XML file includes an internal Document Type Definition (DTD), which defines its structure and attributes. If you are an author of interoperability code, you can export issue data for any chosen issue, and view the XML file to see the DTD.
The report uses the following XML elements:
- The `serialNumber` element contains a long integer that is unique to that individual issue instance. If you export a list of current issues several times from the same instance of Burp, you can use the serial number to identify incrementally new issues.
- The `type` element contains an integer that uniquely identifies the issue type, such as SQL injection, or XSS. This value is constant across different instances of Burp. See the list of scan issue types for a list of all numeric type identifiers.
- The `name` element contains the descriptive name for the issue type. See the list of scan issue types for a list of all issue names.
- The `path` element contains the URL for the issue. It excludes the query string.
- If relevant, the `location` element includes the URL and a description of the entry point for the attack. For example, it may contain a specific URL parameter, or a request header.
- The `response` elements contain a `base64` attribute. It contains a Boolean value that indicates if the messages are Base64-encoded.
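As an added example (not from the original page or from PortSwigger), the following Python reads two exports, decodes each `response` according to its `base64` attribute, and uses `serialNumber` to find the issues that are new in the second export. The `issues` and `issue` wrapper element names, the text format inside `location`, and all sample values are assumptions constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

def parse_export(xml_text):
    """Map serialNumber -> issue fields, decoding each response by its base64 flag."""
    issues = {}
    # "issue" as the per-issue wrapper element is an assumption, not from the page.
    for node in ET.fromstring(xml_text).iter("issue"):
        responses = []
        for resp in node.iter("response"):
            raw = resp.text or ""
            if resp.get("base64") == "true":
                responses.append(base64.b64decode(raw))  # exact original bytes
            else:
                responses.append(raw.encode("utf-8"))    # text as the XML parser saw it
        issues[int(node.findtext("serialNumber"))] = {
            "type": int(node.findtext("type")),
            "name": node.findtext("name"),
            "path": node.findtext("path"),
            "location": node.findtext("location"),
            "responses": responses,
        }
    return issues

def new_issues(previous, current):
    """Issues whose serialNumber was absent from the earlier export."""
    return {s: i for s, i in current.items() if s not in previous}

def _issue(serial, name, path, body, encode):
    # Builds one constructed <issue> record for the sample exports below.
    text = base64.b64encode(body).decode() if encode else body.decode()
    flag = "true" if encode else "false"
    return (f"<issue><serialNumber>{serial}</serialNumber><type>1</type>"
            f"<name>{name}</name><path>{path}</path><location>{path} [id parameter]</location>"
            f"<response base64='{flag}'><![CDATA[{text}]]></response></issue>")

# Constructed sample data: two exports taken from the same Burp instance.
DTD = "<!DOCTYPE issues [<!ELEMENT issues (issue*)>]>"
BINARY = b"HTTP/1.1 200 OK\r\n\r\n\x00\x1b\xff"  # bytes XML cannot carry as text
FIRST = DTD + "<issues>" + _issue(101, "Sample issue A", "/login", b"HTTP/1.1 200 OK", False) + "</issues>"
SECOND = FIRST.replace("</issues>", _issue(102, "Sample issue B", "/search", BINARY, True) + "</issues>")

if __name__ == "__main__":
    added = new_issues(parse_export(FIRST), parse_export(SECOND))
    for serial, issue in added.items():
        print(serial, issue["name"], issue["path"], issue["responses"][0])
```

Only the Base64-encoded response round-trips byte for byte; an unencoded message is returned as whatever text the XML parser produced.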
You can choose the types of details to include in the report:
- Issue background - The standard description of the issue. This is the same for all issues of the same type.
- Remediation background - The standard remediation advice. This is the same for all issues of the same type.
- Issue detail - Specific information about the issue, if relevant.
- Remediation detail - Specific remediation advice for the issue, if relevant.
- Vulnerability classifications - Mappings to the Common Weakness Enumeration (CWE) list.
You can choose how HTTP messages appear in the report. Select the following options for requests and responses:
- Do not include - The report excludes messages of the selected type.
- Include relevant extract - The report includes the parts of the message that are highlighted in the in-tool results. It also includes some of the surrounding message, to give context.
- Include in full - The report includes the full messages, which may include content that doesn't directly help to understand or reproduce the issue. You can limit each message to a maximum length, so that the report doesn't become too large.
Selecting issue types
The wizard lists the different types of issues in your selection, and a count of the number of instances of each type. You can deselect issues by type. This is useful if you select a large number of issues, and want to remove less interesting issues from the report.
For HTML reports, you can specify the following details:
- Report title.
- How issues should be organized within the report:
  - By type.
  - By severity.
  - By URL.
- The number of levels of detail to include in the table of contents.
- The severities of issue to include in the summary table and bar chart.