Setting the scan scope in Burp Suite Professional
Last updated: September 14, 2023
Read time: 4 Minutes
The Scan details section of the scan launcher enables you to select the scan type, and the details of what will be scanned.
You can select from the following scan types:
- Crawl and audit - This performs a crawl from one or more starting URLs, and then audit the discovered content for vulnerabilities.
- Crawl - Performs a crawl from one or more starting URLs.
- Audit selected items - This option is only available for scans initiated by selecting one or more requests/responses within Burp, and clicking Scan on the context menu.
Depending on the scan type selected, the scan launcher shows options for the scope of the scan or the individual items to be scanned.
URLs to scan
This section is displayed for Crawl and audit and Crawl scan types. You can configure one or more start URLs from which Burp will start the crawl. Burp Scanner follows any links from these URLs into the application. For more information on how Burp Scanner uses start URLs when crawling a site, see the Crawling page of the Scanner documentation.
By default, the scope of the crawl is restricted to the configured URLs, ending with the final directory (if any). For example, if you specify a start URL of
https://example.org/myapp/welcome.php, the crawler begins at this URL and crawls content within the path
Burp identifies the final directory based on the final slash (
/) in the URL. For example, if you enter
https://example.org/myapp/myfolder, all content within the path
https://example.org/myapp/ is considered in-scope. To limit the scope to the
myfolder directory, you would need to enter
You can override the default behavior and provide a different scope configuration by opening the Detailed scope configuration toggle. This enables you to define the scope of the crawl using either URL prefixes or advanced matching rules, as for Burp's Target scope. Note that you still need to specify the URLs to scan, since these are the starting points for the crawl, and the URLs to scan must fall within the defined scope.
You can use wildcards when you set a simple scope using URL prefixes. This enables you to simplify your list of in-scope URLs.
For example, you can use wildcards to quickly and easily add all subdomains of the target domain to scope:
*.example.com- This matches any subdomains of
example.com. For example,
abc.example.com. It doesn't match
*example.com- This matches any subdomains of
example.com, as well as
The wildcard can only be used at the beginning of the hostname section of the URL.
Wildcards are not supported in the URLs to scan field.
When using advanced scope control, * has its usual regex language meaning.
For scans using Burp's browser, Burp accepts URLs with fragments (
#). This enables Burp Scanner to handle client-side routing found in React apps and single-page applications. However, the legacy crawling engine does not support URL fragments. If browser-powered scanning is disabled in your scan configuration, you cannot include a fragment in any start URLs.
If you attempt to include a URL fragment with browser-powered scanning disabled, an error message appears. To do this, go to the Miscellaneous crawl settings of your scan configuration and use the drop-down menu to enable Use Burp's browser for Crawl and Audit.
Specifying the protocol for each URL is optional. To control which protocols are used to scan your URLs, select one of the following options:
- Scan using HTTP & HTTPS - When this option is selected, all of your URLs are scanned using both HTTP and HTTPS, regardless of whether you explicitly specified a protocol in the list of URLs.
- Scan using my specified protocols - When this option is selected, Burp Scanner scans the URLs using the protocols that you specify. For example, if you only include the URL
http://example.org, the URL
https://example.orgis not scanned. Any URLs for which no protocol is specified are still scanned using both HTTP and HTTPS.
If Burp identifies that the content at a given location is the same for both protocols then it only scans that location once, even if you choose to scan using both HTTP and HTTPS.
Advanced scan parameters
This section contains the Run isolated scan setting. Results from isolated scans do not appear in the Target > Site map or Target > Crawl paths tabs, or on the Dashboard issue activity log. It can be useful to isolate a scan if you want to test scan configurations without impacting "live" scan results, for example.
You can view site map and crawl path information for an isolated scan from the Tasks > View details > Target tab. For more information on these tabs see:
Items to scan
This section is displayed for the Audit selected items scan type. The URLs of the selected items are listed. Note that the same URL appears more than once if there are multiple requests to the same URL with different parameters.
Where you have a lot of items to scan, it is often useful to consolidate the selected items to improve the efficiency of the scan. Click Consolidate items to display a wizard that enables you to choose to remove certain items:
- Duplicate items in the selection (those with matching URL and parameter names).
- Out-of-scope items (based on the current suite scope).
- Items with no parameters.
- Items with specific file extensions.
For each option, Burp shows the number of affected items. Any options that would result in none or all of the items being removed are unavailable.
The consolidation wizard then displays the full list of items that will be scanned. You can double-click any item in the list to view the full request and response. You can also remove any further items that you do not wish to scan manually.
Was this article helpful?
An error occurred, please try again.