4. Run your first scan
Last updated: September 9, 2021
Read time: 4 Minutes
Burp Scanner can be used as both a fully automated scanner and a powerful means of augmenting your manual testing workflow. The list of vulnerabilities that Burp Scanner can detect is constantly growing. We work closely with our world-class research team to make sure that it stays up to speed with the latest techniques for finding both classic bugs and newly discovered vulnerabilities alike.
Scanning a website involves two phases:
- Crawling for content and functionality: Burp Scanner first navigates around the target site, closely mirroring the behavior of real users. It catalogs the structure and content of the site, and the paths used to navigate it, in order to build a comprehensive map of the site.
- Auditing for vulnerabilities: The audit phase of a scan involves analyzing the website's behavior to identify security vulnerabilities and other issues. Burp Scanner employs a wide range of techniques to deliver a high-coverage, accurate audit of the target.
Burp Scanner is only available with Burp Suite Professional. If you're using Burp Suite Community Edition, you won't be able to follow this tutorial.
Scanning a website
In this section, you'll learn how to launch your first automated vulnerability scan.
Step 1: Open the scan launcher
Go to the Dashboard tab and select New scan.
The Scan launcher dialog opens. This is where you can adjust various settings to control Burp Scanner's behavior.
Step 2: Enter the URL of the target site
In the URLs to scan field, enter
portswigger-labs.net. Leave all the other settings as their default for now.
Using Burp Scanner may have unexpected effects on some applications. Until you are fully familiar with its functionality and settings, you should only use Burp Scanner against non-production systems. Do not run scans against third-party websites unless you have been authorized to do so by the owner.
Step 3: Launch the scan
Click OK to launch the scan. Burp Scanner will begin crawling from the URL you entered in the previous step.
Notice that a new task has been added to the Dashboard to represent this scan. This displays some key information, such as the phase of the scan that is currently running, how many requests have been sent, and so on.
While your scan is running, proceed to Step 4.
Step 4: See the crawl in action
Go to the Target > Site map tab and notice the new entry for
portswigger-labs.net. Expand this node to see all of the content that the crawler has managed to discover
so far. If you wait a few seconds, you'll see the map being updated in real time.
Step 5: View the identified issues
Monitor the scan's status in the dashboard. After a minute or two, the crawl will finish and Burp Scanner will begin auditing for vulnerabilities. As it finds issues, these will be displayed in the Issue activity panel on the Dashboard tab.
If you select an issue, you can see an Advisory tab, which contains key information about the issue type, including a detailed description and some remediation advice. Next to this are several tabs that provide evidence that Burp Scanner found for this issue. This is typically a Request and Response but will differ depending on the issue type.
Generating a report
In this section, you'll learn how to generate a report based on your scan results.
Step 1: Select the relevant issues
Go to the Target > Site map tab, right-click on the entry for
https://portswigger-labs.net, and select Issues > Report issues for this host.
Step 2: Configure the report options
A wizard guides you through various options, such as which file format to use, how much detail to include, and so on. For now, just click Next to accept the defaults until you're prompted to enter a filename and location for the report.
Step 3: Generate and save the report
Click Select file and choose a location where you want to save the report. Enter a name for the file.
You must include the appropriate file extension, in this case,
Click Save and then Next to generate the report.
Step 4: View and share your report
Open the report in your browser to see what it contains. This is useful for reporting the results of your scans to colleagues or clients.
You've just performed your first scan using Burp Suite and generated a report of your findings.
Next step - Continue learning about BurpCONTINUE