Troubleshooting performance issues in Burp Suite

  • Last updated: October 6, 2021


There are circumstances in which Burp Suite can run slowly. In this section, we'll describe some quick steps you can take to troubleshoot performance issues in Burp Suite and increase the efficiency of your testing.

Check the minimum system requirements

All editions of Burp Suite require 64-bit hardware. For the best experience with Burp Suite Professional, we recommend using a machine with at least 8 GB of memory and 2 CPU cores. If you are performing large amounts of work, or testing large or complex applications, you may need a more powerful machine than this.

Identify potential bottlenecks: CPU, memory, and network

Burp Suite places additional load on your machine's CPU and memory, and on the network over which it runs.

Optimize CPU usage

Manage Burp's CPU use by disabling certain features and configuring scans in the following ways:

Disabling pretty printing

Wherever HTTP requests or responses are displayed in Burp Suite, such as in the "Target" tab or in Burp Repeater, you have the option to view a prettified version of the message as well as the raw content. Prettifying larger files, especially JavaScript files, can take some time. By default, Burp Suite uses the "Pretty" view for all supported content types. However, if you find that this is causing poor performance, you can disable this option so that the "Raw" view is used instead. To do this:

  1. Select the "User options" and then "Display" tabs.
  2. Under the "HTTP Message Display" section, uncheck the "Pretty print by default" box.

Disabling JavaScript analysis

JavaScript analysis is computationally expensive and can slow down the auditing phase of a scan. If you are not interested in the JavaScript running on your target, disable the analysis as follows:

  1. Select "Burp" from the main menu and then "Configuration library".
  2. Select a new scan configuration or edit an existing one. Select "Auditing".
  3. Expand the "Issues Reported" section.
  4. Uncheck the "JavaScript Analysis" box.
  5. Save the configuration and select "OK".

Configuring your scans for performance

Burp Scanner has many configurable options for optimizing performance during both the crawl and audit phases. Configure scans to improve performance as follows:

  1. Select "Burp" from the main menu and then "Configuration library".
  2. Create a new scan configuration or edit an existing one.
  3. Alter the configuration as described in the following two sections.
  4. Save the edited configuration.

To optimize performance during crawling:

  • In the "Crawl Optimization" area, select the "Faster" or "Fastest" crawl strategies. There is some risk of losing coverage when using either of these strategies, but they may still be suitable for scanning mostly static targets.
  • In the "Crawl Optimization" area, reduce the "Maximum link depth" if the locations relevant to your work are being found early in the scan.
  • Likewise, in the "Crawl Limits" area, reduce the "Maximum crawl time" if you are finding the relevant locations early in the scan.

To optimize performance during auditing:

  • In the "Issues Reported" area, uncheck the "Intrusive active" option. Intrusive auditing is computationally expensive, and some intrusive scans rely on a target timing out, so they can take considerable time to complete. Note, however, that doing this will miss vulnerabilities that are detected only by intrusive techniques.
  • Likewise, unchecking the "Medium active" option in the same area will speed up performance, at the cost of missing vulnerabilities that are detected by medium active techniques.
  • In the "Audit Optimization" area, set "Audit speed" to "Fast" to increase performance at the cost of thoroughness. Also, unchecking "Automatically maintain session" in the same area will improve performance, but this should not be done unless the target site is mostly static. A third option, under "Ignored Insertion Points", is to limit which insertion points are audited if you are not interested in looking for certain vulnerability types or locations.

Narrowing the scope of your scans

Ensure that you are only scanning the areas of the target site that you are interested in. Narrowing your scope will improve performance. Fine-tune the scope of a scan from the "Detailed scope configuration" area of the scan launcher.

Scanning a single protocol

If your target only supports one of HTTP and HTTPS, ensure that Burp Scanner only sends requests using the supported protocol. In "Scan details", in the "URLs to scan" section, include the desired protocol in each URL that you want to scan. Then select "Scan using my specified protocols" in the same area.

Optimize memory usage

Optimize your memory usage in the following ways:

Disabling extensions

Burp Suite extensions are useful, but can increase the load on your system. PortSwigger does not test extensions for resource optimization and some extensions will impact Burp Suite's performance. It is best to be cautious about the extensions you use and remove any that you do not need. If Burp Suite appears to be using an excessive amount of memory, try disabling your extensions one by one to discover if any of them are causing problems.

Allocating more memory to the Java machine

Burp Suite is constrained by the amount of memory your machine allocates to Java. If you launch Burp from the command line, you can use command line arguments to allocate more memory. The procedure is detailed elsewhere in the Burp Suite documentation.
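
One way to apply this when launching from the command line, as an added example that is not taken from PortSwigger's documentation: the script derives the JVM's maximum heap (`-Xmx`, a standard JVM option) from the machine's physical RAM instead of hard-coding it. The sizing policy, the `BURP_JAR` variable and the `--launch` argument are assumptions of this example.

```sh
#!/bin/sh
# Added example (not PortSwigger's code): size the JVM heap for Burp from physical RAM.
# The sizing policy, BURP_JAR and --launch are assumptions of this example.

RESERVE_MB=2048   # assumed headroom for the OS and the browser under test
FLOOR_MB=1024     # assumed minimum heap worth launching with

# Print total physical memory in MiB (Linux /proc/meminfo, otherwise macOS sysctl).
total_mem_mb() {
    if [ -r /proc/meminfo ]; then
        awk '/^MemTotal:/ { printf "%d\n", $2 / 1024 }' /proc/meminfo
    else
        echo $(( $(sysctl -n hw.memsize) / 1048576 ))
    fi
}

# Print a heap ceiling in MiB for a machine with $1 MiB of RAM:
# three quarters of RAM, lowered so RESERVE_MB stays free for everything else,
# then raised to FLOOR_MB on very small machines.
burp_heap_mb() {
    total=$1
    heap=$(( total * 3 / 4 ))
    if [ $(( total - RESERVE_MB )) -lt "$heap" ]; then
        heap=$(( total - RESERVE_MB ))
    fi
    if [ "$heap" -lt "$FLOOR_MB" ]; then
        heap=$FLOOR_MB
    fi
    echo "$heap"
}

# Print the JVM option that sets the maximum heap for a machine with $1 MiB of RAM.
burp_jvm_flag() {
    echo "-Xmx$(burp_heap_mb "$1")m"
}

# Launch only when asked, so the functions can be sourced and checked on their own.
if [ "${1:-}" = "--launch" ]; then
    exec java "$(burp_jvm_flag "$(total_mem_mb)")" -jar "${BURP_JAR:?set BURP_JAR to the Burp Suite JAR path}"
fi
```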

Using a disk-based project

Temporary projects place greater demands on memory than disk-based projects, as all the project data needs to be stored in memory rather than on a disk. If your memory use is maximized, switching to a disk-based project will move some of the load from memory to a hard disk. However, note that RAM is faster than hard drives, and it's possible that doing this will introduce delays, especially if your disks are slow (e.g. hard disk drives rather than solid state drives). You may need to experiment to see whether disk-based or temporary projects are faster for you. You can convert a temporary project to a disk-based project by going to the Project menu and selecting "Save copy".

Optimize network usage

Manage network issues in the following ways:

Reducing concurrent scans

To reduce the load on your network, reduce the number of scans running together.

Configuring resource pools

Burp Suite can overload target applications by sending requests faster than a target can handle or will allow during active scans. Stop requests hanging or timing out by reducing the number of requests that Burp Suite makes at once:

  1. Click on the cog icon next to "New Live Task" to bring up the "Settings" dialogue.
  2. Create a new resource pool or edit an existing one, and reduce the maximum number of concurrent tasks.
  3. Save the resource pool.