PROFESSIONAL

Scanning web sites

  • Last updated: November 25, 2022

  • Read time: 5 Minutes

Burp Scanner automates the task of scanning web sites for content and vulnerabilities. Depending on configuration, the Scanner can crawl the application to discover its content and functionality, and audit the application to discover vulnerabilities. By default, all scans will use Burp's browser to ensure maximum coverage through browser-powered scanning. You can also provide sets of user credentials so that Burp Scanner can discover and audit content that is only accessible to authenticated users. Importing full login sequences even enables Burp Scanner to handle more complex login mechanisms, including single sign-on.

Launching scans

Scans can be launched in a variety of ways:

  • Scan from specific URLs. This performs a scan by crawling the content within one or more provided URLs, and optionally auditing the crawled content. To do this, go to the Burp Dashboard, and click the New scan button. This will open the scan launcher which lets you configure details of the scan.
  • Scan selected items. This lets you perform an audit-only scan (no crawling) of specific HTTP requests. To do this, select one or more requests anywhere within Burp, and select Scan from the context menu. This will open the scan launcher which lets you configure details of the scan.
  • Live tasks. You can use live tasks to automatically scan requests that are processed by other Burp tools, such as the Proxy or Repeater tools. You can configure precisely which requests are processed, and whether they should be scanned to identify content or audit for vulnerabilities. To do this, go to the Burp Dashboard, and click the New live task button. This will open the live task launcher which lets you configure details of the task.
  • Instant scanning. You can also launch instant active or passive scans from the context menu. This means you can quickly check for vulnerabilities without having to open the scan launcher. You can access these options by right-clicking on a request. Alternatively, you can configure hotkeys for triggering instant scans.

Configuring scans

When configuring scans in Burp Suite, you can either select a preset scan mode or define a custom configuration. To manage configuration for a scan, select the Scan Configuration tab.

Using preset scan modes

Burp Scanner's preset scan modes are predefined collections of scan settings. They offer a quick way to adjust how the scan balances speed and coverage. To select a preset scan mode, ensure that the Use a preset scan mode radio button is selected and click one of the available options.

Burp Scanner offers four preset scan modes, listed in order from the fastest to the one with the greatest coverage:

  • Lightweight
  • Fast
  • Balanced
  • Deep

If you select the Remember my choice for future scans checkbox, then Burp Suite remembers the selected scan mode the next time you open the scan launcher.

Using a custom configuration

Using a custom scan configuration enables you to fine-tune Burp Scanner's behavior to meet your needs.

There are two types of custom configuration in Burp Suite:

  • Crawl. These options control behavior like maximum link depth, how the crawler optimizes for speed versus coverage, and limits on the extent of the crawl. You can also enable or disable some of Burp Scanner's miscellaneous features, such as browser-powered scanning and API scanning.
  • Audit. These options control behavior like the handling of insertion points and what detection methods are employed. These options are very important in controlling what type of audit activity will be performed, from a lightweight purely passive analysis through to a heavyweight invasive scan.

Click Use a custom configuration to display a list of your existing configurations. From here, you can add to the list, reorder the list, or remove configurations altogether.

You can apply configurations to the scan by:

  • Creating an entirely new configuration.
  • Selecting an existing configuration from your configuration library.
  • Importing a configuration from another installation of Burp Suite.

Creating a new configuration

To create a new scan configuration:

  1. Click New and select either Crawling or Auditing from the context menu to display a list of configuration options.
  2. Enter a Configuration name.
  3. Expand the sections on the page and select the configuration options you require.
  4. Optionally, select the Save to library checkbox to add your new configuration to the library when it is saved.
  5. Click Save.

Note

For an in-depth explanation of the options available when creating a custom scan configuration, see the Crawl options and Audit options pages.

Loading a configuration from the library

To load a configuration from the configuration library, click Select from library and select a configuration from the modal box. The configuration library contains any custom configurations that you have saved, along with some built-in configurations.

Note

For more information on the built-in configurations available in Burp Suite, see the Burp Scanner built-in configurations page.

Importing configurations

To import a configuration, click Import and select the JSON configuration file you want to import from the dialog box.

Importing configuration files enables you to use external configurations (that is, scan configurations that you have exported from other installations of Burp Suite or Burp Suite Enterprise Edition) in your current installation of Burp Suite.

More information

For more information on exporting configuration files from the desktop editions of Burp, see the Desktop - Configurations page.

Stacking multiple configurations

When defining custom configurations, you can specify multiple configurations for a single site. Burp Scanner applies the selected configurations in list order, enabling you to further fine-tune scanning behaviour. In practice, this means that for any given setting, the value specified by the configuration lowest in the list wins over the values set by configurations higher in the list, and all of them take precedence over the default configuration. A configuration that does not specify a setting leaves the value inherited from above it unchanged.

Config name     Max crawl time   Max locations   Max request count
Default         150              1500            0
Config 1        100              -               50
Config 2        200              -               -
Settings used   200              1500            50

This example shows two selected configurations, which combine with the default configuration when the site is scanned. A dash means that the configuration does not set that option, so the value from the configuration above it (or from the default) is used.

Note

For simplicity, the above example focuses on the settings in the Crawling > Crawl Limits section of the scan configuration setup. However, the principles shown apply to all configuration settings.
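The precedence rule above, worked through in code as an added example (this is not PortSwigger's code and not Burp's own merge logic): a small Python routine stacks selected configurations in list order over the defaults and reproduces the table's "Settings used" row. The nested key names (crawler, crawl_limits, max_crawl_time, and so on) are constructed for illustration and are not the keys of Burp's exported JSON; the numeric values come from the table on this page.

```python
"""Worked example of Burp Scanner's configuration stacking rule.

Added example, not PortSwigger's code. The nested key names below are
constructed for illustration and are not the key names used in Burp's
exported JSON configuration files.
"""
from copy import deepcopy

# Constructed stand-in for the default Crawling > Crawl Limits section,
# using the "Default" row of the documentation's table.
DEFAULT_CONFIG = {
    "crawler": {
        "crawl_limits": {
            "max_crawl_time": 150,
            "max_locations": 1500,
            "max_request_count": 0,
        }
    }
}

# Constructed stand-ins for "Config 1" and "Config 2". A setting that a
# configuration does not mention is simply absent, which is what the "-"
# in the table means.
CONFIG_1 = {"crawler": {"crawl_limits": {"max_crawl_time": 100,
                                          "max_request_count": 50}}}
CONFIG_2 = {"crawler": {"crawl_limits": {"max_crawl_time": 200}}}


def _merge_into(target, overlay):
    """Recursively overlay `overlay` onto `target`: sections merge, leaf values replace."""
    for key, value in overlay.items():
        if isinstance(value, dict) and isinstance(target.get(key), dict):
            _merge_into(target[key], value)
        else:
            target[key] = deepcopy(value)


def stack_configurations(default, selected):
    """Apply `selected` configurations over `default` in list order.

    Each configuration overrides only the settings it explicitly specifies,
    so a configuration lower in the list wins over one higher up, and both
    win over the default. Inputs are not mutated.
    """
    effective = deepcopy(default)
    for config in selected:
        _merge_into(effective, config)
    return effective


def effective_crawl_limits(selected):
    """Return the effective Crawl Limits section for a list of selected configurations."""
    return stack_configurations(DEFAULT_CONFIG, selected)["crawler"]["crawl_limits"]


if __name__ == "__main__":
    # Same order as the table: Config 1 above Config 2.
    print(effective_crawl_limits([CONFIG_1, CONFIG_2]))
    # Reversing the list order changes which max_crawl_time wins.
    print(effective_crawl_limits([CONFIG_2, CONFIG_1]))
```

Running the block prints the table's "Settings used" row for the documented order, and shows that swapping Config 1 and Config 2 in the list makes Config 1's max crawl time of 100 the effective value instead, which is why the order of the list matters when you stack configurations.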

Monitoring scan activity

You can monitor the progress and results of a scan in various ways:

Reporting

You can generate reports of issues found via Burp Scanner in HTML format. You can also export issues in XML format suitable for importing into other tools.
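As an added example of consuming the XML export in another tool (this is not PortSwigger's code): a Python script that parses an issue export, counts findings per severity while discarding tentative ones, and builds a deduplicated triage list ordered by severity. The sample XML is constructed here and follows the general shape of a Burp issue export (an issues element holding issue elements with name, host, path, severity and confidence children); check the element set against your own export before relying on it, as the exact structure is an assumption of this example.

```python
"""Summarise a Burp Scanner XML issue export by severity.

Added example, not PortSwigger's code. SAMPLE_EXPORT is constructed for
this example; its element names follow the general shape of a Burp issue
export but should be checked against a real export before use.
"""
from collections import Counter
import xml.etree.ElementTree as ET

# Constructed sample export: hosts, paths and findings are illustrative only.
SAMPLE_EXPORT = """<?xml version="1.0"?>
<issues burpVersion="example" exportTime="example">
  <issue>
    <name><![CDATA[Cross-site scripting (reflected)]]></name>
    <host ip="203.0.113.10">https://app.example</host>
    <path><![CDATA[/search]]></path>
    <severity>High</severity>
    <confidence>Certain</confidence>
  </issue>
  <issue>
    <name><![CDATA[Strict transport security not enforced]]></name>
    <host ip="203.0.113.10">https://app.example</host>
    <path><![CDATA[/]]></path>
    <severity>Low</severity>
    <confidence>Certain</confidence>
  </issue>
  <issue>
    <name><![CDATA[Cross-site scripting (reflected)]]></name>
    <host ip="203.0.113.10">https://app.example</host>
    <path><![CDATA[/search]]></path>
    <severity>High</severity>
    <confidence>Tentative</confidence>
  </issue>
  <issue>
    <name><![CDATA[Email addresses disclosed]]></name>
    <host ip="203.0.113.10">https://app.example</host>
    <path><![CDATA[/contact]]></path>
    <severity>Information</severity>
    <confidence>Certain</confidence>
  </issue>
</issues>
"""

SEVERITY_ORDER = ["High", "Medium", "Low", "Information"]
CONFIDENCE_RANK = {"Certain": 0, "Firm": 1, "Tentative": 2}


def parse_issues(xml_text):
    """Return one dict per <issue> with name, host, path, severity and confidence."""
    root = ET.fromstring(xml_text)
    issues = []
    for issue in root.iter("issue"):
        issues.append({
            "name": issue.findtext("name", default="").strip(),
            "host": issue.findtext("host", default="").strip(),
            "path": issue.findtext("path", default="").strip(),
            "severity": issue.findtext("severity", default="Information").strip(),
            "confidence": issue.findtext("confidence", default="Tentative").strip(),
        })
    return issues


def severity_counts(issues, accepted_confidence=("Certain", "Firm")):
    """Count issues per severity, keeping only those whose confidence is accepted."""
    counts = Counter(i["severity"] for i in issues
                     if i["confidence"] in accepted_confidence)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def triage_list(issues):
    """Collapse duplicates of (name, host, path), keeping the most confident copy,
    then order highest severity first and alphabetically within a severity."""
    best = {}
    for issue in issues:
        key = (issue["name"], issue["host"], issue["path"])
        current = best.get(key)
        rank = CONFIDENCE_RANK.get(issue["confidence"], len(CONFIDENCE_RANK))
        if current is None or rank < CONFIDENCE_RANK.get(current["confidence"], len(CONFIDENCE_RANK)):
            best[key] = issue

    def sort_key(i):
        sev = i["severity"]
        pos = SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else len(SEVERITY_ORDER)
        return (pos, i["name"])

    return sorted(best.values(), key=sort_key)


if __name__ == "__main__":
    found = parse_issues(SAMPLE_EXPORT)
    print(severity_counts(found))
    for item in triage_list(found):
        print(f'{item["severity"]:<12} {item["confidence"]:<10} {item["name"]}  {item["host"]}{item["path"]}')
```

Filtering on confidence before counting keeps tentative findings out of headline numbers, while the triage list still retains each finding once at its best confidence so nothing is silently dropped.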

Additional information

You can find additional information about specific topics on the following Support pages:
