Scanning web sites
Last updated: August 25, 2022
Burp Scanner automates the task of scanning web sites for content and vulnerabilities. Depending on configuration, the Scanner can crawl the application to discover its content and functionality, and audit the application to discover vulnerabilities. By default, all scans will use Burp's browser to ensure maximum coverage through browser-powered scanning. You can also provide sets of user credentials so that Burp Scanner can discover and audit content that is only accessible to authenticated users. Importing full login sequences even enables Burp Scanner to handle more complex login mechanisms, including single sign-on.
Scans can be launched in a variety of ways:
- Scan from specific URLs. This performs a scan by crawling the content within one or more provided URLs, and optionally auditing the crawled content. To do this, go to the Burp Dashboard, and click the New scan button. This will open the scan launcher which lets you configure details of the scan.
- Scan selected items. This lets you perform an audit-only scan (no crawling) of specific HTTP requests. To do this, select one or more requests anywhere within Burp, and select Scan from the context menu. This will open the scan launcher which lets you configure details of the scan.
- Live scanning. You can use live scans to automatically scan requests that are processed by other Burp tools, such as the Proxy or Repeater tools. You can configure precisely which requests are processed, and whether they should be scanned to identify content or audit for vulnerabilities. To do this, go to the Burp Dashboard, and click the New live task button. This will open the live scan launcher which lets you configure details of the task.
- Instant scanning. You can also launch instant active or passive scans from the context menu. This means you can quickly check for vulnerabilities without having to open the scan launcher. You can access these options by right-clicking on a request. Alternatively, you can configure hotkeys for triggering instant scans.
When configuring scans in Burp Suite, you can either select a preset scan mode or define a custom configuration. To manage configuration for a scan, select the Scan Configuration tab.
Using preset scan modes
Burp Scanner's preset scan modes are predefined collections of scan settings. They offer a quick way to adjust how the scan balances speed and coverage. To select a preset scan mode, ensure that the Use a preset scan mode radio button is selected and click one of the available options.
Burp Scanner offers four preset scan modes, listed from the fastest to the greatest coverage:
If you select the Remember my choice for future scans checkbox, then Burp Suite remembers the selected scan mode the next time you open the scan launcher.
Using a custom configuration
Using a custom scan configuration enables you to fine-tune Burp Scanner's behavior to meet your needs.
There are two types of custom configuration in Burp Suite:
- Crawl. These options control behavior like maximum link depth, how the crawler optimizes for speed versus coverage, and limits on the extent of the crawl. You can also enable or disable some of Burp Scanner's miscellaneous features, such as browser-powered scanning and API scanning.
- Audit. These options control behavior like the handling of insertion points and what detection methods are employed. These options are very important in controlling what type of audit activity will be performed, from a lightweight purely passive analysis through to a heavyweight invasive scan.
Click Use a custom configuration to display a list of your existing configurations. From here, you can add to the list, reorder the list, or remove configurations altogether.
You can apply configurations to the scan by:
- Creating an entirely new configuration.
- Selecting an existing configuration from your configuration library.
- Importing a configuration from another installation of Burp Suite.
Creating a new configuration
To create a new scan configuration:
- Click New and select either Crawling or Auditing from the context menu to display a list of configuration options.
- Enter a Configuration name.
- Expand the sections on the page and select the configuration options you require.
- Optionally, select the Save to library checkbox to add your new configuration to the library when it is saved.
- Click Save.
Loading a configuration from the library
To load a configuration from the configuration library, click Select from library and select a configuration from the modal box. The configuration library contains any custom configurations that you have saved, along with some built-in configurations.
For more information on the built-in configurations available in Burp Suite, see the Burp Scanner built-in configurations page.
To import a configuration, click Import and select the JSON configuration file you want to import from the dialog box.
Importing configuration files enables you to use external configurations (that is, scan configurations that you have exported from other installations of Burp Suite or Burp Suite Enterprise Edition) in your current installation of Burp Suite.
For more information on exporting configuration files from the desktop editions of Burp, see the Desktop - Configurations page.
Stacking multiple configurations
When defining custom configurations, you can specify multiple configurations for a single site. Burp Scanner applies the selected configurations in order, enabling you to further fine-tune scanning behavior. In practice, this means that the options a configuration specifies for a particular setting take precedence over the equivalent settings in configurations higher in the list.
| Config name | Max crawl time | Max locations | Max request count |
This example shows two selected configurations, which combine with the default configuration when the site is scanned.
For simplicity, the above example focuses on the settings in the Crawling > Crawl Limits section of the scan configuration setup. However, the principles shown apply to all configuration settings.
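The stacking rule described above can be modelled in a few lines. This is an added example, not PortSwigger's code and not Burp's JSON configuration schema: the setting names follow the table header, while the configuration names, the default values and the `resolve` and `relaxed_limits` helpers are constructed for illustration.

```python
# Simplified model of stacked scan configurations (not Burp's JSON schema).
# Each configuration lists only the settings it specifies; a configuration
# lower in the list overrides the same setting from those higher up.

SETTINGS = ("max_crawl_time", "max_locations", "max_request_count")

# Constructed default values for illustration; None means "no limit".
DEFAULT = {"max_crawl_time": 150, "max_locations": 1500, "max_request_count": None}


def resolve(stack, default=DEFAULT):
    """Return {setting: (effective_value, name_of_config_that_set_it)}.

    `stack` is an ordered list of (name, settings) pairs, top of the list first.
    """
    effective = {key: (default[key], "default") for key in SETTINGS}
    for name, settings in stack:
        unknown = set(settings) - set(SETTINGS)
        if unknown:
            # Reject misspelt keys instead of silently ignoring them.
            raise ValueError(f"{name}: unknown setting(s) {sorted(unknown)}")
        for key, value in settings.items():
            effective[key] = (value, name)  # later entries win
    return effective


def relaxed_limits(stack, default=DEFAULT):
    """List settings where the stack ends up less restrictive than the default."""
    relaxed = []
    for key, (value, source) in resolve(stack, default).items():
        base = default[key]
        if base is not None and (value is None or value > base):
            relaxed.append((key, base, value, source))
    return relaxed


if __name__ == "__main__":
    # Constructed stack: two selected configurations, in list order.
    stack = [
        ("Quick crawl", {"max_crawl_time": 10, "max_locations": 200}),
        ("Deep API pass", {"max_locations": 5000, "max_request_count": 20000}),
    ]
    for key, (value, source) in resolve(stack).items():
        print(f"{key:18} = {value!s:>6}  (from {source})")
    for key, base, value, source in relaxed_limits(stack):
        print(f"note: {source} raises {key} from {base} to {value}")
```

Recording which configuration supplied each effective value makes it easy to see when a configuration lower in the list has lifted a crawl limit that an earlier one tightened.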
Monitoring scan activity
You can monitor the progress and results of a scan in various ways:
- The Burp Dashboard shows metrics about the progress of each task, and the issue activity log shows the issues that are reported by all scanning tasks.
- You can open the task details window for an individual scan, to view the issue activity log for only that scan, and a detailed view of the audit items for applicable tasks.
- The Target site map shows all of the content and issues that have been identified, organized by domain and URL.
You can generate reports of issues found via Burp Scanner in HTML format. You can also export issues in XML format suitable for importing into other tools.
You can find additional information about specific topics on the following Support pages:
- Troubleshooting performance issues
- Using Burp to Manually Verify Scanner Issues
- Integrating Burp Suite with Acunetix Vulnerability Scanner
- Integrating Burp Suite with HP WebInspect
- Integrating Burp Suite with ThreadFix