ENTERPRISEPROFESSIONAL

Burp Scanner built-in configurations

Last updated: July 1, 2022
Read time: 8 Minutes

As part of its configuration library, Burp Suite comes with a number of built-in scan configurations that allow you to quickly modify how Burp Scanner crawls and audits web applications. In this section, we'll provide some information to help you understand what these built-in configurations do and why you might use them.

More information on scan configurations:

Audit checks - all except JavaScript analysis

Settings changed

Disables JavaScript analysis in the Issues Reported options.

Example use cases

This configuration disables resource-intensive JavaScript analysis in the Issues Reported options which can significantly improve performance. You can also set limits for the time Burp Scanner spends executing JavaScript. Dynamic JavaScript analysis also requires Burp's browser, so disabling it may be desirable if the scanning machine does not have the resources to run the browser well.

Audit checks - all except time-based detection methods

Settings changed

Disables time-based detection methods in the Issues Reported options. These are detection methods based on response time, typically used for detecting blind vulnerabilities.

Example use cases

This configuration reduces the time taken for a scan, as time-based detection methods include intentionally causing page time-outs and making database sleep calls.

Audit checks - critical issues only

Settings changed

Selects only the most critical issues to audit in the Issues Reported options.

Example use cases

This configuration scans for critical issues only, without spending time checking for non-critical issues. These are the most likely to cause damage or data loss to the web application.

Audit checks - extensions only

Settings changed

Selects only Extension generated issues in the Issues Reported options.

Example use cases

This configuration only scans for custom issues generated by Burp Scanner extensions. This is useful for focusing on a specific issue using an extension or debugging how an extension is functioning.

Audit checks - light active

Settings changed

Performs only Passive, Light active, and JavaScript analysis audit checks in the Issues Reported options. Passive issues are those that can be detected by examining the application's normal requests and responses. Light active issues require only a small number of benign additional requests. JavaScript analysis executes the JavaScript code of the site to check it for vulnerabilities. This disables the more intrusive Medium active and Intrusive active audit checks.

Example use cases

This configuration skips Medium active and Intrusive active audit checks during the audit phase of the scan. This significantly reduces the risk of the web application being damaged, data loss occurring, or performance issues and unusual behavior resulting from the audit phase of the scan.

Audit checks - medium active

Settings changed

Selects Passive, Light active, Medium active, and JavaScript analysis audit checks in the Issues Reported options. Passive issues are those that can be detected by examining the application's normal requests and responses. Light active issues require only a small number of benign additional requests. Medium active issues require Burp Scanner to make requests that might be regarded as malicious. JavaScript analysis executes the JavaScript code of the site to check it for vulnerabilities. This disables the Intrusive active audit checks.

Example use cases

This configuration skips the Intrusive active audit check. This should reduce the risk of Burp Scanner damaging the web application, or causing data loss. Medium active and Light active scans may still impact the smooth running of the web application.

Audit checks - passive

Settings changed

Selects only the Passive audit checks in the Issues Reported options. Passive issues are those that can be detected by auditing normal requests and responses. This type of scan is completely non-intrusive and should not impact the functioning of the web application.

Example use cases

This configuration results in an entirely non-intrusive scan of a web application. This should not adversely affect the smooth running of the web application in any way.

Audit coverage - maximum

Settings changed

Selects a set of audit phase options designed to maximize coverage. Selects the most extensive set of payload variations and insertion point options possible. Disables optimization options designed to speed up tests, or skip potentially redundant/ineffective tests. Disables passive issue consolidation. Enables JavaScript analysis and sets a 10 minute maximum execution time.

Example use cases

This configuration results in the most exhaustive scan possible, ensuring no potential issues are missed. This may result in duplicated reporting of issues, and scans being more time / resource-intensive.

Audit coverage - thorough

Settings changed

Sets the Audit speed option to Thorough in the Audit Optimization options.

Example use cases

This configuration will try more payload variations during audit phase than using the default Normal setting, at the expense of some speed. This may discover some additional edge case issues.

Crawl and audit - balanced

Settings changed

Based on the Balanced scan mode. This configuration uses a combination of crawl and audit settings that should see scans complete in a few hours.

Example use cases

This configuration is useful for general-purpose scanning. It is designed to give a good balance between coverage and speed.

Crawl and audit - deep

Settings changed

Based on the Deep scan mode. This configuration uses a combination of crawl and audit settings that are intended to give a high level of coverage. The time taken to run a scan using the Deep configuration depends heavily on the site's size and complexity.

Example use cases

This configuration is most useful as a means of getting an in-depth look at a site's security posture.

Crawl and audit - fast

Settings changed

Based on the Fast scan mode. This configuration uses a combination of crawl and audit settings that should see scans complete in around an hour.

Example use cases

This configuration is useful if you need to get a general overview of a site's security posture quickly.

Crawl and audit - lightweight

Settings changed

Based on the Lightweight scan mode. Uses a combination of crawl and audit settings intended to give a very high-level overview of a target as quickly as possible. This configuration sets a maximum length of 15 minutes on all scans.

Example use cases

This configuration is useful in situations where you need fast feedback on a target, such as scanning as part of a CI/CD pipeline. It can also help you to plan your manual penetration testing, enabling you to quickly map out an attack surface and find any obvious vulnerabilities.

Crawl limit - 10 minutes

Settings changed

Limits the crawl phase to 10 minutes Maximum crawl time and 1500 Maximum unique locations discovered in the Crawl Limits options.

Example use cases

This configuration results in a quicker crawl phase for large sites. Burp Scanner goes for breadth-first, so limiting time will potentially result in a shallower crawl but will still achieve good coverage of the site.

Crawl limit - 30 minutes

Settings changed

Limits the crawl phase to 30 minutes Maximum crawl time and 1500 Maximum unique locations discovered in the Crawl Limits options.

Example use cases

Crawl limit - 60 minutes

Settings changed

Limits the crawl phase to 60 minutes Maximum crawl time and 1500 Maximum unique locations discovered in the Crawl Limits options.

Example use cases

Crawl strategy - faster

Settings changed

Sets the Crawl strategy option to Faster in the Crawl Optimization options.

Example use cases

This configuration allows you to tune the crawl phase of a scan to run faster for web applications where the URLs are largely static and stateful functionality is limited.

Crawl strategy - fastest

Settings changed

Sets the Crawl strategy option to Fastest in the Crawl Optimization options.

Example use cases

This configuration allows you to tune the crawl phase of a scan to run at its fastest for web applications where the URLs are entirely static and no stateful functionality is present.

Crawl strategy - more complete

Settings changed

Sets the Crawl strategy to More complete in the Crawl Optimization options.

Example use cases

This configuration allows you to tune the crawl phase of a scan for web applications with more volatile, or overloaded URLs, and/or more complex stateful functionality, at the expense of some speed.

Crawl strategy - most complete

Settings changed

Sets the Crawl strategy to Most complete in the Crawl Optimization options.

Example use cases

This configuration allows you to tune the crawl phase of a scan for web applications with very volatile, or overloaded URLs, and/or very complex stateful functionality, at the expense of speed.

Minimize false negatives

Settings changed

Sets the Audit accuracy to Minimize false negatives in the Audit Optimization options.

Example use cases

This configuration will minimize false negatives for some vulnerability types at the expense of some potential false positives. This will ensure that no potential issues are missed.

Minimize false positives

Settings changed

Sets the Audit accuracy to Minimize false positives in the Audit Optimization options.

Example use cases

This configuration will minimize false positives for some vulnerability types at the expense of some potential false negatives. It can also increase scan time because minimizing false positives requires re-scanning potential vulnerabilities.

Never stop audit due to application errors

Settings changed

Sets Burp Scanner not to pause the task if it encounters multiple consecutive errors during the audit phase. Overrides the default setting of pausing if 10 consecutive audit items fail.

Example use cases

By default Burp Scanner is set to pause the audit phase of a scan if it encounters 10 consecutive errors. It can also be set to pause on a specified percentage of failed requests. This is to avoid wasting time scanning a broken or unavailable web application. This configuration will override those settings and may be preferable for unattended scanning.

Never stop crawl due to application errors

Settings changed

Sets Burp Scanner not to pause the scan if it encounters multiple consecutive errors during the crawl phase. Overrides the default setting of pausing if 10 consecutive crawl items fail.

Example use cases

By default Burp Scanner is set to pause the crawl phase of a scan if it encounters 10 consecutive errors. It can also be set to pause on a specified percentage of failed requests. This is to avoid wasting time scanning a broken or unavailable web application. This configuration will override those settings and may be preferable for unattended scanning.