You can launch scans via the "New scan" button on the Burp Dashboard or the "Scan" option on the context menu that appears throughout Burp. Using one of these methods will display the scan launcher, which lets you configure various details of the scan.
The "Scan details" section of the scan launcher lets you select the scan type, and the details of what will be scanned.
The following scan types can be selected:
- Crawl and audit - This will perform a crawl from one or more starting URLs, and then audit the discovered content for vulnerabilities.
- Crawl - This will perform a crawl from one or more starting URLs.
- Audit selected items - This option is only available when the launcher was initiated by selecting one or more requests/responses within Burp, and choosing the "Scan" option on the context menu.
Depending on the scan type that is selected, the scan launcher will show options for the scope of the scan or the individual items to be scanned.
URLs to scan
This section is displayed for "Crawl and audit" and "Crawl" scan types. You can configure one or more seed URLs from which Burp will start the crawl. It will follow any links from these URLs into the application.
By default, the scope of the crawl will be restricted to the configured URLs, truncated to the final directory (if any). For example, if you specify a seed URL of https://example.org/myapp/welcome.php, the crawler will begin at this URL and will crawl content within the path
Burp identifies the final directory based on the final slash (/) in the URL. For example, if you enter https://example.org/myapp/myfolder, all content within the path https://example.org/myapp/ will be considered in-scope. To limit the scope to the myfolder directory, you would need to enter
You can override the default behavior and provide a different scope configuration by opening the "Detailed scope configuration" toggle. This lets you define the scope of the crawl using either URL prefixes or advanced matching rules, as for Burp's Target scope. Note that you still need to specify the URLs to scan, since these are the starting points for the crawl, and the URLs to scan must fall within the defined scope.
For scans using its embedded browser, Burp accepts seed URLs with fragments (#). However, the legacy crawling engine does not support this. If browser-powered scanning is disabled in your scan configuration, you cannot include a fragment in any seed URLs. If you do, an error message will appear when you try to start the scan informing you that you need to enable the embedded browser. To do this, go to the miscellaneous crawl settings of your scan configuration and use the drop-down menu to enable the "Use embedded browser for Crawl and Audit" option.
Specifying the protocol for each URL is optional. You control which protocols are used to scan your URLs centrally by selecting one of the following options:
- Scan using HTTP & HTTPS - When this option is selected, all of your URLs will be scanned using both HTTP and HTTPS, regardless of whether you explicitly specified a protocol in the list of URLs.
- Scan using my specified protocols - When this option is selected, Burp Scanner will scan the URLs using the protocols that you specify explicitly. For example, if you only include the URL http://example.org, the URL https://example.org would not be scanned. Any URLs for which no protocol is specified will still be scanned using both HTTP and HTTPS.
Note that even when you choose to scan a URL using both HTTP and HTTPS, if Burp identifies that the content is the same, it will only crawl and audit the location once.
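The default-scope rule (seed URL truncated at its final slash), the protocol option and the fragment restriction described above, modelled as an added Python example; this is not Burp's own code, and it assumes that a seed URL with no path at all is scoped to the whole host, which the text does not state.

```python
from urllib.parse import urlsplit, urlunsplit


def default_crawl_scope(seed_url: str) -> str:
    """Return the documented default scope: the seed URL truncated to its final directory.

    Everything after the last '/' in the path is treated as a file name and dropped,
    so https://example.org/myapp/welcome.php -> https://example.org/myapp/
    """
    parts = urlsplit(seed_url)
    path = parts.path
    # Assumption (not stated on the page): no path at all means the whole host is in scope.
    directory = path[: path.rfind("/") + 1] if "/" in path else "/"
    return urlunsplit((parts.scheme, parts.netloc, directory, "", ""))


def in_scope(url: str, seed_urls) -> bool:
    """A discovered URL is in the default scope if it lies under any seed's directory."""
    return any(url.startswith(default_crawl_scope(seed)) for seed in seed_urls)


def expand_protocols(urls, scan_both: bool):
    """Apply the launcher's protocol option to a list of seed URLs.

    scan_both=True  -> "Scan using HTTP & HTTPS": every URL is scanned over both schemes.
    scan_both=False -> "Scan using my specified protocols": an explicit scheme is kept as
                       given; a URL with no scheme is still scanned over both.
    Duplicates are removed while preserving order.
    """
    result = []
    for url in urls:
        has_scheme = url.startswith(("http://", "https://"))
        bare = url.split("://", 1)[1] if has_scheme else url
        if scan_both or not has_scheme:
            result += [f"http://{bare}", f"https://{bare}"]
        else:
            result.append(url)
    return list(dict.fromkeys(result))


def check_seed_urls(urls, browser_crawl_enabled: bool):
    """Reject fragments (#) in seed URLs unless the embedded browser performs the crawl."""
    for url in urls:
        if "#" in url and not browser_crawl_enabled:
            raise ValueError(
                f"{url}: seed URL contains a fragment; enable "
                "'Use embedded browser for Crawl and Audit' in the crawl settings"
            )
    return urls
```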
Items to scan
This section is displayed for the "Audit selected items" scan type. The URLs of the selected items are listed. Note that the same URL will appear more than once if there are multiple requests to the same URL with different parameters.
If you have made a large selection of items to scan, it is often useful to consolidate the selected items to improve the efficiency of the scan. Clicking "Consolidate items" displays a wizard that lets you choose whether to remove items with various features:
- Duplicate items in the selection (those with matching URL and parameter names)
- Out-of-scope items (based on the current suite scope)
- Items with no parameters
- Items with specific file extensions
For each option, Burp shows the number of items that would be removed. If an option would result in none or all of the items being removed, that option will be unavailable.
The consolidation wizard then displays the full list of items that will be scanned. You can double-click any item in the list to view the full request and response. You can manually remove any further items that you do not wish to scan.
The "Scan configuration" section of the scan launcher lets you select configurations to control how the scan is carried out.
You can select multiple configurations, and these will be applied in turn to determine the final configuration that is used for the scan. This allows you to apply a general configuration first (for example, your preferred general scan settings), followed by a more specific configuration (for example, some specific options that are useful for this particular application). If no configurations are selected, then Burp Scanner's default settings will be used.
You can create new configurations on the fly, or select existing configurations from your library, or import from a configuration file.
Application login options
Note: This section is not available when using the "Audit selected items" scan type because no crawling is performed.
The "Application login" section of the scan launcher lets you provide valid sets of credentials that Burp Scanner should submit when it encounters any login forms. This enables it to discover and audit content that is only accessible to authenticated users.
You can also save application logins to your configuration library. This allows you to reuse the same set of credentials for future scans.
The following options are available for providing application logins. Please note that you can only use one of these options per scan; if you enter sets of basic login credentials, but then select the "Use recorded logins" option instead, the login credentials that you entered will be ignored.
Use login credentials
For basic, single-step login functions, you can simply add a list of username:password pairs that Burp Scanner should use. By default, the crawler will also attempt to self-register accounts and use these credentials in addition to any that you provide.
This works well for classic login forms with only two input fields. However, if the form contains additional fields and inputs, this may cause issues that prevent the crawler from logging in.
With this option selected, the crawler will also be unable to deal with more complex login processes involving single sign-on, for example. In this case, we recommend importing a recorded login sequence to ensure maximum coverage for your scan.
Use recorded login sequences
If the target website uses a more complex login process, you might need to help Burp Scanner understand how to perform the actions required to successfully log in. You can do this by importing a recorded login sequence.
Resource pool options
The "Resource pool" section of the scan launcher lets you specify the resource pool in which the scan will be run. Resource pools are used to manage the usage of system resources across multiple tasks. Each resource pool can be configured with different settings for the maximum number of concurrent requests, and throttling between requests.