You can launch scans via the "New scan" button on the Burp Dashboard or the "Scan" option on the context menu that appears throughout Burp. Using one of these methods will display the scan launcher, which lets you configure various details of the scan.
The "Scan details" section of the scan launcher lets you select the scan type, and the details of what will be scanned.
The following scan types can be selected:
- Crawl and audit - This will perform a crawl from one or more starting URLs, and then audit the discovered content for vulnerabilities.
- Crawl - This will perform a crawl from one or more starting URLs.
- Audit selected items - This option is only available when the launcher was initiated by selecting one or more requests/responses within Burp, and choosing the "Scan" option on the context menu.
Depending on the scan type that is selected, the scan launcher will show options for the scope of the scan or the individual items to be scanned.
URLs to scan
This section is displayed for "Crawl and audit" and "Crawl" scan types. You can configure one or more URLs from which Burp will perform the crawl. These URLs will be the starting point of the crawl, and Burp will follow links from there into the application.
By default, the scope of the crawl will be restricted to the configured URLs truncated to the final folder (if any). For example, if you specify a start URL of
https://example.org/myapp/welcome.php then the crawler will begin at this URL, and will crawl content within the path
https://example.org/myapp/. Note that Burp identifies the final folder based on the final slash (
/) in the URL. Therefore, it is important to include the closing slash when entering a URL that ends with a folder. Otherwise, if you enter
https://example.org/myapp/myfolder, for example, all content within the path
https://example.org/myapp/ will be considered in-scope.
You can override the default behavior and provide a different scope configuration by opening the "Detailed scope configuration" toggle. This lets you define the scope of the crawl using either URL prefixes or advanced matching rules, as for Burp's Target scope. Note that you still need to specify the URLs to scan, since these are the starting points for the crawl, and the URLs to scan must fall within the defined scope.
Note that specifying the protocol for each URL is optional. If you want to scan a URL using both HTTP and HTTPS, you can simply enter
You have the following options to control which protocol is used to scan your URLs:
- Scan using HTTP & HTTPS - When this option is selected, all of your URLs will be scanned using both HTTP and HTTPS, regardless of whether you explicitly specified a protocol in the list of URLs.
Scan using my specified protocols - When this option is selected, Burp Scanner will scan the URLs using the protocols that you specify explicitly. For example, if you only include the URL
http://example.org, the URL
https://example.orgwould not be scanned. Any URLs for which no protocol is specified will still be scanned using both HTTP and HTTPS.
Note that even when you choose to scan a URL using both HTTP and HTTPS, if Burp identifies that the content is the same, it will only crawl and audit the location once.
Items to scan
This section is displayed for the "Audit selected items" scan type. The URLs of the selected items are listed. Note that the same URL will appear more than once if there are multiple requests to the same URL with different parameters.
If you have made a large selection of items to scan, it is often useful to consolidate the selected items to improve the efficiency of the scan. Clicking "Consolidate items" displays a wizard that lets you choose whether to remove items with various features:
- Duplicate items in the selection (those with matching URL and parameter names)
- Out-of-scope items (based on the current suite scope)
- Items with no parameters
- Items with specific file extensions
For each item, Burp shows the number of affected items. If any option would result in none or all of the items being removed, then this option will be unavailable.
The consolidation wizard then displays the full list of items that will be scanned. You can double-click any item in the list to view full request and response. You can manually remove any further items that you do not wish to scan.
The "Scan configuration" section of the scan launcher lets you select configurations to control how the scan is carried out.
You can select multiple configurations, and these will be applied in turn to determine the final configuration that is used for the scan. This allows you to apply a general configuration first (for example, your preferred general scan settings), followed by a more specific configuration (for example, some specific options that are useful for this particular application). If no configurations are selected, then Burp Scanner's default settings will be used.
You can create new configurations on the fly, or select existing configurations from your library, or import from a configuration file.
Application login options
The "Application login" section of the scan launcher lets you specify account credentials that should be submitted to any login functions. The crawler will use these to discover authenticated content behind login functions. The crawler will also attempt to self-register accounts, and use these credentials in addition to those provided.
This section is not available when "Audit selected items" is selected as the scan type, because no crawling is performed.
Resource pool options
The "Resource pool" section of the scan launcher lets you specify the resource pool in which the scan will be run. Resource pools are used to manage the usage of system resources across multiple tasks. Each resource pool can be configured with different settings for the maximum number of concurrent requests, and throttling between requests.