PROFESSIONAL

Augmenting your manual testing with Burp Scanner

  • Last updated: August 25, 2022

  • Read time: 3 Minutes

If you're not regularly using Burp Scanner as part of your manual testing workflow, you're wasting far more time and effort than you realize. By taking advantage of a couple of lesser-known features, you can supplement your own expert knowledge and intuition with Burp Scanner's methodical approach to testing. Not only will this help you cover more ground, you'll be able to spend your time where it matters rather than on tedious preliminary work.

Scanning specific requests

When you come across an interesting function or behavior, your first instinct may be to send the relevant requests to Repeater or Intruder and investigate further. It's often beneficial to send the request to Burp Scanner too. It can get to work on the more repetitive aspects of testing while you put your skills to better use elsewhere.

Step 1: Open the lab

Go to Proxy > Intercept and launch Burp's browser. Use it to access the following lab:

https://portswigger.net/web-security/sql-injection/blind/lab-conditional-responses

This should open a deliberately vulnerable online store.

A deliberately vulnerable online store

Step 2: Find an interesting request

Visit one of the product pages.

In Burp, go to the Proxy > HTTP history tab. Observe that the resulting GET /product?productId=X request contains a query parameter and a couple of cookies, all of which are user controllable. This makes it a good place to start looking for input-based vulnerabilities.

Step 3: Launch a quick scan

Right-click on this request, either in the message editor panel or from the list of interactions, and select Do active scan.

Doing an active scan

Burp Scanner immediately begins running an audit-only scan using its default configuration.

Alternatively, if you want more control over how the request is scanned, right-click and select Scan. This way, the scan launcher opens, allowing you to adjust the configuration before the scan starts.

Scanning user-defined insertion points

You've already learned how to scan specific requests, but you can optimize this even further by only scanning with specific insertion points that you think might be of interest.

Step 1: Send the request to Intruder

Send the same GET request we used in the previous tutorial to Burp Intruder and go to the Intruder tab.

Step 2: Set the payload insertion points

As you can see, Burp Intruder has identified three potential insertion points already, and Burp Scanner uses even more than this by default.

Clear the default payload positions and set new ones for the productId and TrackingID only.

Setting payload positions

Step 3: Launch the scan

Right-click on the request and select Scan defined insertion points.

Scanning defined insertion points

From here, you can launch a scan that will only place payloads in the two positions you've explicitly defined. This can massively reduce the number of requests made by Burp Scanner.

Step 4: View the results

This approach can yield results incredibly quickly, giving you something to work with in just a couple of seconds. From the Dashboard tab, notice that the scan is already finished and has found a SQL injection vulnerability.

Summary

You've now learned how to use Burp Scanner during manual testing.

In addition to what you've learned so far, here are a few extra tips:

  • You'll often want to scan using just a single parameter. You can do this even quicker by installing the Scan manual insertion point extension from the BApp store.
  • Manually defining insertion points also lets you scan using inputs that Burp Scanner would normally ignore, such as custom header values.
  • You can also use this technique to scan non-standard data structures, which Burp Scanner may not be able to parse correctly.

Was this article helpful?