3. Run your first scan

  • Last updated: September 9, 2021

In Burp Suite Enterprise Edition, you create "sites" to represent any websites or web applications that you want to scan. An onboarding wizard helps you to add your first site and then run a scan on it. We've provided a live, deliberately vulnerable website for you to scan so that you can follow along with this tutorial.

Step 1: Skip the web server setup

The first step of the onboarding wizard prompts you to configure the web server. You can come back to this later. Just click Skip for now.

Skipping the web server setup

Step 2: Add your first site

You're prompted to add your first site. Start by giving it a name. This can be anything you like, but let's go with PortSwigger Labs for this example.

Adding a new site

The Site URL is the URL from which all scans of this site will start. Any sub-paths of the URL are included in the scope of the scan by default. Enter portswigger-labs.net. This is a demo website with a few intentional vulnerabilities.

Note

Using Burp Scanner may have unexpected effects on some applications. Until you are fully familiar with its functionality and settings, you should only run scans against non-production systems. Do not run scans against third-party websites unless you have been authorized to do so by the owner.

Leave all the other options as their defaults and click Next: Create a scan.

Step 3: Schedule a scan

You're now presented with various options for scheduling and configuring a scan of the site. Leave all of the options as their defaults and click Finish. This will schedule a one-off scan to run immediately.

Step 4: Monitor the scan's progress

To monitor the scan's progress, select Scans from the main navigation bar at the top of the screen. You can then see your scan and some basic information about it, including the current status. While the scan is being initialized, this will say Waiting for agent.

A minute or two after the scan begins running, color-coded icons appear in the Issues column. These indicate the number of security issues found by the scan for different severity levels.

Monitoring the scan's progress

Step 5: View more details

You can click on the individual scan to view more details about it. On the Issues tab, you can monitor which issues are discovered in real time. We'll look more closely at this tab in the next tutorial once the scan has finished. The scan should only take about five minutes.

Next step - Analyze the results of your scan
