Get involved in the Burp challenge for opportunities to test your skills and win swag  –   Challenge me

ENTERPRISE

Scan configurations

  • Last updated: November 11, 2022

  • Read time: 3 Minutes

Scan configurations define how a scan is performed. For example, a scan configuration can specify the maximum link depth of the crawl, or what types of issues to report.

There are two ways of configuring scans for a site in Burp Suite Enterprise Edition:

  • Preset Scan modes are predefined collections of scan settings. They offer a quick way to adjust how the scan balances speed and coverage.
  • Custom configurations enable you to fine-tune Burp Scanner's behaviour to meet your needs.

Custom configurations are stored in the configuration library, which includes some built-in configurations to get you started.

You can use custom configurations in several ways:

In addition, you can combine any of these configurations together. This enables you to create modular scans. For example:

  • You create a base scan configuration "module".
  • You then create a configuration that sets a shorter crawl limit.
  • You combine the two configurations to create a new scan that has a different balance between speed and coverage.

You can select a custom scan configuration when you add a new site. To see more details about a scan configuration, click .

Custom scan configuration options

You can use the following options to configure your scan:

Crawling

Use the crawling options to define how Burp Scanner behaves when it maps out website content and identifies navigational paths within the scanned site. Virtually all of these settings are identical in both Burp Suite Professional and Burp Suite Enterprise Edition.

Related pages

Auditing

Use the auditing options to define how Burp Scanner analyzes website traffic and behavior. You can also use these settings to determine which checks should be performed during a particular scan. Virtually all of the settings are identical in both Burp Suite Professional and Burp Suite Enterprise Edition.

Connections

Connection options enable you to configure how Burp Scanner handles platform authentication on the destination server. You can configure whether the system uses any upstream proxy servers when sending requests. You can also upload client TLS certificates to enable inbound traffic from hosts.

Request throttling

Throttling requests can help to reduce the chance of scans overloading either your system resources or the target site. To configure how many concurrent requests Burp Scanner can make, use request throttling You can also set an interval between sending requests.

Embedded browser

The embedded browser section enables you to select whether the embedded browser is able to use the GPU during browser-powered scanning. In certain environments, the embedded browser may crash after attempting to use a GPU where none exists.

Modular scan configurations

You can specify multiple configurations for a single site. Burp Scanner applies any selected configurations in order, enabling you to modularize scanning behaviour.

When you select multiple configurations, they're applied in the order that they're "stacked". This means that any options specified for a particular setting take precedence over equivalent settings for configurations higher in the list.

Config name Max crawl time Max locations Max request count
Config 1 150 1500 0
Config 2 100 - 50
Config 3 200 - -
Settings used 200 1500 50

This example shows three selected configurations, which combine with each other when the site is scanned. Notice how using the configurations in this modular way allows you to change the crawl count and request count of your base configuration, without having to specify an entirely new scan configuration.

Note

For simplicity, the above example focuses on the settings in the Crawling > Crawl Limits section of the scan configuration setup. However, the principle applies to all the configuration settings.

To see more details about a scan configuration, click . Only sections that contain specified settings are expanded. If a section is collapsed, the configuration does not specify a value for that particular setting.

Was this article helpful?