Adding new sites
Last updated: January 24, 2023
In order to scan a website, you first need to add it to Burp Suite Enterprise Edition. Adding a site's details makes it possible to take full advantage of Burp Suite Enterprise Edition's analytics features, which enable you to track issues with your site over time. Most of Burp Suite Enterprise Edition's data and configuration options are managed on a per-site basis.
You can add as many sites as you need at no extra cost. Burp Suite Enterprise Edition licenses are based around the number of concurrent scans you can run, not the number of sites added to the system.
Your scanning machines must be able to access the sites you want to scan. For information on allowing access, see Configuring your environment network and firewall settings.
To add a site:
- Select Sites > Add a new site to display the Create a new site page.
- Enter a unique Site name.
- If required, select a Site folder. If you leave this field blank then the site is created at the top level of the site tree.
- Enter the highest-level URL that you want to include in scans of the site into the Site URL field. This is the seed URL from which Burp Scanner will start navigating through your site. No wildcards are permitted.
- Optionally, select Additional / Excluded URLs and specify which URLs are in scanning scope for the site:
  - To include additional URLs that are part of the same web application but not contained under the specified Site URL, enter the relevant addresses into Include URLs.
  - To exclude URLs from scope, enter the relevant addresses into Exclude URLs.
- Select whether you want to Scan using HTTP & HTTPS or Scan using my specified protocols. If you select Scan using my specified protocols then you must specify a protocol at the start of the Site URL and the URLs in the Additional / Excluded URLs section.
- Scroll down to Scan settings > Scan configuration and select a scan configuration for the site. You can either use a preset scan mode or a custom configuration:
  - To use a preset scan mode, ensure that Use a preset scan mode is selected and choose one of the available options.
  - To select a custom configuration, select Use a custom configuration and choose the configuration you want to add from the list. For information on creating custom configurations, see Using custom scan configurations.
- Select Save.
Burp Suite Enterprise Edition adds the new site to the site tree and prompts you to perform a pre-scan check.
If you want to run some test scans before you add your own sites, you can use vulnerable-website.com. This is a demo website with a few intentional vulnerabilities.
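The scope rules in the steps above (a unique Site name, no wildcards in the Site URL, a protocol on every URL when Scan using my specified protocols is selected) can be checked before a site is added. The following is an added example, not part of Burp Suite Enterprise Edition or of the original page; the dictionary layout, the function names, the matching of entries on a path boundary and the rule that exclusions take precedence are assumptions, and the hosts are constructed placeholders.

```python
def strip_scheme(url):
    """Drop a leading 'scheme://' so http and https entries compare equal."""
    return url.split("://", 1)[-1]

def covers(entry, url, specified_protocols):
    # Assumption: an entry covers itself and everything beneath it, matched on
    # a path boundary so "shop.example.com" never covers "shop.example.com.x".
    if not specified_protocols:
        entry, url = strip_scheme(entry), strip_scheme(url)
    entry = entry.rstrip("/")
    return url.rstrip("/") == entry or url.startswith(entry + "/")

def validate_site(site, existing_names=()):
    """Return a list of problems with a planned site definition; empty means OK."""
    problems = []
    if not site["name"].strip():
        problems.append("Site name is empty")
    elif site["name"] in existing_names:
        problems.append("Site name is not unique")
    if "*" in site["site_url"]:
        problems.append("Site URL contains a wildcard")
    if site["specified_protocols"]:
        for url in [site["site_url"], *site["include"], *site["exclude"]]:
            if "://" not in url:
                problems.append(f"No protocol on {url}")
    return problems

def in_scope(site, url):
    """True if url is under the Site URL or an Include URL and under no Exclude URL."""
    mode = site["specified_protocols"]
    if any(covers(e, url, mode) for e in site["exclude"]):
        return False  # assumption: exclusions win over inclusions
    return any(covers(e, url, mode) for e in [site["site_url"], *site["include"]])

# Constructed sample definition; every host is a placeholder.
SITE = {
    "name": "Shop (staging)",
    "site_url": "https://shop.example.com/",
    "include": ["https://static.example.com/shop/"],
    "exclude": ["https://shop.example.com/admin/"],
    "specified_protocols": True,
}
```

Running `in_scope` over a list of URLs you expect the scanner to reach, and a list you expect it to avoid, gives a quick review of the planned scope before the first scan.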
Optional settings for your new site
When you add a new site, you can configure a number of settings:
- You can add or exclude URLs from your site's scope. Under Site scope, select Additional / Excluded URLs:
  - To include URLs that are part of the same web application but not contained under the Site URL, enter the addresses into Include URLs.
  - To exclude URLs from the site scope, enter the addresses into Exclude URLs.
- You can scan using your own specified protocols, instead of HTTP and HTTPS. Under Site scope, select Scan using my specified protocols. Enter the protocol at the start of the Site URL and the URLs in the Additional / Excluded URLs section.
- You can set a custom scan configuration:
  - Under Scan settings, go to the Scan configuration tab.
  - Under Scan configuration for this site, select Use a custom configuration.
  - Choose the configuration you want to add from the configuration library. For more information, see Using custom scan configurations.
- You can add login credentials for your website. This enables Burp Scanner to log in and scan the site as an authenticated user. Under Scan settings > Application logins, select Add usernames and passwords or Upload recorded login sequences. For more information about recorded logins, see Adding recorded login sequences.
We recommend keeping a consistent scan configuration for each site you add. Changing the scan configuration can affect vulnerability trends over time and cause Burp Suite Enterprise Edition to give inaccurate time estimates while scanning.
If you want to scan a site that you have already added with a new configuration, we recommend adding the site again with the new configuration selected.
- Managing scheduled scans - explains how to schedule scans for your new site.
- Defining scan configuration for a site - explains how to create and work with scan configurations.
- Configuring site settings - explains the optional scan settings you can configure for a site.
- Configuring your environment network and firewall settings.
- Importing sites in bulk - explains how to add multiple sites at once.
- Burp Scanner built-in configurations - reference information on Burp Scanner's built-in scan configurations.
- Adding recorded login sequences.
- Performing a pre-scan check.