Adding new sites

  • Last updated: May 17, 2022

Provided that you have the right role, you can add new sites and new folders to populate the site tree.

Adding individual sites

  1. To create a new site, go to Sites > Add a new site. Alternatively, you can select a folder and click New site to create a site within that folder, or import sites in bulk.
  2. Enter a name for the site to help you identify it later. Note that the site name must be unique within its parent folder.
  3. Choose whether to add the site to a specific folder. If a site with the same name already exists in a folder, this folder will be unavailable for selection. If you leave this field blank, the site will be created on the top level of the site tree.
  4. If you are using a standard deployment, select the scanning pool that the site should belong to. The site will only be scanned by scanning machines that belong to the same pool. The site will belong to the default pool unless you choose a different one. Note that Kubernetes deployments do not use scanning pools, as they are designed to work with auto-scaling scanning resources rather than "fixed" scanning machines. For further details on scanning pools, see Managing scanning pools.
  5. Under Site URL enter the highest-level URL that you want to include in the scans of this site. All subdirectories of this URL will be scanned by default. Note that if you want to scan a URL using both HTTP and HTTPS, you can omit the protocol from the start of the URL. No wildcards are permitted.
  6. If you want to add additional URLs that belong to this site, or want to exclude certain subdirectories from scans, you can do so from the Advanced options:
    • Under Include URLs, you can specify which additional URLs should be included in scans of this site. For example, you can add any relevant subdomains. To add multiple URLs, start each one with a new line.
    • You can also use the Exclude URLs field to exclude URLs from the scope of any scans on this site. For example, if you have paths that contain sensitive information, you could exclude these from scans to prevent sensitive data from being leaked in the scan results.
  7. Under Protocol settings, you can manage whether both HTTP and HTTPS are used to scan the site's URLs. You can either choose to use both protocols or, if you prefer, you can select Scan using my specified protocols. If you select this option, you need to make sure that you have explicitly specified a protocol for each of the URLs. If you still want to use both protocols for a particular URL, you will need to create two entries for it: one beginning with http:// and the other beginning with https://.
  8. Under Application logins, you have the option to provide valid login credentials that Burp Scanner can use to access areas of the site that are restricted to registered users. In some cases, you may be able to just provide basic sets of login credentials. However, for more complex login mechanisms, you can record yourself performing the full login sequence using our dedicated browser extension and upload the generated script.
  9. If you want, set a default scan configuration that will be preselected for any new scans that you create for this site. You can override the default when you create an individual scan. Most of the configurations from Burp Suite Professional's library are included. Alternatively, you can upload a custom scan configuration in JSON format.
  10. If you want to use any extensions for scans of this site, you can add them here. Note that you can also add these later if you prefer.
  11. You can add email addresses of users that should receive reports whenever a scan of this site finishes. Note that this option is only supported if your administrator configured an SMTP server integration.
  12. Finally, you can select Slack channels to receive notifications regarding scans of this site. Note that this option is only supported if your administrator has configured a Slack integration.
  13. When you are done, click Save. This site is now available in the site tree and is ready to scan.

Importing sites in bulk

Instead of adding sites one by one, you can preconfigure and import multiple sites in bulk from a CSV file. To simplify this process, Burp Suite Enterprise Edition provides a premade CSV template for you to download. To import sites using this template:

  1. On the Sites page, click the Import sites button.
  2. In the Import sites dialog, click the Download CSV template link.
  3. Open the CSV file: sites-template.csv.
  4. Add sites to the CSV file as indicated in the placeholder text. Note that the first and second columns (Site name and Included URLs) are mandatory. Leave other columns blank if they are not required.
  5. Delete rows 1, 2, and 3 (containing placeholder text) from the CSV file.
  6. In the Import sites dialog, click Choose file, select your CSV, and click Continue. If you want to add the sites to a specific folder, you can also select this here. Note that you can only import sites to one folder at a time.
  7. Click Import. When the upload has finished, the Import results dialog appears, providing details of any errors. Any sites that were imported successfully will now be available in the site tree, ready to scan.

Alternatively, you can create your own CSV file from scratch. This should have no header row. Each row represents a site that you want to add to Burp Suite Enterprise Edition and can contain the following values:

  • A name for the site as you want it to appear in the web UI. This is mandatory and must be unique in the destination folder in Burp Suite Enterprise Edition.
  • The URLs you want to scan for this site. You must specify at least one URL. You can separate multiples with pipes "|".
  • The URLs you want to exclude for this site. You can separate multiples with pipes "|".
  • If you are using a standard deployment of Burp Suite Enterprise Edition, the name of the pool to which you want to add the site. If blank, the default pool is used.
  • The names of any default scan configurations that you want to use for this site.
  • Any email addresses that you want to receive automated scan reports for this site. You can separate multiples with colons ":".
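
Before uploading a hand-built CSV, it can be checked offline against the rules above. The following is an added example, not PortSwigger code: validate_sites_csv and its helper are hypothetical names, and the sample rows are constructed. It assumes the columns appear in the order of the list above, and that the "no wildcards" rule stated for the Site URL field also applies to URLs in the CSV; the explicit_protocols flag mirrors the Scan using my specified protocols setting.

```python
import csv
import io

# Column order is assumed from the order of the value list above.
COLUMNS = ["name", "include", "exclude", "pool", "scan_configs", "emails"]

def split_multi(value, sep):
    """Split a multi-value cell and drop empty entries."""
    return [v.strip() for v in value.split(sep) if v.strip()]

def validate_sites_csv(text, explicit_protocols=False):
    """Check a header-less import CSV; return (valid_sites, errors)."""
    sites, errors, seen = [], [], set()
    for rownum, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(cell.strip() for cell in row):
            continue  # ignore blank rows
        cells = [c.strip() for c in row] + [""] * len(COLUMNS)
        site = dict(zip(COLUMNS, cells))
        include = split_multi(site["include"], "|")   # pipe-separated
        exclude = split_multi(site["exclude"], "|")   # pipe-separated
        emails = split_multi(site["emails"], ":")     # colon-separated
        problems = []
        if not site["name"]:
            problems.append("missing site name")
        elif site["name"] in seen:  # one import targets one folder
            problems.append("duplicate site name")
        if not include:
            problems.append("no URL to scan")
        for url in include + exclude:
            if "*" in url:  # assumption: Site URL wildcard rule applies here
                problems.append(f"wildcard in {url}")
            if explicit_protocols and not url.startswith(("http://", "https://")):
                problems.append(f"no protocol on {url}")
        problems += [f"bad email {e}" for e in emails if "@" not in e]
        if problems:
            errors += [(rownum, p) for p in problems]
        else:
            seen.add(site["name"])
            sites.append({**site, "include": include, "exclude": exclude, "emails": emails})
    return sites, errors

# Constructed sample input, not taken from sites-template.csv.
SAMPLE = """\
Shop,https://shop.example.com|https://api.shop.example.com,https://shop.example.com/admin,,,appsec@example.com:dev@example.com
Blog,blog.example.com,,,,
Shop,https://shop2.example.com,,,,
,https://orphan.example.com,,,,
Wiki,https://*.example.com,,,,
"""

if __name__ == "__main__":
    ok, bad = validate_sites_csv(SAMPLE)
    print([s["name"] for s in ok], bad)
```

The duplicate-name check only covers rows within the file; names already present in the destination folder still have to be checked in the web UI or in the Import results dialog.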