1. Support Center
  2. Documentation
  3. Enterprise Edition
  4. Working with Burp Suite Enterprise Edition
  5. Working with scans
  6. Browser-powered scans

Browser-powered scanning for Burp Suite Enterprise Edition

Browser-powered scanning is an invaluable feature that unleashes the full capability of Burp Scanner. When browser-powered scanning is enabled, Burp Scanner uses an embedded browser to perform all navigation during both the crawl and audit phase of a scan. Navigating the target in this way enables it to accurately handle virtually any client-side technology that a modern browser can. This has the potential to offer dramatically increased coverage compared to the previous crawler engine.

Browser-powered scanning is almost a necessity in order to perform truly comprehensive automated testing on many modern websites. For example, some websites have a navigational UI that is dynamically generated using JavaScript, which means that it is not present in the raw HTML. In this case, the previous crawler engine would be unable to render the full content and might miss key vulnerabilities as a result. However, when crawling using the embedded browser, Burp Scanner is able to load the page, execute any scripts required to build the UI, and then continue crawling as normal.

Browser-powered scans can also handle cases where the website modifies requests on-the-fly using JavaScript event handlers. By using the embedded browser, Burp Scanner is able to trigger the relevant events and execute the corresponding script, modifying any requests as needed.

Enabling browser-powered scanning also allows you to take advantage of some new features that rely on the embedded browser to work. Most notably, you can record and upload full login sequences so that Burp Scanner is able to successfully handle more complex login mechanisms, including single sign-on.

How to enable browser-powered scanning for Burp Suite Enterprise Edition

Many users won't need to do anything to enable browser-powered scanning. When using the the default scan configuration, Burp Scanner will automatically check your machine's specs. If it appears to meet the system requirements, all scans will use the embedded browser by default. Otherwise, scans will revert to the previous crawler engine.

If you prefer, you can also manually enable or disable browser-powered scanning in your scan configuration. You can find this option under "Crawling" > "Miscellaneous" > "Use embedded browser for crawl and audit".