Last updated: October 26, 2021
Scan configurations can be used to control various details of how a scan is performed, such as the maximum link depth of the crawl, or what types of issues to report. If no configuration is specified when setting up a scan, then Burp Scanner will use its default configuration, which is suitable for typical websites.
You can specify multiple configurations for a single scan. These are applied in the order you list them, in the same way as when launching scans from Burp Suite Professional. Each configuration can define settings in one or more specific areas, so a common pattern is a general configuration followed by one or more specific ones. When they are applied, their settings are combined to produce the full configuration that is actually used: where two configurations set the same setting, the one applied later takes effect, and any setting that no configuration mentions keeps its default value.
When selecting scan configurations, you can:
- Choose from various built-in configurations that are useful for common purposes, such as performing a fast crawl or auditing only for critical vulnerabilities. Most of the scan configurations from Burp Suite Professional's library are available.
- Import custom configurations. These use the same JSON format that Burp Suite Professional uses for its configuration files. This means you can export your favorite configurations from Burp Suite Professional to use them in Burp Suite Enterprise Edition.
If you hover over a configuration, an eye-shaped icon appears; click it to see which settings the configuration changes. Collapsed sections contain settings that are unchanged from the default configuration, whereas expanded sections contain settings that this configuration changes. For example, for "Crawl strategy - fastest" the "Crawl optimization" section is expanded because "Crawl strategy" is set to "Fastest". Note that for a custom scan configuration that was imported as a JSON file, only the raw JSON content is shown.
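The two behaviours described above, sequential application of several configurations and the "which settings does this configuration change" view, come down to a deep merge over nested JSON objects and a diff against the default. The following Python is an added example written for this page, not PortSwigger code, and it does not reproduce Burp's real configuration file format: the default values and the key names ("crawl_optimization", "crawl_strategy", "maximum_link_depth", "severity_threshold") are constructed for illustration and are assumptions, not Burp's actual keys.

```python
import copy
import json

# Constructed stand-in for Burp Scanner's default configuration.
# Section and setting names are illustrative assumptions, not Burp's real keys.
DEFAULT_CONFIG = {
    "crawl_optimization": {"crawl_strategy": "normal", "maximum_link_depth": 8},
    "audit_optimization": {"audit_speed": "normal", "scan_accuracy": "normal"},
    "issues_reported": {"severity_threshold": "info"},
}

# A general configuration (a fast crawl) ...
FAST_CRAWL = {"crawl_optimization": {"crawl_strategy": "fastest"}}

# ... followed by a more specific one, supplied as JSON text the way an
# exported Burp Suite Professional configuration would be imported.
SHALLOW_HIGH_SEVERITY_JSON = """
{
    "crawl_optimization": {"maximum_link_depth": 3},
    "issues_reported": {"severity_threshold": "high"}
}
"""


def load_configuration(json_text):
    """Parse an imported configuration and reject anything that is not a JSON object."""
    conf = json.loads(json_text)
    if not isinstance(conf, dict):
        raise ValueError("scan configuration must be a JSON object")
    return conf


def deep_merge(base, override):
    """Return a new dict with `override` applied on top of `base`.

    Nested objects are merged key by key; any other value in `override`
    replaces the corresponding value in `base`. Neither input is mutated.
    """
    result = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = deep_merge(result[key], value)
        else:
            result[key] = copy.deepcopy(value)
    return result


def apply_configurations(default, configurations):
    """Apply configurations in order; a later one wins where settings overlap."""
    effective = default
    for conf in configurations:
        effective = deep_merge(effective, conf)
    return effective


def changed_sections(default, configuration):
    """Map each top-level section to the settings that differ from `default`.

    Sections with no differences are omitted, mirroring the collapsed
    (unchanged) versus expanded (changed) sections in the eye-icon view.
    """
    changes = {}
    for section, settings in configuration.items():
        base = default.get(section, {})
        diff = {k: v for k, v in settings.items() if base.get(k) != v}
        if diff:
            changes[section] = diff
    return changes


if __name__ == "__main__":
    specific = load_configuration(SHALLOW_HIGH_SEVERITY_JSON)
    effective = apply_configurations(DEFAULT_CONFIG, [FAST_CRAWL, specific])
    print(json.dumps(effective, indent=2))
    print(json.dumps(changed_sections(DEFAULT_CONFIG, FAST_CRAWL), indent=2))
```

Note that a setting which a later configuration sets to the same value as the default still counts as unchanged in the diff view, and that reversing the order of two configurations which set the same setting changes the effective result, which is why the general configuration should be listed first.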
Creating custom scan configurations in Burp Suite Enterprise Edition
Creating custom scan configurations enables you to fine-tune Burp Scanner's behavior to suit a particular target site or different use cases.
To create a custom scan configuration in Burp Suite Enterprise Edition:
- From the settings menu, select "Scan configurations".
- In the upper-right corner of the screen, click the "New configuration" button.
- Enter a suitable name for the scan configuration to help you identify it later. This is the name that will appear in the list of configurations that you can choose from when scheduling a scan.
- Initially, all of the settings will be identical to Burp Scanner's default configuration. Expand each section and make any changes you want to the individual settings. For more details about the individual settings, please see the sections below.
- When you're happy with your changes, click "Save". When you create a new site or schedule a scan, your new configuration will be available for selection.
Crawl options
The crawl options enable you to fine-tune Burp Scanner's behavior when it's mapping out the website's content and identifying navigational paths within it. For more details about each of the available options, please refer to the "Crawl options" section of the main Burp Scanner documentation. Virtually all of the settings are identical in both Burp Suite Professional and Burp Suite Enterprise Edition.
Audit options
The audit options enable you to fine-tune Burp Scanner's approach when analyzing the website's traffic and behavior to identify security vulnerabilities and other issues. You can also use these settings to determine which checks are performed. For more details about each of the available options, please refer to the "Audit options" section of the main Burp Scanner documentation. Virtually all of the settings are identical in both Burp Suite Professional and Burp Suite Enterprise Edition.
Connection options
The connection options let you configure how Burp Scanner should handle platform authentication on the destination server and whether it should use any upstream proxy servers when sending requests. You can also upload client TLS certificates that it can use when a destination host requests one.
Request throttling
You can use the request throttling settings to control how many requests Burp Scanner makes and how often. This can help you reduce the chance of multiple concurrent scans overloading your system resources or the target site. You can control how many requests the scan will issue simultaneously and set an interval that Burp Scanner should wait between issuing requests.