Scan configurations can be used to control numerous details of how a scan is performed, such as the maximum link depth of the crawl, or what types of issues to report. If no configuration is specified when setting up a scan, then Burp Scanner will use its default configuration, which is suitable for typical websites.
You can specify multiple configurations for a single scan, and these will be applied sequentially in the same way as when launching scans using Burp Suite Professional. Each configuration can define settings in one or more specific areas. Applying configurations sequentially allows you to specify a general configuration followed by more specific configurations. When these are applied, they will be combined to determine the full configuration that is actually used.
When selecting scan configurations, you can:
- Choose from various built-in configurations that are useful for common purposes, such as performing a fast crawl or auditing only for critical vulnerabilities. Most of the scan configurations from Burp Suite Professional's library are available.
- Import custom configurations. These use the same JSON format that Burp Suite Professional uses for its configuration files. To create a custom configuration, use the configuration library function in Burp Suite Professional to create the configuration that you want. Export the configuration to a file and then load it into Burp Suite Enterprise Edition as a custom scan configuration. Alternatively, you could manually create a scan configuration in JSON and import it.
If you hover over a configuration, you can click the eye-shaped icon to see which settings that configuration changes. Collapsed sections contain settings that are unchanged from the standard configuration, whereas expanded sections contain settings that the configuration changes. For "Crawl strategy - fastest", the "Crawl optimization" section is expanded because the "Crawl strategy" is set to "Fastest". If you select a custom scan configuration, only the raw JSON content is shown.