Provided that you have the right role, you can create new sites and new folders to populate the site tree.
- To create a new site, go to "Sites" > "Add a new site". Alternatively, you can select a folder and click "New site" to create a site within that folder.
- Enter a name for the site to help you identify it later. Note that the site name must be unique within its parent folder.
- Choose whether to add the site to a specific folder. If a site with the same name already exists in a folder, this folder will be unavailable for selection. If you leave this field blank, the site will be created on the top level of the site tree.
- Under "Site URL" enter the highest-level URL that you want to include in the scans of this site. All subdirectories of this URL will be scanned by default. Note that if you want to scan a URL using both HTTP and HTTPS, you can omit the protocol from the start of the URL. No wildcards are permitted.
If you want to add additional URLs that belong to this site, or want to exclude certain subdirectories from scans, you can do so from the "Advanced options":
- Under "Include URLs", you can specify which additional URLs should be included in scans of this site. For example, you can add any relevant subdomains. To add multiple URLs, start each one with a new line.
- You can also use the "Exclude URLs" field to exclude URLs from the scope of any scans on this site. For example, if you have paths that contain sensitive information, you could exclude these from scans to prevent sensitive data from being leaked in the scan results.
- Under "Protocol settings", you can manage whether both HTTP and HTTPS are used to scan the site's URLs. You can either choose to use both protocols or, if you prefer, you can select "Scan using my specified protocols". If you select this option, you need to make sure that you have explicitly specified a protocol for each of the URLs. If you still want to use both protocols for a particular URL, you will need to create two entries for it: one beginning with http:// and the other beginning with https://.
- Under "Application logins", you have the option to provide valid login credentials that Burp Scanner can use to access areas of the site that are restricted to registered users. In some cases, you may be able to just provide basic sets of login credentials. However, for more complex login mechanisms, you can record yourself performing the full login sequence using our dedicated browser extension and upload the generated script.
- If you want, set a default scan configuration that will be preselected for any new scans that you create for this site. You can override the default when you create an individual scan. Most of the configurations from Burp Suite Professional's library are included. Alternatively, you can upload a custom scan configuration in JSON format.
- Finally, you can add email addresses of users that should receive reports whenever a scan of this site finishes. Note that this option is only supported if your administrator has configured an SMTP server integration.
- When you are done, click "Save". This site is now available in the site tree and is ready to scan.
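The URL rules above (no wildcards in the site URL, an explicit protocol on every entry when "Scan using my specified protocols" is selected, and two entries to keep both protocols) can be checked before you fill in the form. This is an added example, not part of the product or its documentation; the function names are hypothetical and the example.com URLs are constructed sample input.

```python
# Added example: pre-flight check for a planned site definition.
# Encodes only the rules stated in the text above; it is not Burp's own validation.

def split_protocol(url):
    """Return (protocol, rest); protocol is '' when the URL omits it."""
    proto, sep, rest = url.partition("://")
    return (proto.lower(), rest) if sep else ("", url)

def check_site(site_url, include_urls="", specified_protocols=False):
    """List problems in a site definition before it is entered in the form.

    include_urls: text for "Include URLs", one URL per line.
    specified_protocols: True when "Scan using my specified protocols" is selected.
    """
    problems = []
    if "*" in site_url:
        problems.append(f"Site URL: wildcards are not permitted: {site_url}")
    entries = [site_url.strip()] + [
        line.strip() for line in include_urls.splitlines() if line.strip()]
    if specified_protocols:
        for url in entries:
            if split_protocol(url)[0] not in ("http", "https"):
                problems.append(f"no explicit http:// or https:// protocol: {url}")
    return problems

def expand_both_protocols(urls):
    """Turn each protocol-less URL into the two explicit entries needed to
    keep scanning it over both HTTP and HTTPS in specified-protocols mode."""
    out = []
    for url in urls:
        proto, rest = split_protocol(url.strip())
        out.extend([url.strip()] if proto else [f"http://{rest}", f"https://{rest}"])
    return out

if __name__ == "__main__":
    # Constructed sample input (example.com names are placeholders).
    includes = "https://api.example.com\nstatic.example.com/assets"
    for p in check_site("example.com/app", includes, specified_protocols=True):
        print(p)
    print(expand_both_protocols(["example.com/app", "https://api.example.com"]))
```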