Provided that you have the right role, you can create new sites and new folders to populate the site tree.
- To create a new site, go to "Sites" > "Add a new site". Alternatively, you can select a folder and click "New site" to create a site within that folder.
- Enter a name for the site to help you identify it later. Note that the site name must be unique within its parent folder.
- You can choose whether to add the site to a specific folder. If you leave this blank, the site will be created on the top level of the site tree. If a site with the same name already exists in a folder, this folder will be unavailable for selection.
- Under "Site URL" enter the highest-level URL that you want to include in the scans of this site. All subdirectories of this URL will be scanned by default. Note that if you want to scan a URL using both HTTP and HTTPS, you can omit the protocol from the start of the URL. No wildcards are permitted.
If you want to add additional URLs that belong to this site, or want to exclude certain subdirectories from scans, you can do so from the "Advanced options":
- Under "Include URLs", you can specify which additional URLs should be included in scans of this site. For example, you can add any subdomains that also belong to this site. To add multiple URLs, start each one with a new line.
- You can also use the "Exclude URLs" field to exclude URLs from the scope of any scans on this site. For example, if you have paths that contain sensitive information, you could exclude these from scans to prevent sensitive data from being leaked in the scan results.
- Under "Protocol settings", you can centrally manage whether both HTTP and HTTPS are used to scan the site's URLs. You can either choose to use both protocols or, if you prefer, you can select "Scan using my specified protocols". If you select this option, you need to make sure that you have explicitly specified a protocol for each of the URLs. Note that if you want to use both protocols for a particular URL, you will need to create two entries for it, one beginning with http:// and the other beginning with https://.
- Under "Application/user logins", you can provide any login credentials that are relevant for the site. This enables Burp Scanner to access areas of the site that are restricted to registered users.
- You can select default scan configurations that will always be pre-selected for any new scans that you create for this site. You can override the default when you create an individual scan. Most of the configurations from Burp Suite Professional's library are included and you can also choose to upload a custom scan in JSON format.
- Finally, you can add email addresses of users that should receive reports whenever a scan of this site finishes. Note that this option is only supported if your administrator has configured an SMTP server integration.
- When you are done, click "Save". This site is now available in the site tree and is ready to scan.
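To review a draft scope before saving the site (for example, to confirm that a sensitive path really is excluded), the rules described above can be modelled in Python. This is an added example, not Burp Scanner's own matching logic: it assumes matching on whole path segments, and the function names and example.com values are made up for illustration.

```python
import re
from urllib.parse import urlsplit

def parse_entry(entry):
    """Split a scope entry or URL into (scheme or None, host, path segments)."""
    entry = entry.strip()
    scheme = None
    m = re.match(r"([A-Za-z][A-Za-z0-9+.-]*)://", entry)
    if m:
        scheme, entry = m.group(1).lower(), entry[m.end():]
    parts = urlsplit("//" + entry)
    return scheme, parts.netloc.lower(), [s for s in parts.path.split("/") if s]

def covers(entry, url):
    """True if url is the entry itself or lies in a subdirectory of it."""
    e_scheme, e_host, e_segs = parse_entry(entry)
    u_scheme, u_host, u_segs = parse_entry(url)
    if e_scheme is not None and e_scheme != u_scheme:
        return False  # entry names a protocol, so only that protocol matches
    if e_host != u_host:
        return False  # a subdomain needs its own "Include URLs" line
    # Assumption: compare whole segments, so /shop does not cover /shopping.
    return u_segs[:len(e_segs)] == e_segs

def field_lines(field):
    """One URL per line, as in the "Include URLs" and "Exclude URLs" fields."""
    return [line.strip() for line in field.splitlines() if line.strip()]

def in_scope(url, site_url, include_urls="", exclude_urls=""):
    """Model of the scope rules: included by some entry and excluded by none."""
    if "*" in site_url:
        raise ValueError("no wildcards are permitted in the site URL")
    included = any(covers(e, url) for e in [site_url] + field_lines(include_urls))
    excluded = any(covers(e, url) for e in field_lines(exclude_urls))
    return included and not excluded

# Constructed sample site definition; example.com is a placeholder.
SITE_URL = "example.com/shop"                           # no protocol: HTTP and HTTPS
INCLUDE = "https://api.example.com\nexample.com/blog"   # one URL per line
EXCLUDE = "example.com/shop/admin"                      # sensitive path kept out

if __name__ == "__main__":
    for candidate in ("http://example.com/shop/cart",
                      "https://example.com/shop/admin/users",
                      "http://api.example.com/v1"):
        print(candidate, in_scope(candidate, SITE_URL, INCLUDE, EXCLUDE))
```

The third candidate is reported as out of scope because the include entry names https:// only, which mirrors the need for two entries when protocols are specified explicitly.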