You can click on any site to view more details. Within a site, the following tabs are available.
The site-level dashboard shows various metrics specific to the site. For example, you can see the current status of scans for the selected site, as well as trend charts for the most recent scans so you can keep track of how your security posture is improving over time.
The "New and resolved issues over time" chart shows the number of issues that are new, resolved, and regressed as compared to the previous scan. This enables you to monitor your progress over time.
You can hover over different areas of the charts to get more information. Clicking on some of them allows you to drill down into the results. For example, clicking on an issue severity in the "Current issues" chart opens the "Issues" tab, filtered based on the selected severity. To download charts in
PNG format, click the three vertical dots in the upper-right corner of the chart.
The "Scans" tab shows a list of scans that have been performed on the site. This includes key information, such as the current status of each scan and how many issues were found by this scan for each severity level. You can click into each scan to open the scan details.
The "Issues" tab shows all issues from the latest scan of the site. Issues are grouped by their type. The number next to each issue indicates the number of instances of this issue type that were found. You can expand any issue type to see the individual URLs where this issue type was found.
Clicking the URL opens the issue details page, which provides an issue description, remediation advice, as well as the HTTP request and response where the issue was found. You can also mark the issue as a false positive.
You can download the issues list as a
CSV file in order to continue analyzing the data in another application, for example.
The "Details" tab lets you view and edit the site's configuration, such as which folder it belongs to, which URLs are included, and so on.
When you create a site, you have to specify at least one URL that should be included in any scans. This is the URL from which the scan will start crawling. By default, all subdirectories of this URL are treated as being in-scope for scans of this site. For example, if you include the URL
example.com/my-application, this scan would also include URLs such as:
You can add multiple URLs to a site by starting a new line for each URL.
You might have certain paths that you don't want to be included in scans, for example, if they contain sensitive user data that you don't want to appear in scan results. When creating or editing a site, you can simply add these URLs to the "Excluded" list. To use our previous example, although you might want to scan
example.com/my-application, you might want to exclude
Specifying the protocol of a URL is optional. If you omit the protocol, as we did in the examples above, Burp Suite Enterprise Edition applies this setting to both HTTP and HTTPS.
Note that no wildcards are permitted in site URLs.