Getting Started With Burp Scanner
Burp Scanner is a tool for performing automated vulnerability scans of web applications. You can use Burp Scanner alongside your manual testing methodology to quickly identify many types of common vulnerabilities, leaving you to focus on issues that require human intelligence and ingenuity to discover.
Burp Scanner is designed to fit into Burp's user-driven workflow, and the help documentation explains in detail how the Scanner works and how you can use it effectively to support your testing. However, if you are not intending to use Burp in this way, and just want to carry out a quick and easy scan of your application, please refer to Using Burp as a Point-and-Click Scanner, but this type of usage is not recommended.
Note: Using Burp Scanner may result in unexpected effects in some applications. Until you are fully familiar with its functionality and settings, you should only use Burp Scanner against non-production systems.
To start getting to know Burp Scanner, carry out the following steps:
- First, ensure that Burp is installed and running, and that you have configured your browser to work with Burp.
- If you have not done so already, browse around some of your target application, to populate Burp's Target site map with details of the application's contents and functionality. Before doing so, to speed things up, go to the Proxy tab, then the Intercept sub-tab, and turn off Proxy interception (if the button says "Intercept is on" then click it to toggle the interception status to off).
- As you browse, by default Burp Scanner performs passive scanning of all requests and responses passing through the Proxy. Passive scanning involves analyzing these HTTP messages for evidence of certain types of vulnerabilities, and does not send any additional requests to the server. Go to the Target tab, and the Site map sub-tab, and the Issues view, and review any passive issues that Burp has reported for the applications you have visited.
- To find many other types of vulnerabilities, Burp performs active scanning, and this does involve sending additional requests to the application to probe for vulnerabilities. You should only perform active scanning against systems that you are authorized to test in this way. Only proceed to the following steps if you have a suitable target application that you are authorized to scan.
- Go to the Proxy history, and find an interesting-looking request to your target application, containing a number of parameters. Select this single request, and choose "Do an active scan" from the context menu. Unless you have already configured your target scope, Burp will prompt you to confirm. Assuming the request is one you are willing to scan, click "Yes".
- Go to the Scanner tab, and the Scan queue sub-tab. The item you sent for scanning now appears in the scan queue, showing key details about the item, and Burp's progress in scanning it. You can double-click the item to view any issues that Burp has identified, and also review the base request and response (this is the original request that you sent to be scanned, and its associated response). Any issues identified will also be consolidated and added to the main Issues view in the Target site map.
- Go to the Target site map, and in the tree view select a small branch that you are willing to scan, containing more than one URL. Select "Actively scan this branch" from the context menu. Burp will show a wizard that lets you fine-tune your selection, by removing specific items or all items with certain characteristics. For the moment, click through the wizard. Again, if the items are out of scope, Burp may ask you to confirm the action.
- Go back to the Scan queue tab, and note that all of the items you selected have been added to the queue and are in the process of being scanned. Depending on the number of items and their characteristics, this scanning may take a while.
- If you have not already done so, define the target scope for the application you are testing. The simplest way to do this is to select the branch of the site map that contains the application, and choose "Add to scope" from the context menu. Do this with caution, because items added to the scope will be automatically scanned in later steps of this help.
- Go to the Scanner tab, and the Live scanning sub-tab. In the "Live Active Scanning" section, select "Use suite scope". This configuration will cause the Scanner to automatically perform active scanning of in-scope requests that pass through Burp Proxy as you browse.
- Go to your browser, and continue browsing the application, making a few more requests. Go back to the Scan queue tab, and observe that additional items are added to the queue as you browse. You can use this feature to perform automatic scanning of specific application functions, by using your browser to guide Burp as to what should be scanned.
- Go to the Target tab, and the Site map sub-tab, and find the Issues view. Browse around the results that have been generated so far. You can select parts of the tree view to see only the issues for the selected branches, or you can select the whole tree to see all issues. Note that in the list view, issues of the same type may be consolidated into a single entry, and you can expand this entry to see all instances of the issue. Select a specific instance of an issue, and look at the advisory for that issue. This contains details of the vulnerability and its remediation (where relevant) and is fully customized with details of the behavior that was observed in the target application. You can also review the request and response upon which each reported issue was based, with particular parts of these HTTP messages highlighted where relevant.
- View the request that is reported for an individual issue, and open the context menu. Choose "Send to Repeater", and go to the Repeater tab. You will see the selected request has been copied into the Repeater tool, for further testing. For more details on sending items between Burp tools, and the overall testing workflow, see Using Burp Suite.
- Go back to the Issues view in the Target site map. Burp automatically assigns each scan issue a rating for severity and confidence. The severity rating reflects the impact that this type of issue typically has. The confidence rating reflects how confident Burp is that the reported issue is genuine, based on the technique Burp used to detect the issue and the strength of the observed evidence. You can use the context menu on selected issues to manually reassign the severity and confidence ratings, or to flag issues as false positives.
- In the Target site map, select the host for your target application, and choose "Report selected issues" from the context menu. This opens a reporting wizard that lets you configure various aspects of the report. Complete the reporting wizard and view the saved report.
Use the links below for further help on starting to use Burp Scanner: