You can initiate scans against your target application in two different ways:
- Manual scanning - This involves selecting HTTP requests or URLs anywhere within Burp, and using the context menu to initiate a scan.
- Live scanning as you browse - You can configure the Scanner to automatically perform scans against requests passing through the Proxy as you are browsing the application.
From anywhere within Burp, you can select one or more HTTP requests or URLs, and send these to the Scanner to perform scans. Some examples of using this technique are as follows:
- When you are exploring an application and manually intercepting requests through the Proxy, any time you see a request with interesting parameters, you can send it for scanning using the context menu.
- When you have mapped out an application's content and functionality, you can select the application host in the target site map, and initiate a scan against the whole application using the context menu.
- Instead, if you want to scan only selected parts of the application, you could select only certain branches in the site map, and use the context menu to scan just those items. Alternatively, you could define your target scope to include only specific directories and URLs, and select the "Remove out-of-scope items" in the active scanning wizard.
- When you are manually probing an individual request for vulnerabilities in Burp Repeater, you can use the context menu to fire off an active scan against just that request. The active scan will check for the full range of input-based vulnerabilities, leaving you to focus on the types of vulnerabilities that only a human can detect.
- When reviewing the results of an Intruder fuzzing attack, you might spot an unusual response that was triggered by changing one of the parameters in the base request, indicating that you have hit a new code path in the application. You can then send that result item for active scanning, so that the other request parameters are tested alongside the modified parameter value. This technique can often find difficult bugs that elude most scanners; for example, a cross-site scripting or SQL injection vulnerability in one parameter, that depends on another parameter also having a modified value.
Active Scanning Wizard
If you select multiple items and send these for active scanning, Burp launches a brief wizard that lets you fine-tune your selection. This enables you to quickly select large branches of the site map, which typically contain some items that you don't need to scan, and then remove the unnecessary items in the scan wizard.
The wizard lets you choose whether to remove items with various features:
- Duplicate items in the selection (those with matching URL and parameter names)
- Items that have already been scanned
- Out-of-scope items
- Items with no parameters
- Items with media (non-text) responses
- Items with specific file extensions
For each item, Burp shows the number of affected items where this is known. If some items have not yet been requested, then Burp will need to request these before determining which of them have media responses. If any option would result in none or all of the items being removed, then this option will be unavailable.
The wizard then displays the full list of items that will be scanned. You can double-click any item in the list to view full request and response details. You can manually remove any further items that you do not wish to scan.
The wizard then completes and the selected items are sent for scanning in the usual way.
Live scanning allows you to determine what gets scanned by stepping through the target application using your browser, via Burp Proxy. You can configure separate settings for live active scanning and live passive scanning.
Live Active Scanning
To perform live active scanning, carry out the following steps:
- Configure the live active scanning settings with the details of the targets you want to actively scan. If you have already configured a suite-wide target scope for your current work, then you can simply tell Burp to actively scan every request that falls within that scope. Alternatively, you can define a custom scope using URL matching rules.
- Browse around the application in the usual way via Burp Proxy. This will effectively show Burp which application functions you want to scan. For each unique in-scope request that you make via your browser, Burp will queue the request for active scanning, and will work away in the background to find vulnerabilities for you.
Note: Live active scanning ignores requests for media resources (images, etc.) where the request does not contain any non-cookie parameters. Requests like these are virtually always for static resources that do not have any security significance, and so can be safely ignored by the Scanner. (This does not apply to manual scanning - if you manually select send these items for active scanning, then they will of course be scanned in the normal way.)
Click here to read about all ways of initiating scans.
Live Passive Scanning
To perform live passive scanning, carry out the following steps:
- Configure the live passive scanning settings with the details of the targets you want to passively scan. By default, Burp performs passive scanning of all requests, but you can restrict this to the suite-wide target scope, or a custom scope using URL matching rules.
- Browse around the application in the usual way via Burp Proxy. This will effectively show Burp which application functions you want to scan.
Click here to read about all ways of initiating scans.