Burp Suite, the leading toolkit for web application security testing

Initiating Scans

You can initiate scans against your target application in two different ways:

Manual Scanning

From anywhere within Burp, you can select one or more HTTP requests or URLs, and send these to the Scanner to perform scans. Some examples of using this technique are as follows:

Active Scanning Wizard

If you select multiple items and send these for active scanning, Burp launches a brief wizard that lets you fine-tune your selection. This enables you to quickly select large branches of the site map, which typically contain some items that you don't need to scan, and then remove the unnecessary items in the scan wizard.

The wizard lets you choose whether to remove items with various features:

For each option, Burp shows the number of items that would be removed, where this is known. If some items have not yet been requested, Burp will need to request them before it can determine which of them have media responses. If an option would result in none, or all, of the items being removed, that option is unavailable.

The wizard then displays the full list of items that will be scanned. You can double-click any item in the list to view full request and response details. You can manually remove any further items that you do not wish to scan.

The wizard then completes and the selected items are sent for scanning in the usual way.

Live Scanning

Live scanning allows you to determine what gets scanned by stepping through the target application using your browser, via Burp Proxy. You can configure separate settings for live active scanning and live passive scanning.

Live Active Scanning

To perform live active scanning, carry out the following steps:

Note: Live active scanning ignores requests for media resources (images, etc.) where the request does not contain any non-cookie parameters. Requests like these are virtually always for static resources that have no security significance, so the Scanner can safely ignore them. This does not apply to manual scanning: if you manually select such items and send them for active scanning, they are scanned in the normal way.
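The pre-filter described in the note above, re-implemented in plain Python as an added example (this is not Burp's own code, and Burp's exact media-extension list and parameter handling are not documented here, so the MEDIA_EXTENSIONS set and the choice of query string plus URL-encoded body as the parameter locations are assumptions). The sample requests are constructed for the example. It shows the two cases that matter in practice: an image request carrying only a Cookie header is skipped by live active scanning, while the same image URL with a query parameter, or a media URL POSTed with a body, is still scanned, and manual scanning bypasses the filter entirely.

```python
"""Live-active-scan pre-filter, modelled on Burp's documented rule:
skip a request only if it targets a media resource AND carries no
parameters other than cookies. Manual scanning never applies the rule.
Added example, not PortSwigger code; extension list is an assumption.
"""
from urllib.parse import parse_qsl, urlsplit

# Assumption: file extensions treated as static/media resources.
MEDIA_EXTENSIONS = {
    "png", "jpg", "jpeg", "gif", "bmp", "ico", "svg", "webp",
    "css", "js", "woff", "woff2", "ttf", "eot", "mp3", "mp4", "swf",
}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def is_media_resource(path):
    """True if the last path segment has an extension in MEDIA_EXTENSIONS."""
    last_segment = path.rsplit("/", 1)[-1]
    parts = last_segment.rsplit(".", 1)
    return len(parts) == 2 and parts[1].lower() in MEDIA_EXTENSIONS


def non_cookie_parameters(target, headers, body):
    """Names of all parameters that are not cookies: the query string and,
    for a URL-encoded body, the body fields. Cookie headers are ignored on
    purpose, since they are what the rule excludes."""
    parts = urlsplit(target)
    names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    ctype = headers.get("content-type", "")
    if body and ctype.startswith("application/x-www-form-urlencoded"):
        names += [k for k, _ in parse_qsl(body, keep_blank_values=True)]
    return names


def should_scan(raw, mode="live"):
    """Decide whether the Scanner should process this request.
    mode="live"   -> apply the media/no-parameter skip rule
    mode="manual" -> always scan, as the note above states"""
    if mode == "manual":
        return True
    _method, target, headers, body = parse_request(raw)
    path = urlsplit(target).path
    if is_media_resource(path) and not non_cookie_parameters(target, headers, body):
        return False
    return True


# Constructed sample traffic (not captured from a real target).
SAMPLE_REQUESTS = {
    "image_cookie_only": (
        "GET /static/logo.png HTTP/1.1\r\nHost: shop.example\r\n"
        "Cookie: session=abc123\r\n\r\n"
    ),
    "image_with_query": (
        "GET /static/logo.png?id=7 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
    ),
    "image_posted_body": (
        "POST /img/avatar.jpg HTTP/1.1\r\nHost: shop.example\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=1"
    ),
    "page_cookie_only": (
        "GET /account HTTP/1.1\r\nHost: shop.example\r\nCookie: session=abc123\r\n\r\n"
    ),
    "page_with_query": (
        "GET /account?id=7 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
    ),
}


def classify_all(mode="live"):
    """Run the filter over every sample and return {name: scanned?}."""
    return {name: should_scan(raw, mode) for name, raw in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, scanned in classify_all().items():
        print(f"{name:20s} live active scan: {'SCAN' if scanned else 'skip'}")
```

The only request the live filter drops is the image fetch whose sole parameter is a cookie; anything that looks static but carries a query string or body is kept, because those parameters are exactly where injection into a "static" handler would be found.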


Live Passive Scanning

To perform live passive scanning, carry out the following steps:



Monday, January 16, 2017


This release adds various enhancements and fixes:

  • There is a new command-line option to launch Burp with a specified user configuration file.
  • A bug that was recently introduced that prevented license activation in headless mode has been fixed.
  • The Content Discovery function now correctly handles applications that have wildcard behavior for file extensions (e.g. those that return a specific response for admin.xxx regardless of the file extension). This eliminates the only known false positives reported by the new Content Discovery engine.


Copyright © 2016 PortSwigger Ltd. All rights reserved.