Using Burp As a Point-and-Click Scanner
Note: Like any other vulnerability scanner, using Burp may result in unexpected effects in some applications. Until you are fully familiar with its functionality and settings, you should only use Burp against non-production systems.
This help section describes how to use Burp as a conventional point-and-click web scanner. In this usage, Burp's actions are entirely automated without any user guidance. This is the model used by other web scanners, and it is subject to significant limitations. Fully automated crawling of today's applications is problematic due to rapidly changing client-side technologies and frameworks, highly stateful application functionality, and complex session handling mechanisms. Fully automated scanning of the crawled attack surface is similarly impaired by the failure to take account of application state and session handling while the scanning is under way. Very often, both crawling and scanning fail to work properly, in ways that are not readily apparent to the user of the automated scanner. Further, of course, there are many categories of critical bugs that can only be found through human understanding and experience. For these reasons, fully automated testing by any scanner will provide incomplete coverage. This shortcoming in conventional scanners is a key reason why Burp Scanner was designed to fit neatly into a user-driven testing workflow, with fine-grained human control over its actions, and real-time feedback about its performance. Nonetheless, if you want to use Burp as a point-and-click scanner, you can do so with the steps described below.
- First, ensure that Burp is installed and running. If you have already done any work using the current instance of Burp, then close it down and start a clean instance.
- Go to the Burp menu and choose "Restore defaults" for all options.
- Go the Spider tab, and then the Options sub-tab, and scroll down to the "Application login" section. If the application you are scanning uses authentication, and you have login details for the application, then select "Automatically submit these credentials", and enter your username and password in the boxes. If you do not have any login details, then select "Handle as ordinary forms".
Have you already
to work with Burp?
- If Yes, then carry out these steps: Go to the Proxy tab, then the Intercept sub-tab, and turn off Proxy interception (if the button says "Intercept is on" then click it to toggle the interception status to off). Then go to your browser, and visit the start URL for the application you are scanning.
- If No, and you are not comfortable changing your browser settings, then carry out these steps: Copy to the clipboard the start URL for the application you are scanning. Then go to the Repeater tab, right-click on the request panel to open the context menu, and select "Paste URL as request". Then open the same context menu again, and select "Add to site map".
- If the application uses both HTTP and HTTPS (which is generally the case), then repeat step 4 using both protocols in the URL.
- In Burp, go to the Target tab, and the Site map sub-tab. You should see one or more entries showing domain names. Select the domain name for your target application, right-click to open the context menu, and select "Expand branch". This will expand the tree showing the structure of the website that Burp has been able to discover from step 4.
- Within the expanded tree, select the location of the application, based on the URL you used in step 4. In many cases, this will be the top-level domain itself (e.g. http://example.org) and in other cases will be a folder beneath the domain name (e.g. http://example.org/banking/app). Select the relevant location, right-click to open the context menu, and choose "Spider this host / branch". Burp may then prompt to say that the selected item is outside the current spidering scope, and ask whether you would like to modify the scope to include the items. Click "Yes".
- If the application uses both HTTP and HTTPS, then repeat steps 6 and 7 for both protocols.
- Go to the Spider tab, and the Control sub-tab. The "Spider status" section shows Burp's progress as it crawls the application's content and functionality. Wait until the "Requests queued" and "Forms queued" both show zero items remaining. For large or slow applications, this may take some time.
- When the spidering is completed, go back to the Target tab, and the Site map sub-tab. The site map may now contain considerably more content, which has been discovered by the spidering process. Select again the location of the application (as per step 7), right-click to open the context menu, and choose "Actively scan this host / branch". Burp will then open a wizard. On the first screen of the wizard, if the box "Remove out-of-scope items" is available (not grayed out), then check this box. Click "Next" and "OK" to complete the wizard.
- If the application uses both HTTP and HTTPS, then repeat step 10 for both protocols.
- Go to the Scanner tab, and the Scan queue sub-tab. The scan queue shows all of the items that are queued to be scanned. You can monitor Burp's progress as it scans these, and the numbers of issues found. When all of the items in the scan queue have been processed, the scan is completed.
- In the Target tool, go to the Site map sub-tab, and find the Issues view. This contains all of the scan results that Burp has identified. As you select one or more nodes in the application tree, Burp shows a list of all the issues that were identified for the selected branch(es). You can select an individual issue to view the details, including a customized issue advisory, and the requests and responses that Burp used as the basis for reporting the issue. Note that in the list view of issues, issues of the same type may be consolidated into a single entry, and you can expand this entry to see all instances of the issue.
- To generate a report of your scanning, collapse the tree view of the application's contents. Then select the top-level domain entry for the application. If the application uses both HTTP and HTTPS, then select both items (you can hold down the SHIFT key to select more than one item). Then right-click to show the context menu, and select "Report selected issues". This opens a wizard that lets you configure details of the report. Choose one of the HTML-based reporting formats, and click through the wizard. You can leave all default settings unmodified, and finally specify a location on your computer where you want to save the report. When the report has been saved, you can go to this location and open the HTML report to view in your browser.
- If you wish, you can save Burp's current state so that you can reload all of the current information back into the Target site map at a later time. To do this, go to the Burp menu, and choose "Save state". Click through the wizard and specify a location on your computer where you want to save the state file. You can later restore this state into another instance of Burp, by choosing "Restore state" from the Burp menu.
- When you have finished your work, it is recommended that you restore defaults settings for all options, using the Burp menu. Then exit Burp cleanly by selecting "Exit" from the Burp menu.
Use the links below for further help on starting to use Burp Scanner: