Initiating Scans
You can initiate scans against your target application in two different ways:
- Manual scanning - This involves selecting HTTP requests or URLs anywhere within Burp, and using the context menu to initiate a scan.
- Live scanning as you browse - You can configure the Scanner to automatically perform scans against requests passing through the Proxy as you are browsing the application.
Manual Scanning
From anywhere within Burp, you can select one or more HTTP requests or
URLs,
and send these to the Scanner to perform scans. Some examples of using this
technique are as follows:
- When you are exploring an application and manually intercepting requests through the Proxy, any time you see a request with interesting parameters, you can send it for scanning using the context menu.
- When you have mapped out an application's content and functionality, you can select the application host in the target site map, and initiate a scan against the whole application using the context menu.
- If instead you want to scan only selected parts of the application, you can select only certain branches in the site map, and use the context menu to scan just those items. Alternatively, you can define your target scope to include only specific directories and URLs, and select the "Remove out-of-scope items" option in the active scanning wizard.
- When you are manually probing an individual request for vulnerabilities in Burp Repeater, you can use the context menu to fire off an active scan against just that request. The active scan will check for the full range of input-based vulnerabilities, leaving you to focus on the types of vulnerabilities that only a human can detect, such as flaws in business logic or access control.
- When reviewing the results of an Intruder fuzzing attack, you might spot an unusual response that was triggered by changing one of the parameters in the base request, indicating that you have hit a new code path in the application. You can then send that result item for active scanning, so that the other request parameters are tested alongside the modified parameter value. This technique can often find difficult bugs that elude most scanners; for example, a cross-site scripting or SQL injection vulnerability in one parameter that only manifests when another parameter also carries a modified value.
Active Scanning Wizard
If you select multiple items and send these for
active scanning, Burp launches
a brief wizard that lets you fine-tune your selection. This enables you to
quickly select large branches of the site map, which typically contain some
items that you don't need to scan, and then remove the unnecessary items in
the scan wizard.
The wizard lets you choose whether to remove items with various features:
- Duplicate items in the selection (those with matching URL and
parameter names)
- Items that have already been scanned
- Out-of-scope items
- Items with no parameters
- Items with media (non-text) responses
- Items with specific file extensions
For each option, Burp shows the number of affected items where this is known. If some items have not yet been requested, then Burp will need to request these before it can determine which of them have media responses. If an option would result in none or all of the items being removed, then that option is unavailable.
The wizard then displays the full list of items that will be scanned. You
can double-click any item in the list to view full request and response
details. You can manually remove any further items that you do not wish to
scan.
The wizard then completes and the selected items are sent for scanning in
the usual way.
Live Scanning
Live scanning allows you to determine what gets scanned by stepping
through the target application using your browser, via Burp Proxy. You can
configure separate settings for live active scanning
and live passive scanning.
Live Active Scanning
To perform live active scanning,
carry out the following steps:
- Configure the live active scanning settings with the details of the targets you want to actively scan. If you have already configured a suite-wide target scope for your current work, then you can simply tell Burp to actively scan every request that falls within that scope. Alternatively, you can define a custom scope using URL matching rules. Because every in-scope request will be queued, exclude from that scope any functions you do not want exercised with attack payloads, such as logout, account deletion or other state-changing actions.
- Browse around the application in the usual way via Burp Proxy. This will effectively show Burp which application functions you want to scan. For each unique in-scope request that you make via your browser, Burp will queue the request for active scanning, and will work away in the background to find vulnerabilities for you.
Note: Live active scanning ignores requests for media resources (images, etc.) where the request does not contain any non-cookie parameters. Requests like these are virtually always for static resources that have no security significance, and so can safely be ignored by the Scanner. (This does not apply to manual scanning: if you manually select these items and send them for active scanning, then they will of course be scanned in the normal way.)
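The wizard's filtering options described above and the media-resource rule in the note can be modelled in a few dozen lines. The Python below is an added example written for this page, not Burp's own code: it parses a handful of constructed raw requests, works out which items each wizard option would remove (duplicates, already scanned, out of scope, no parameters, media responses, file extensions), reports which options the wizard would make unavailable, applies the enabled options together, and applies the live active scanning rule. All names (`Item`, `run_wizard`, `live_active_should_queue`, the `shop.example` and `cdn.example` hosts) are hypothetical, and three details are assumptions rather than documented Burp behaviour: duplicates are keyed on scheme, host, path and parameter names; scope is modelled as include and exclude URL prefixes; and a media resource is recognised for the live rule by its path extension, while the wizard uses the response Content-Type.

```python
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qsl

# Added example modelling Burp's scan-wizard filters; hypothetical names, not Burp's code.
@dataclass(frozen=True)
class Item:
    url: str                  # absolute request URL, query string included
    params: frozenset         # all parameter names: query, URL-encoded body and cookies
    cookie_params: frozenset  # the subset that came from the Cookie header
    content_type: str | None = None  # response Content-Type; None = not yet requested
    scanned: bool = False     # already sent to the Scanner

MEDIA_TYPES = ("image/", "audio/", "video/", "font/")
MEDIA_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".ico", ".svg", ".woff", ".mp4")

def parse_request(raw: str, https=True, content_type=None, scanned=False) -> Item:
    """Build an Item from a raw HTTP/1.1 request: request line, headers, blank line, body."""
    head, _, body = raw.strip("\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    _method, target, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = f"{'https' if https else 'http'}://{headers['host']}{target}"
    names = {n for n, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)}
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        names |= {n for n, _ in parse_qsl(body, keep_blank_values=True)}
    cookies = {c.split("=", 1)[0].strip() for c in headers.get("cookie", "").split(";") if c.strip()}
    return Item(url, frozenset(names | cookies), frozenset(cookies), content_type, scanned)

def extension_of(item: Item) -> str:
    last = urlsplit(item.url).path.rsplit("/", 1)[-1]
    return last[last.rfind("."):].lower() if "." in last else ""

def in_scope(item: Item, scope) -> bool:
    """scope = (include_prefixes, exclude_prefixes); an exclude prefix wins (assumption)."""
    include, exclude = scope
    return any(item.url.startswith(p) for p in include) and not any(item.url.startswith(p) for p in exclude)

def is_media_response(item: Item) -> bool:
    # None means Burp has not requested it yet and would fetch it first; the model keeps it.
    return item.content_type is not None and item.content_type.lower().startswith(MEDIA_TYPES)

def dedupe_key(item: Item):
    u = urlsplit(item.url)
    return (u.scheme, u.netloc, u.path, item.params)  # URL without query + parameter names (assumption)

def wizard_removals(items, scope, extensions=()):
    """For each wizard option, the indexes of the items it would remove."""
    seen, dups = set(), set()
    for i, it in enumerate(items):
        if dedupe_key(it) in seen:
            dups.add(i)
        seen.add(dedupe_key(it))
    return {
        "duplicates": dups,
        "already_scanned": {i for i, it in enumerate(items) if it.scanned},
        "out_of_scope": {i for i, it in enumerate(items) if not in_scope(it, scope)},
        "no_parameters": {i for i, it in enumerate(items) if not it.params},
        "media_responses": {i for i, it in enumerate(items) if is_media_response(it)},
        "extensions": {i for i, it in enumerate(items) if extension_of(it) in extensions},
    }

def wizard_options(items, scope, extensions=()):
    """Option -> affected count, or None where the wizard makes the option unavailable
    because it would remove none or all of the selected items."""
    n = len(items)
    return {name: (len(idx) if 0 < len(idx) < n else None)
            for name, idx in wizard_removals(items, scope, extensions).items()}

def run_wizard(items, scope, enabled, extensions=()):
    """Apply the enabled options together; return the items that will be scanned."""
    removals = wizard_removals(items, scope, extensions)
    drop = set().union(*(removals[o] for o in enabled)) if enabled else set()
    return [it for i, it in enumerate(items) if i not in drop]

def live_active_should_queue(item: Item, scope) -> bool:
    """Live active scanning: queue every in-scope request except a media resource
    (judged here by path extension, an assumption) with no non-cookie parameters."""
    if not in_scope(item, scope):
        return False
    return not (extension_of(item) in MEDIA_EXTS and not (item.params - item.cookie_params))

# Constructed sample traffic (not captured from a real target); the hosts are hypothetical.
SCOPE = (["https://shop.example/"], ["https://shop.example/static/"])
SAMPLE = [
    parse_request("GET /login?user=admin&next=/account HTTP/1.1\nHost: shop.example\nCookie: session=abc", content_type="text/html"),
    parse_request("GET /login?user=bob&next=/ HTTP/1.1\nHost: shop.example\nCookie: session=abc", content_type="text/html"),  # duplicate of the first
    parse_request("POST /account/update HTTP/1.1\nHost: shop.example\nContent-Type: application/x-www-form-urlencoded\nCookie: session=abc\n\nemail=a%40b.test&name=A", content_type="text/html", scanned=True),
    parse_request("GET /static/logo.png HTTP/1.1\nHost: shop.example", content_type="image/png"),
    parse_request("GET /about HTTP/1.1\nHost: shop.example", content_type="text/html"),
    parse_request("GET /image?id=7 HTTP/1.1\nHost: shop.example\nCookie: session=abc", content_type="image/jpeg"),
    parse_request("GET /app.js HTTP/1.1\nHost: cdn.example", content_type="application/javascript"),
    parse_request("GET /avatar.png?size=64 HTTP/1.1\nHost: shop.example\nCookie: session=abc"),  # response not yet seen
    parse_request("GET /logo.png HTTP/1.1\nHost: shop.example\nCookie: session=abc", content_type="image/png"),
]
```

Calling `wizard_options(SAMPLE, SCOPE, extensions=(".js",))` reports how many of the nine sample items each option would remove, and `run_wizard(SAMPLE, SCOPE, ("duplicates", "already_scanned", "out_of_scope", "no_parameters", "media_responses"))` leaves only the first `/login` request and the `/avatar.png?size=64` request, which is kept because its response has not been seen yet. The same `/avatar.png?size=64` request is queued by `live_active_should_queue` because `size` is a non-cookie parameter, whereas `/logo.png` with only a session cookie is skipped, as the note above describes.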
Live Passive Scanning
To perform live passive scanning,
carry out the following steps:
- Configure the live passive scanning settings with the details of the targets you want to passively scan. By default, Burp performs passive scanning of all requests, but you can restrict this to the suite-wide target scope, or to a custom scope using URL matching rules. Passive scanning only analyzes the requests and responses that already pass through Burp and sends no additional requests of its own, so leaving it enabled for all traffic generates no extra traffic to the target.
- Browse around the application in the usual way via Burp Proxy. This will effectively show Burp which application functions you want to scan.