Using Burp As a Point-and-Click Scanner
Note: Like any other vulnerability scanner, using Burp may result in unexpected
effects in some applications. Until you are fully familiar with its
functionality and settings, you should only use Burp against
non-production systems.
This help section describes how to use Burp as a conventional
point-and-click web scanner. In this usage, Burp's actions are entirely
automated without any user guidance. This is the model used by other web
scanners, and it is subject to significant limitations. Fully automated
crawling of today's applications is problematic due to rapidly changing
client-side technologies and frameworks, highly stateful application
functionality, and complex session handling mechanisms. Fully automated
scanning of the crawled attack surface is similarly impaired by the failure
to take account of application state and session handling while the scanning
is under way. Very often, both crawling and scanning fail to work properly,
in ways that are not readily apparent to the user of the automated scanner.
Further, of course, there are many categories of critical bugs that can only
be found through human understanding and experience. For these reasons,
fully automated testing by any scanner will provide incomplete coverage.
This shortcoming in conventional scanners is a key reason why Burp Scanner
was designed to fit neatly into a user-driven testing workflow, with
fine-grained human control over its actions, and real-time feedback about
its performance. Nonetheless, if you want to use Burp as a point-and-click
scanner, you can do so with the steps described below.
1. First, ensure that Burp is installed and running. If you have already done any work using the current instance of Burp, then close it down and start a clean instance.
2. Go to the Burp menu and choose "Restore defaults" for all options.
3. Go to the Spider tab, then the Options sub-tab, and scroll down to the "Application login" section. If the application you are scanning uses authentication, and you have login details for the application, then select "Automatically submit these credentials", and enter your username and password in the boxes. If you do not have any login details, then select "Handle as ordinary forms".
4. Have you already configured your browser to work with Burp?
   - If Yes, then carry out these steps: Go to the Proxy tab, then the Intercept sub-tab, and turn off Proxy interception (if the button says "Intercept is on" then click it to toggle the interception status to off). Then go to your browser, and visit the start URL for the application you are scanning.
   - If No, and you are not comfortable changing your browser settings, then carry out these steps: Copy to the clipboard the start URL for the application you are scanning. Then go to the Repeater tab, right-click on the request panel to open the context menu, and select "Paste URL as request". Then open the same context menu again, and select "Add to site map".
5. If the application uses both HTTP and HTTPS (which is generally the case), then repeat step 4 using both protocols in the URL.
6. In Burp, go to the Target tab, and the Site map sub-tab. You should see one or more entries showing domain names. Select the domain name for your target application, right-click to open the context menu, and select "Expand branch". This will expand the tree showing the structure of the website that Burp has been able to discover from step 4.
7. Within the expanded tree, select the location of the application, based on the URL you used in step 4. In many cases, this will be the top-level domain itself (e.g. http://example.org) and in other cases will be a folder beneath the domain name (e.g. http://example.org/banking/app). Select the relevant location, right-click to open the context menu, and choose "Spider this host / branch". Burp may then prompt to say that the selected item is outside the current spidering scope, and ask whether you would like to modify the scope to include the items. Click "Yes".
8. If the application uses both HTTP and HTTPS, then repeat steps 6 and 7 for both protocols.
9. Go to the Spider tab, and the Control sub-tab. The "Spider status" section shows Burp's progress as it crawls the application's content and functionality. Wait until "Requests queued" and "Forms queued" both show zero items remaining. For large or slow applications, this may take some time.
10. When the spidering is completed, go back to the Target tab, and the Site map sub-tab. The site map may now contain considerably more content, which has been discovered by the spidering process. Select again the location of the application (as per step 7), right-click to open the context menu, and choose "Actively scan this host / branch". Burp will then open a wizard. On the first screen of the wizard, if the box "Remove out-of-scope items" is available (not grayed out), then check this box. Click "Next" and "OK" to complete the wizard.
11. If the application uses both HTTP and HTTPS, then repeat step 10 for both protocols.
12. Go to the Scanner tab, and the Scan queue sub-tab. The scan queue shows all of the items that are queued to be scanned. You can monitor Burp's progress as it scans these, and the numbers of issues found. When all of the items in the scan queue have been processed, the scan is completed.
13. In the Target tool, go to the Site map sub-tab, and find the Issues view. This contains all of the scan results that Burp has identified. As you select one or more nodes in the application tree, Burp shows a list of all the issues that were identified for the selected branch(es). You can select an individual issue to view the details, including a customized issue advisory, and the requests and responses that Burp used as the basis for reporting the issue. Note that in the list view of issues, issues of the same type may be consolidated into a single entry, and you can expand this entry to see all instances of the issue.
14. To generate a report of your scanning, collapse the tree view of the application's contents. Then select the top-level domain entry for the application. If the application uses both HTTP and HTTPS, then select both items (you can hold down the SHIFT key to select more than one item). Then right-click to show the context menu, and select "Report selected issues". This opens a wizard that lets you configure details of the report. Choose one of the HTML-based reporting formats, and click through the wizard. You can leave all default settings unmodified, and finally specify a location on your computer where you want to save the report. When the report has been saved, you can go to this location and open the HTML report to view it in your browser.
15. If you wish, you can save Burp's current state so that you can reload all of the current information back into the Target site map at a later time. To do this, go to the Burp menu, and choose "Save state". Click through the wizard and specify a location on your computer where you want to save the state file. You can later restore this state into another instance of Burp, by choosing "Restore state" from the Burp menu.
16. When you have finished your work, it is recommended that you restore default settings for all options, using the Burp menu. Then exit Burp cleanly by selecting "Exit" from the Burp menu.
Release notes, Wednesday, January 27, 2016: Burp 1.6.36
This release adds a new scan check for client-side template injection.
It is very common for applications that use AngularJS to incorporate user input into HTML responses within the client-side template. AngularJS has a long history of sandbox escapes that permit execution of arbitrary JavaScript via template expressions. Hence, when user input is echoed within AngularJS templates, it is frequently possible to perform XSS attacks using minimal syntax that is not usually sufficient to perform XSS, and so not blocked by input filters.
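As an added illustration of the release note's point (example code written for this page, not PortSwigger's or AngularJS's own): standard HTML encoding leaves the `{{ }}` interpolation syntax intact, so an input filter that only encodes markup does not stop template injection when the encoded value lands inside an AngularJS-bound subtree; marking the region `ng-non-bindable` does. The rendering functions and the regression check are hypothetical, and the probe is a harmless arithmetic expression constructed here.

```javascript
// Why HTML-encoding alone does not stop client-side template injection in an
// AngularJS page, and one way to fix it. Names below are hypothetical.

// Standard HTML encoder: neutralises markup, but leaves "{{" and "}}" untouched,
// because braces are not HTML metacharacters.
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable pattern: user input is echoed inside the ng-app subtree.
// AngularJS interpolates the rendered text, so "{{...}}" in `name` still runs
// even though every HTML metacharacter was encoded.
function renderGreeting(name) {
  return `<div ng-app>Hello ${htmlEncode(name)}</div>`;
}

// Hardened pattern: ng-non-bindable tells AngularJS to skip this subtree,
// so its text is never treated as a template expression.
function renderGreetingSafe(name) {
  return `<div ng-app>Hello <span ng-non-bindable>${htmlEncode(name)}</span></div>`;
}

// Regression check (constructed here, not Burp's scan logic): does the
// response declare an Angular app and contain an interpolation marker in a
// region AngularJS will still bind? Strips ng-non-bindable subtrees first.
function hasUnboundInterpolation(html) {
  const bound = html.replace(
    /<([a-z]+)[^>]*\bng-non-bindable\b[^>]*>[\s\S]*?<\/\1>/gi, '');
  return /\bng-app\b/.test(html) && /\{\{[\s\S]*?\}\}/.test(bound);
}

// Constructed probe: plain arithmetic, enough to show interpolation happens.
const probe = '{{1+1}}';
```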