The web vulnerability scanner behind Burp Suite's popularity has more to it than most. Burp Scanner uses PortSwigger's world-leading research to help its users find a wide range of vulnerabilities in web applications, automatically.
The advanced crawling algorithm used by Burp Scanner builds up a profile of its target in a similar way to a tester. It's designed to handle dynamic content, unstable internet connections, and the vast scale of modern web applications. This means far fewer failed scans - and more attack surface to exploit.
Burp Scanner saves a huge amount of time and wasted effort. The architecture of modern web applications can create sinkholes that will eat up requests if your web vulnerability scanner isn't prepared. Burp Scanner uses location fingerprinting techniques to identify these areas - dramatically cutting down the number of requests made while testing.
PortSwigger champions innovation. We pride ourselves on having the best security research team in the world. Burp Suite's creator wrote the book that educated a generation of pentesters. And because we regularly unearth new vulnerabilities (like HTTP desync attacks), Burp Scanner users are first to be protected against them - before hackers have a chance to strike.
In addition to receiving regular updates, Burp Scanner is capable of exposing a huge list of existing vulnerabilities in web applications. Scan checks can be selected individually or by group, and custom configurations can be saved. For example, a scan configuration could be created to report only vulnerabilities appearing in the OWASP Top 10.
Automated OAST (out-of-band application security testing) was pioneered by PortSwigger. Burp Collaborator identifies interactions between its target and an external server. This allows it to check for bugs invisible to conventional scanners - including asynchronous SQL injection and blind SSRF. Results then appear as standard in Burp Scanner's reports.
Burp Scanner utilizes a mixed methodology, designed with signal-to-noise ratio in mind. This maximizes coverage, while minimizing the number of false positives returned to the user. OAST testing in particular, produces an extremely low rate of false positives, while opening up new horizons in terms of the types of vulnerabilities it can find.
Sitting at the heart of both Burp Suite Professional and Burp Suite Enterprise Edition, Burp Scanner is available to suit the needs of both individual pentesters, and whole DevSecOps or security teams.
Automate Burp Scanner. Integrate with CI/CD and enable DevSecOps. Indefinite scalability.
Integrate Burp Scanner with manual pentesting workflows, apply custom scan checks, and much more.
Learn more about web vulnerability scanners. What they are, how they work, and what to look out for.