Research Academy
My account Customers About Blog Careers Legal Contact Resellers
  1. Web Security Academy
  2. Essential skills
  3. Using Burp Scanner during manual testing

Using Burp Scanner during manual testing

In this section, we'll show you a number of ways you can optimize your manual testing workflow by using Burp Scanner to supplement your own knowledge and intuition. Not only will this help you cover more ground, you'll be able to spend your time where it matters rather than on tedious preliminary work.

Scanning a specific request

When you come across an interesting function or behavior, your first instinct may be to send the relevant requests to Repeater or Intruder and investigate further. But it's often beneficial to hand the request to Burp Scanner as well. It can get to work on the more repetitive aspects of testing while you put your skills to better use elsewhere.

If you right-click on a request and select Do active scan, Burp Scanner will use its default configuration to audit only this request.

Do active scan

This may not catch every last vulnerability, but it could potentially flag things up in seconds that could otherwise have taken hours to find. It may also help you to rule out certain attacks almost immediately. You can still perform more targeted testing using Burp's manual tools, but you'll be able to focus your efforts on specific inputs and a narrower range of potential vulnerabilities.

Even if you already use Burp Scanner to run a general crawl and audit of new targets, switching to this more targeted approach to auditing can massively reduce your overall scan time.

LAB
PRACTITIONER Discovering vulnerabilities quickly with targeted scanning

Scanning custom insertion points

It's easy to see the benefits of limiting your scans to a single request, but you can take this a step further by only testing specific inputs within that request.

First, send the request to Burp Intruder. On the Positions tab, add payload positions to any insertion points you're interested in, then right-click and select Scan defined insertion points.

Scan defined insertion points

You can then configure and launch a scan that will place payloads in these positions only. This lets you focus on the inputs you're interested in rather than scanning a whole bunch of cookies that you know are unlikely to be of any use.

This is especially useful for testing an individual parameter that you want to take a closer look at. Although you can just define a single insertion point using Intruder, it's often quicker to use the Scan manual insertion point extension in this case. You can then highlight any sequence of characters within the request, typically a parameter value, and select Extensions > Scan manual insertion point from the context menu.

This approach can yield results incredibly quickly, giving you something to work with in just a couple of seconds. It also means you can choose to scan inputs that Burp Scanner normally doesn't use, such as custom header values.

Scanning non-standard data structures

As you're free to define insertion points in arbitrary positions, you can also target a specific substring within a value. Among other things, this can be useful for scanning non-standard data structures.

When dealing with common formats, such as JSON, Burp Scanner is able to parse the data and place payloads in the correct positions without breaking the structure. However, consider a parameter that looks something like this:

user=048857-carlos

Using our intuition, we can take a guess that this will be treated as two distinct values by the back-end: an ID of some kind and what appears to be a username, separated by a hyphen. However, Burp Scanner will treat this all as a single value. As a result, it will just place payloads at the end of the parameter, or replace the value entirely.

By manually defining an insertion point on each part of the value separately, you can accurately scan even non-standard data structures like this.

Scan non-standard data structures

In this topic

All topics

SQL injection XSS CSRF Clickjacking DOM-based CORS XXE SSRF Request smuggling Command injection Server-side template injection Insecure deserialization Directory traversal Access control Authentication OAuth authentication Business logic vulnerabilities Web cache poisoning HTTP Host header attacks WebSockets Information disclosure File upload vulnerabilities JWT attacks Essential skills Prototype pollution
Try Burp Suite for Free

Practice these skills using Burp Suite

Try for free

We’re going teetotal – It’s goodbye to The Daily Swig

02 March 2023 We’re going teetotal – It’s goodbye to The Daily Swig PortSwigger today announces that The Daily Swig is closing down

Bug Bounty Radar

The latest bug bounty programs for March 2023 28 February 2023 Bug Bounty Radar The latest bug bounty programs for March 2023

Indian gov flaws allowed creation of counterfeit driving licenses

28 February 2023 Indian gov flaws allowed creation of counterfeit driving licenses Armed with personal data fragments, a researcher could also access 185 million citizens’ PII

Password managers part II

A rough guide to enterprise secret platforms 27 February 2023 Password managers part II A rough guide to enterprise secret platforms

Register for free to track your learning progress

The benefits of working through PortSwigger's Web Security Academy

  • Practise exploiting vulnerabilities on realistic targets.

  • Record your progression from Apprentice to Expert.

  • See where you rank in our Hall of Fame.

Already got an account? Login here