Getting Started With Burp Scanner
Burp Scanner is a tool for performing automated vulnerability scans of web applications. You can use Burp Scanner alongside your manual testing methodology to quickly identify many types of common vulnerabilities, leaving you to focus on issues that require human intelligence and ingenuity to discover.
Before You Start
- Ensure that Burp is installed and running, and that you have configured your browser to work with Burp.
- If you have not done so already, browse around some of your target application, to populate Burp's Target site map with details of the application's contents and functionality. Before doing so, to speed things up, go to the Proxy tab, then the Intercept sub-tab, and turn off Proxy interception (if the button says "Intercept is on" then click it to toggle the interception status to off).
Note: Using Burp Scanner may result in unexpected effects in some applications. Until you are fully familiar with its functionality and settings, you should only use Burp Scanner against non-production systems.
As you browse, by default Burp Scanner performs passive scanning of all requests and responses passing through the Proxy. Passive scanning involves analyzing these HTTP messages for evidence of certain types of vulnerabilities, and does not send any additional requests to the server. Go to the "Target" tab, and the "Site map" sub-tab, and review any passive issues that Burp has reported for the applications you have visited.
To find many other types of vulnerabilities, Burp performs active scanning, and this does involve sending additional requests to the application to probe for vulnerabilities.
Note: You should only perform active scanning against systems that you are authorized to test in this way. Only proceed to the following steps if you have a suitable target application that you are authorized to scan.
Scanning a Single Item
Go to the Proxy "HTTP History", and find an interesting-looking request to your target application, containing a number of parameters. Select this single request, and choose "Do an active scan" from the context menu. Unless you have already configured your target scope, Burp will prompt you to confirm. Assuming the request is one you are willing to scan, click "Yes".
Go to the "Scanner" tab, and the "Scan queue" sub-tab. The item you sent for scanning now appears in the scan queue, showing key details about the item, and Burp's progress in scanning it. You can double-click the item to view any issues that Burp has identified, and also review the base request and response (this is the original request that you sent to be scanned, and its associated response). Any issues identified will also be consolidated and added to the main Scanner "Results" tab.
Scanning Multiple Items
Go to the Target "Site map", and in the tree view select a small branch that you are willing to scan, containing more than one URL. Select "Actively scan this branch" from the context menu.
Burp will show a wizard that lets you fine-tune your selection, by removing specific items or all items with certain characteristics. For the moment, click through the wizard. Again, if the items are out of scope, Burp may ask you to confirm the action.
Go back to the "Scan queue" tab, and note that all of the items you selected have been added to the queue and are in the process of being scanned. Depending on the number of items and their characteristics, this scanning may take a while.
Live Scanning as you Browse
If you have not already done so, define the target scope for the application you are testing. The simplest way to do this is to select the branch of the site map that contains the application, and choose "Add to scope" from the context menu. Do this with caution, because items added to the scope will be automatically scanned in later steps of this article.
Go to your browser, and continue browsing the application, making a few more requests. Go back to the "Scan queue" tab, and observe that additional items are added to the queue as you browse. You can use this feature to perform automatic scanning of specific application functions, by using your browser to guide Burp as to what should be scanned.
Go to the Target "Site map" tab, and browse around the results that have been generated so far. You can select parts of the tree view to see only the issues for the selected branches, or you can select the whole tree to see all issues. Note that in the list view, issues of the same type may be consolidated into a single entry, and you can expand this entry to see all instances of the issue.
Select a specific instance of an issue, and look at the advisory for that issue. This contains details of the vulnerability and its remediation (where relevant) and is fully customized with details of the behavior that was observed in the target application. You can also review the request and response upon which each reported issue was based, with particular parts of these HTTP messages highlighted where relevant.
View the request that is reported for an individual issue, and open the context menu. Choose "Send to Repeater", and go to the Repeater tab. You will see the selected request has been copied into the Repeater tool, for further testing. For more details on sending items between Burp tools, and the overall testing workflow, see Using Burp Suite.
Go back to the Target "Site Map" tab. Burp automatically assigns each scan issue a rating for severity and confidence. The severity rating reflects the impact that this type of issue typically has. The confidence rating reflects how confident Burp is that the reported issue is genuine, based on the technique Burp used to detect the issue and the strength of the observed evidence. You can use the context menu on selected issues to manually reassign the severity and confidence ratings, or to flag issues as false positives.
In the "Results" tab, select the host for your target application, and choose "Report selected issues" from the context menu. This opens a reporting wizard that lets you configure various aspects of the report. Complete the reporting wizard and view the saved report.