burp setting
I use Burp Professional. I click new scan task, and it asks me to define crawling and auditing parameters. I use the default settings, but I can't find XSS and CSRF. Do any parameters need to be changed in the audit settings so we can discover CSRF and stored XSS?
Hi, once the site has been crawled, the audit phase then scans and detects potential vulnerabilities. All issue types including CSRF & XSS (Stored) are enabled by default so it should work out of the box.
Have you verified manually that those vulnerabilities are present in your target application?
You can ensure that Burp Scanner attempts all available insertion points it encounters and payloads available by changing the following settings in the audit configuration:
- Audit Speed: Thorough
- Skip checks unlikely to be effective due to insertion point’s base value: Disabled
- Issues Reported: All types enabled.
- Insertion Point Types: All types enabled.
- Frequently Occurring Insertion Points: All disabled.
Whether or not Burp can detect them is based on the vulnerabilities you have manually verified yourselves. Without an example, it would be difficult to investigate if Burp should be detecting them or not.