Using Burp Scanner
Burp Scanner is a tool for automatically finding security vulnerabilities in web applications. It is designed to be used by security testers, and to fit in closely with your existing techniques and methodologies for performing manual and semi-automated penetration tests of web applications.
Note: Using Burp Scanner may result in unexpected effects in some applications. Until you are fully familiar with its functionality and settings, you should only use Burp Scanner against non-production systems.
Burp's Scanning Paradigm
With most web scanners, you provide a start URL for the application, click "Go", and watch a progress bar update until the scan is finished and a report is produced. This scanning model has significant limitations, which lead to incomplete coverage, missed vulnerabilities, and misdirected effort. (The most notable problems are: crawler limitations due to changing client-side technologies, inability to interoperate with the complex stateful nature of today's applications, failure to supply suitable input to complete multi-stage processes, problems working with authentication and session handling mechanisms, and many others.)
Now, if you really want to use Burp like a conventional scanner, with all the limitations that this involves, please refer to Using Burp as a point-and-click scanner, but this isn't recommended.
Burp's preferred approach to scanning employs a different, user-driven paradigm. This gives you fine-grained control over each request that gets scanned, and direct feedback about the results. This approach helps to avoid many of the technical challenges faced by conventional scanners. You can guide the scanner using your browser to ensure that no key areas of functionality are missed. You can directly scan the actual requests generated by the application, containing data with the correct content and format that the application requires. With full control over what gets scanned, you can avoid dangerous functionality, recognize duplicated functionality, and step through any input validation requirements that a fully automated scanner might struggle with. Furthermore, because you have direct feedback about the scanner's activity, you can ensure that problems with authentication and session handling are avoided and that issues caused by multistage processes and stateful functions are handled properly. By using a scanner in this way, you can cover an important range of vulnerabilities whose detection can be automated. This will free you to look for other types of vulnerabilities that require human intelligence and experience to uncover.
Passive Scanning Mode
Burp Scanner can operate in a purely passive mode. Here, the Scanner doesn't send any new requests of its own. It merely analyzes the contents of existing requests and responses, and deduces vulnerabilities from those. Many types of security vulnerabilities can be detected using only passive techniques.
By default, Burp carries out passive scanning of all traffic passing through Burp Proxy. After you have configured your target scope, you might want to reconfigure the live passive scanning settings, so that only in-scope items are passively scanned. This will prevent the Results tab from accumulating passive scan issues for targets you are not interested in.
Active Scanning Mode
In the active scanning mode, Burp sends various crafted requests to the application, and analyzes the resulting responses looking for evidence of vulnerabilities. Active Scanning is capable of identifying a much wider range of vulnerabilities, and is essential when performing a comprehensive test of an application.
You can initiate scans in two different ways: manual scanning and live scanning as you browse.
In manual scanning, you select requests in other Burp tools (or entire branches of the Target site map), and use the context menu to initiate active scans against them.
In live scanning as you browse, you configure the Scanner to automatically perform active scans against all in-scope requests passing through the Proxy as you are browsing the application. In a typical test, you might want to combine these active scanning methods for different parts of the application, as described in the following steps.
When stepping through the application and manually reviewing requests as these are intercepted in Burp Proxy, when you see a request containing interesting parameters, you might carry out an active scan of just that request, to get some quick feedback about any vulnerabilities.
If you want to scan all of the requests in a particular functional path through the application (for example, a multi-stage process, or all of the links on a particular page), you can enable live active scanning and manually browse through the relevant application functions. Burp will then queue each resulting in-scope request to be actively scanned.
After mapping the target application and analyzing its attack surface, you might identify particular parts of the site map as containing the most interesting or critical functions. You can select one or more branches of the site map.
You can then use the context menu to initiate active scans against them.
When you do this, an active scan wizard will let you review and consolidate the requests you want to scan, to avoid any redundant effort.
Note: As a general rule, scanning whole branches of the site map is most suitable for discrete application functions that do not involve multi-stage processes, complex state, or session handling. Where these features are present, manual scanning of individual requests or carefully targeted live scanning is generally more effective.
The active scan queue
Items that are sent for active scanning are added to the active scan queue, which displays the status of each item and the number of issues found. You can monitor the progress of your scanning, and use the context menu to cancel or re-prioritize individual items. Based on the performance of your scanning, you can also choose to modify various settings, including the configuration of the scan engine and scan insertion points.
Tip: Burp's user-driven approach to vulnerability scanning brings a number of benefits to the penetration tester:
- Being able to perform quick and reliable scans on a per-request basis can hugely reduce your testing effort, enabling you to direct your human expertise towards vulnerabilities whose detection cannot be reliably automated.
- By selecting individual requests or site map branches for scanning, you can prioritize specific areas of functionality that appear to be the most promising or critical to test.
- Results from each type of scan are displayed immediately, and can directly inform your other testing actions in relation to the individual requests involved.
- Burp avoids a frustrating problem with other scanners, in which a monolithic automated scan takes an age to complete, with little assurance over whether the scan has worked, or whether it encountered problems that impacted on its effectiveness.
By controlling exactly what gets scanned, and by monitoring in real time both the scan results and the wider effects on the application, Burp Scanner lets you combine the virtues of reliable automation with intuitive human intelligence.
Reviewing Scan Results
All results generated by Burp Scanner are shown in the Target "Site map" tab.
Each scan result contains a detailed advisory, often with customized details relevant to the specific vulnerability and appropriate remediation. Each result also includes the full requests and responses that were the basis for reporting the issue, with relevant portions highlighted. You can pass these requests to other Burp tools in the usual way, to verify issues or carry out further tests.
The results for each individual request that was actively scanned can also be viewed by double-clicking items in the active scan queue.
You can generate formal scan reports of your findings, in HTML or XML formats. To generate a report, select the required issues in the Target "Site map" tab, and choose "Report selected issues" from the context menu. A reporting wizard will run letting you configure various details of the report.