Run your first scan with Burp Suite Professional
Burp Scanner can be used both as a fully automated scanner and as a powerful way to augment your manual testing workflow. The list of vulnerabilities Burp Scanner can detect continues to grow. We work closely with our world-class research team to ensure it stays up to date with the latest techniques for finding both classic bugs and newly discovered vulnerabilities.
There are two phases to scanning a website:
- Crawl for content and functionality: Burp Scanner first navigates around the target site, closely mirroring the behavior of real users. It catalogs the structure and content of the site, as well as the navigational paths used to move through it, in order to build a complete map of the site.
- Audit for vulnerabilities: The audit phase of a scan involves analyzing the behavior of the website to identify security vulnerabilities and other issues. Burp Scanner uses a wide range of techniques to provide accurate, high-coverage auditing of the target.
Note
Burp Scanner is only available with Burp Suite Professional. If you are using Burp Suite Community Edition, you will not be able to complete this tutorial.
Scanning a Website
In this section, you will learn how to run your first automated vulnerability scan.
Step 1: Open the scan launcher
Go to the Dashboard tab and select New scan.
The Scan launcher dialog box opens. This is where you can adjust various settings to control the behavior of Burp Scanner.
Step 2: Enter the URL of the target site
In the URLs to scan field, enter portswigger-labs.net. Leave all other settings at their defaults for now.
Note
Using Burp Scanner may have unexpected effects on some applications. Until you are fully familiar with its features and settings, you should only use Burp Scanner on non-production systems. Do not run crawls on third party websites unless you have been authorized to do so by the owner.
Step 3: Start the scan
Click OK to start the scan. Burp Scanner will start crawling from the URL you entered in the previous step.
Note that a new task has been added to the Dashboard to represent this scan. This displays some key information, such as the phase of the scan being performed, the number of requests sent, etc.
Step 4: See the crawl in action
Go to the Target > Site map tab and note the new entry for portswigger-labs.net. Expand this node to see all of the content that the crawler has discovered so far. If you wait a few seconds, you will see the map update in real time.
Step 5: View identified issues
Monitor the status of the scan in the Dashboard. After a minute or two, the crawl will complete and Burp Scanner will begin auditing for vulnerabilities. As it finds issues, they will be displayed in the Issue activity panel on the Dashboard tab.
If you select an issue, you will see an Advisory tab, which contains key information about the type of issue, including a detailed description and remediation advice. Next to this are several tabs that provide the evidence Burp Scanner found for the issue. This is typically a Request and Response, but it will vary depending on the type of issue.
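The same crawl-and-audit workflow can be driven without the GUI, which is how you would run this scan from a build pipeline and turn the Issue activity panel into a pass/fail gate. The script below is an added example, not PortSwigger's code. It assumes Burp Suite Professional's REST API is enabled (Settings > Suite > REST API) and listening on http://127.0.0.1:1337 with no API key, and that the `/v0.1/scan` endpoints and the `scan_status`, `issue_events`, `severity`, `confidence`, `origin` and `path` field names used here match your Burp version; `SAMPLE_SCAN` is a constructed response body so the summarising part can be run offline.

```python
"""Launch a Burp Scanner scan and summarise its findings without the GUI.

Added example; not PortSwigger's code. Assumes Burp Suite Professional's REST API
is enabled and listening on http://127.0.0.1:1337 with no API key, and that the
endpoint paths and JSON field names below match that API (verify against your
Burp version).
"""
import json
import time
import urllib.request
from collections import Counter

BURP_API = "http://127.0.0.1:1337/v0.1"       # assumed default REST API address
SEVERITY_ORDER = ("high", "medium", "low", "info")
FINISHED = {"succeeded", "failed", "paused"}   # assumed terminal scan_status values


def start_scan(target_url, api_base=BURP_API):
    """POST /scan with the target URL; the task id comes back in the Location header."""
    body = json.dumps({"urls": [target_url]}).encode()
    req = urllib.request.Request(
        f"{api_base}/scan", data=body, method="POST",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.headers["Location"].rstrip("/").rsplit("/", 1)[-1]


def get_scan(task_id, api_base=BURP_API):
    """GET /scan/{task_id}: status, request metrics and the issue events found so far."""
    with urllib.request.urlopen(f"{api_base}/scan/{task_id}") as resp:
        return json.load(resp)


def wait_for_scan(task_id, poll_seconds=10, api_base=BURP_API):
    """Poll until the crawl and audit phases finish (the Dashboard task, without the GUI)."""
    while True:
        scan = get_scan(task_id, api_base)
        if scan.get("scan_status") in FINISHED:
            return scan
        time.sleep(poll_seconds)


def summarize_issues(scan):
    """Deduplicate issue events and count them per severity, like the Issue activity panel."""
    seen = {}
    for event in scan.get("issue_events", []):
        if event.get("type") != "issue_found":
            continue
        issue = event["issue"]
        key = (issue["name"], issue["origin"], issue["path"], issue["severity"])
        # The same finding can be reported more than once; keep one entry per key.
        seen.setdefault(key, {
            "severity": issue["severity"],
            "confidence": issue["confidence"],
            "name": issue["name"],
            "url": issue["origin"] + issue["path"],
        })
    issues = sorted(seen.values(),
                    key=lambda i: (SEVERITY_ORDER.index(i["severity"]), i["name"]))
    counts = Counter(i["severity"] for i in issues)
    return {"counts": {s: counts.get(s, 0) for s in SEVERITY_ORDER}, "issues": issues}


def exceeds_threshold(summary, threshold="medium"):
    """True if any deduplicated issue is at or above the given severity (a simple CI gate)."""
    limit = SEVERITY_ORDER.index(threshold)
    return any(SEVERITY_ORDER.index(i["severity"]) <= limit for i in summary["issues"])


# Constructed sample of a GET /scan/{id} body, so summarize_issues() can be tried offline.
SAMPLE_SCAN = {
    "task_id": "7",
    "scan_status": "succeeded",
    "scan_metrics": {"crawl_requests_made": 412, "audit_requests_made": 9831},
    "issue_events": [
        {"id": 1, "type": "issue_found", "issue": {
            "name": "Cross-site scripting (reflected)", "severity": "high",
            "confidence": "certain", "origin": "https://portswigger-labs.net", "path": "/search"}},
        {"id": 2, "type": "issue_found", "issue": {   # duplicate of event 1
            "name": "Cross-site scripting (reflected)", "severity": "high",
            "confidence": "certain", "origin": "https://portswigger-labs.net", "path": "/search"}},
        {"id": 3, "type": "issue_found", "issue": {
            "name": "Strict transport security not enforced", "severity": "low",
            "confidence": "certain", "origin": "https://portswigger-labs.net", "path": "/"}},
        {"id": 4, "type": "issue_found", "issue": {
            "name": "Email addresses disclosed", "severity": "info",
            "confidence": "certain", "origin": "https://portswigger-labs.net", "path": "/contact"}},
    ],
}


if __name__ == "__main__":
    summary = summarize_issues(SAMPLE_SCAN)
    for issue in summary["issues"]:
        print(f'{issue["severity"]:<6} {issue["confidence"]:<9} {issue["name"]}  {issue["url"]}')
    print(summary["counts"])
    # Against a live Burp instance instead (only on systems you are authorized to scan):
    # summary = summarize_issues(wait_for_scan(start_scan("https://portswigger-labs.net")))
```

Run as-is it only summarises the constructed sample; uncomment the last line to launch a real scan. Deduplication matters because Burp can emit more than one event for the same finding, so counting raw events would overstate the result, and the threshold check is where a pipeline would fail the build.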
Generating a report
In this section, you will learn how to generate a report based on the results of your scan.
Step 1: Select the relevant issues
Go to the Target > Site map tab, right-click the entry for https://portswigger-labs.net, and select Issues > Report issues for this host.
Step 2: Configure report options
A wizard walks you through various options, such as which file format to use, how much detail to include, etc. For now, just click Next to accept the defaults until you are prompted to enter a file name and location for the report.
Step 3: Generate and save the report
Click Select folder and choose a location where you want to save the report. Enter a name for the file.
Note
You must include the appropriate file extension, in this case .html.
Click Save, then Next to generate the report.
Step 4: View and share your report
Open the report in your browser to see what it contains. This is useful for reporting the results of your scans to your colleagues or clients.
You have just performed your first scan using Burp Suite and generated a report of your results.