Run your first scan with Burp Suite Professional

Burp Scanner can be used as both a fully automated scanner and a powerful way to increase your manual testing workflow. The list of vulnerabilities Burp Scanner can detect continues to grow. We work closely with our world-class research team to ensure they stay up to date with the latest techniques to find both classic bugs and newly discovered vulnerabilities.

There are two phases to website analysis:

• Search for content and features: Burp Scanner first navigates around the target site, closely mirroring the behavior of actual users. It lists the structure and content of the site, as well as the paths used to navigate through it, in order to build a complete map of the site.
• Vulnerability audit: The audit phase of a scan involves analyzing the behavior of the website to identify security vulnerabilities and other issues. Burp Scanner uses a wide range of techniques to provide accurate, high coverage target auditing.

Scanning a Website

In this section, you will learn how to run your first automated vulnerability scan.

Step 1: Open the scan launcher

Go to Dashboard tab and select New scan.

The Scan launcher the dialog box opens. This is where you can adjust various parameters to control the behavior of Burp Scanner.

Step 2: Enter the URL of the target site

In the URL to analyze field, enter portswigger-labs.net. Leave all other settings at their defaults for now.

Step 3: Start the scan

Click on Okay to start the analysis. Burp Scanner will start crawling from the URL you entered in the previous step.

Note that a new task has been added to the Dashboard to represent this scan. This displays some key information, such as the phase of the scan being performed, the number of requests sent, etc.

Step 4: see the crawl in action

Go to Target> Site map tab and note the new entry for portswigger-labs.net. Expand this node to see all of the content that the crawler has managed to discover so far. If you wait a few seconds, you will see the map update in real time.

Step 5: View identified issues

Monitor the status of the scan in the dashboard. After a minute or two, the crawl will complete and Burp Scanner will begin to audit for vulnerabilities. As it finds problems, these will be displayed in the
Issuing activity panel on the Dashboard tongue.

If you select an issue, you may see a Advisory tab, which contains key information about the type of problem, including a detailed description and resolution tips. Next to this are several tabs that provide evidence that Burp Scanner has found for this issue. This is typically a Request and Reply but will differ depending on the type of problem.

Generating a report

In this section, you will learn how to generate a report based on the results of your analysis.

Step 1: Select the relevant issues

Go to Target> Site map tab, right-click the entry to https://portswigger-labs.net, and select Issues> Report issues for this host.

Step 2: Configure Report Options

A wizard walks you through various options, such as which file format to use, how much detail to include, etc. For now, just click Next to accept the defaults until you are prompted to enter a file name and location for the report.

Step 3: Generate and Save the Report

Click on Choose the folder and choose a location where you want to save the report. Enter a name for the file.

Click on to safeguard then Next to generate the report.

Step 4: View and share your report

Open the report in your browser to see what it contains. This is useful for reporting the results of your analyzes to your colleagues or clients.

You have just performed your first analysis using Burp Suite and generated a report of your results.

In this tutorial

1. Initial setup
2. Intercepting HTTP traffic with Burp Proxy
3. Manually resubmit requests with Burp Repeater
4. Run your first scan