Run your first scan with Burp Suite Professional


Burp Scanner can be used both as a fully automated scanner and as a way to augment your manual testing workflow. The list of vulnerabilities Burp Scanner can detect continues to grow. We work closely with our world-class research team to make sure it stays up to date with the latest techniques for finding both classic bugs and newly discovered vulnerability classes.

A scan has two phases:

  • Crawl for content and functionality: Burp Scanner first navigates around the target site, closely mirroring the behavior of real users. It catalogs the structure and content of the site, and the navigational paths between them, in order to build a complete map of the site.
  • Audit for vulnerabilities: The audit phase analyzes the behavior of the website to identify security vulnerabilities and other issues. Burp Scanner uses a wide range of techniques to provide accurate, high-coverage auditing of the target.

Note

Burp Scanner is only available with Burp Suite Professional. If you are using Burp Suite Community Edition, you will not be able to complete this tutorial.

Scanning a website

In this section, you will learn how to run your first automated vulnerability scan.

Step 1: Open the scan launcher

Go to the Dashboard tab and select New scan.

The Scan launcher dialog opens. This is where you can adjust various settings to control the behavior of Burp Scanner.

Step 2: Enter the URL of the target site

In the URLs to scan field, enter portswigger-labs.net. Leave all other settings at their defaults for now.

Setting the URL in the Scan Launcher

Note

Using Burp Scanner may have unexpected effects on some applications. Until you are fully familiar with its features and settings, you should only use Burp Scanner against non-production systems. Do not run scans against third-party websites unless you have been authorized to do so by the owner.

Step 3: Start the scan

Click OK to start the scan. Burp Scanner begins crawling from the URL you entered in the previous step.

Note that a new task has been added to the Dashboard to represent this scan. It displays key information such as the phase of the scan currently being performed, the number of requests sent, and so on.

Display of the scan in the dashboard

Step 4: See the crawl in action

Go to the Target > Site map tab and note the new entry for portswigger-labs.net. Expand this node to see all of the content that the crawler has discovered so far. If you wait a few seconds, you will see the map update in real time.

Display of the site map during the crawl

Step 5: View identified issues

Monitor the status of the scan in the dashboard. After a minute or two, the crawl will complete and Burp Scanner will begin auditing for vulnerabilities. As it finds issues, they are displayed in the Issue activity panel on the Dashboard tab.

Viewing issue details

If you select an issue, you will see an Advisory tab, which contains key information about the type of issue, including a detailed description and remediation advice. Next to it are several tabs that provide the evidence Burp Scanner has gathered for this issue. This is typically a Request and a Response, but it varies depending on the type of issue.
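Burp Suite Professional also exposes the scan launcher through its REST API, so the five steps above can be scripted once you have enabled the REST API in Burp's settings. The script below is an added example and not PortSwigger's code. It assumes the defaults documented in Burp's API reference (served at the REST API address once it is enabled): the API listens on http://127.0.0.1:1337, POST /v0.1/scan with a JSON body of the form {"urls": [...]} starts a scan and returns the task id in the Location header, and GET /v0.1/scan/<task_id> returns a JSON status document with "scan_status" and "issue_events". The ALLOWED_HOSTS check is the script-level counterpart of the note above about not scanning hosts you are not authorized to test; the SAMPLE_STATUS document is constructed to show the expected shape and is not output from a real scan.

```python
"""Scripted version of the scan walkthrough above, against Burp Suite Professional's REST API.
Added example, not PortSwigger's code. Assumptions (check them against the API
documentation Burp serves at the REST API address once it is enabled):
  * the REST API listens on http://127.0.0.1:1337 with no API key configured
  * POST /v0.1/scan with a JSON body {"urls": [...]} starts a scan and answers
    201 Created with the new task id in the Location header
  * GET /v0.1/scan/<task_id> returns JSON with "scan_status" and "issue_events"
"""
import json
import time
import urllib.request
from collections import Counter
from urllib.parse import urlsplit

BURP_API = "http://127.0.0.1:1337"  # default REST API address (assumption)
API_KEY = ""                        # fill in if you configured a key in Burp (assumption)

# Only hosts you are authorized to test. Burp itself will scan anything you
# give it; this check is the script-level version of the note in the tutorial.
ALLOWED_HOSTS = {"portswigger-labs.net"}

# Status values treated as the end of a scan (assumption about the API's vocabulary).
TERMINAL_STATES = {"succeeded", "failed"}


def api_url(path):
    """Build an endpoint URL; when a key is set, Burp expects it as the first path segment (assumption)."""
    base = BURP_API.rstrip("/")
    if API_KEY:
        base += "/" + API_KEY
    return base + path


def build_scan_request(urls):
    """Return the POST body for /v0.1/scan, refusing any URL whose host is not authorized."""
    for url in urls:
        host = urlsplit(url).hostname  # None for a bare hostname with no scheme, which is also rejected
        if host not in ALLOWED_HOSTS:
            raise ValueError(f"refusing to scan unauthorized target {url!r}")
    return {"urls": list(urls)}


def start_scan(urls):
    """Steps 1-3 of the walkthrough: open the launcher, set the URL, start the scan."""
    body = json.dumps(build_scan_request(urls)).encode()
    req = urllib.request.Request(api_url("/v0.1/scan"), data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        location = resp.headers.get("Location", "")
        return location.rstrip("/").rsplit("/", 1)[-1]  # task id is the last path segment


def get_status(task_id):
    """Steps 4-5: the same scan-task view the Dashboard shows, as JSON."""
    with urllib.request.urlopen(api_url(f"/v0.1/scan/{task_id}")) as resp:
        return json.load(resp)


def summarize_issues(status):
    """Reduce a scan status document to its unique issues and a count per severity."""
    found = [ev["issue"] for ev in status.get("issue_events", []) if ev.get("type") == "issue_found"]
    unique = sorted({(i.get("name", "?"), str(i.get("severity", "unknown")).lower(), i.get("path", ""))
                     for i in found})
    return {
        "scan_status": status.get("scan_status"),
        "by_severity": dict(Counter(sev for _, sev, _ in unique)),
        "issues": unique,
    }


def wait_for_scan(task_id, poll_seconds=10):
    """Poll until the scan reaches a terminal state, then summarize what it found."""
    while True:
        status = get_status(task_id)
        if status.get("scan_status") in TERMINAL_STATES:
            return summarize_issues(status)
        time.sleep(poll_seconds)


# Constructed sample of the status document shape described above; not output from a real scan.
SAMPLE_STATUS = {
    "task_id": "1",
    "scan_status": "succeeded",
    "issue_events": [
        {"type": "issue_found", "issue": {"name": "Cross-site scripting (reflected)", "severity": "high",
                                          "confidence": "certain", "origin": "https://target.example", "path": "/search"}},
        {"type": "issue_found", "issue": {"name": "Cross-site scripting (reflected)", "severity": "high",
                                          "confidence": "certain", "origin": "https://target.example", "path": "/search"}},
        {"type": "issue_found", "issue": {"name": "Strict transport security not enforced", "severity": "low",
                                          "confidence": "certain", "origin": "https://target.example", "path": "/"}},
    ],
}

if __name__ == "__main__":
    # Offline: print the summary for the constructed sample.
    print(json.dumps(summarize_issues(SAMPLE_STATUS), indent=2))
    # Against a running Burp with the REST API enabled, uncomment the two lines below.
    # task = start_scan(["https://portswigger-labs.net/"])
    # print(json.dumps(wait_for_scan(task), indent=2))
```

Run it as-is to see the summary for the constructed sample; with Burp running and the REST API enabled, uncomment the last two lines to launch the same scan the tutorial performs through the GUI. The summary deduplicates repeated issue events, so the severity counts reflect distinct findings rather than the number of events Burp emitted.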


Generating a report

In this section, you will learn how to generate a report based on the results of your scan.

Step 1: Select the relevant issues

Go to the Target > Site map tab, right-click the entry for https://portswigger-labs.net, and select Issues > Report issues for this host.

Report issues for the selected host

Step 2: Configure report options

A wizard walks you through various options, such as which file format to use, how much detail to include, etc. For now, just click Next to accept the defaults until you are prompted to enter a file name and location for the report.

Scan report wizard

Step 3: Generate and save the report

Click Select file, choose a location where you want to save the report, and enter a name for the file.

Note

You must include the appropriate file extension, in this case, .html.

Click Save, then Next to generate the report.

Step 4: View and share your report

Open the report in your browser to see what it contains. This is useful for sharing the results of your scans with colleagues or clients.

Viewing the scan report

You have now performed your first scan using Burp Suite and generated a report of the results.

Next step: continue learning about Burp

In this tutorial

  1. Initial setup
  2. Intercepting HTTP traffic with Burp Proxy
  3. Manually resubmit requests with Burp Repeater
  4. Run your first scan

