Introduction
Burp Scanner is the automated vulnerability detection tool integrated into Burp Suite, a comprehensive web application security testing platform. It identifies security issues by analyzing how a web application responds to a range of inputs and attack vectors. Whether you are a penetration tester, security professional, or developer, this cheat sheet covers the essentials for using Burp Scanner effectively to identify and address web application vulnerabilities.
Core Concepts
Key Components of Burp Scanner
Component | Description |
---|---|
Active Scanner | Proactively sends payloads to detect vulnerabilities by analyzing responses |
Passive Scanner | Analyzes traffic without sending additional requests, identifying issues like information disclosure |
Scan Configurations | Customizable profiles that determine scan scope, intensity, and techniques |
Issue Definitions | Built-in vulnerability patterns that Scanner checks against |
Reporting Module | Generates comprehensive reports of identified vulnerabilities |
Scanning Methodologies
- Crawl & Audit: Automatically discovers application content before scanning
- Point & Click: Scan specific functionality or endpoints
- Manual Application Mapping: User manually explores app, then scans discovered content
- API Scanning: Specialized scanning for API endpoints and services
Step-by-Step Scanning Process
1. Initial Setup
- Configure your browser to route traffic through Burp Proxy
- Ensure Burp Suite is updated to the latest version
- Verify proxy settings (default: 127.0.0.1:8080)
- Import/configure your Burp Suite license
2. Defining Scope
- Navigate to Target → Site map
- Right-click on target domain → “Add to scope”
- Configure scope settings in Target → Scope
- Set scan filter options to limit scan to in-scope items only
3. Configuring Scan Settings
- Navigate to Scanner → Options
- Select appropriate scan configuration based on objectives:
  - Crawl strategy: How deeply to crawl the application
  - Passive scanning: Enable/disable and configure
  - Active scanning: Configure attack insertion points and techniques
  - Issue reporting: Set severity thresholds and reporting options
4. Running a Scan
For Active Scanning:
- Right-click on target URL/function in Site map, Proxy history, or Target tree
- Select “Scan” or “Actively scan this [item]”
- Configure scan settings in the dialog
- Click “OK” to start scan
For Passive Scanning:
- Enable passive scanning in Scanner → Options
- Browse the application manually or use Burp Spider
- Passive Scanner automatically analyzes traffic through proxy
5. Analyzing Results
- Navigate to Scanner → Dashboard for overview
- Review Issues tab for detailed vulnerability information
- Prioritize by severity (High, Medium, Low, Info)
- Validate findings to eliminate false positives
Key Techniques and Scan Types
Scan Types
Scan Type | Purpose | When to Use |
---|---|---|
Lightweight | Quick checks with minimal impact | Initial testing, production systems |
Standard | Balanced scan covering common vulnerabilities | Most applications, default choice |
Thorough | Comprehensive testing with extended payloads | Critical applications, pre-release |
Custom | User-defined scan profile | Specialized testing needs |
Advanced Scanning Techniques
Content Discovery
Target → Site map → Select domain → Engagement tools → Discover content
- Configure discovery settings based on target complexity
- Include custom wordlists for better coverage
API Scanning
- Use Postman/Swagger imports for API definitions
- Configure correct content types and authentication
- Use sequence scanning for API flows
JavaScript Analysis
- Enable JavaScript analysis in Scanner options
- Set crawling depth to capture single-page applications fully
- Use the JS Miner extension for enhanced JavaScript parsing
Authentication and Session Handling
Setting Up Authentication
- Configure in Project options → Sessions
- Define authentication method:
  - Basic/NTLM authentication
  - Form-based login
  - Custom mechanisms via macros
Session Handling Rules
- Navigate to Project options → Sessions → Session Handling Rules
- Create rule with appropriate scope
- Add actions (e.g., run macro, set cookie)
- Test authentication flow before scanning
Common Authentication Configurations
Auth Type | Configuration Approach |
---|---|
Form Login | Record macro of login process, apply via session handling rule |
API Key | Use header or parameter-based rule to insert key |
OAuth/JWT | Configure token acquisition macro, use extensions like OAuth Handler |
SAML/SSO | Record full authentication flow, may require specialized extensions |
Scan Configurations and Optimization
Performance Optimization
- Resource Pool Management: Configure in Project options → Connections
- Concurrent Requests: Adjust based on target application’s capacity
- Throttling: Set delays between requests to reduce impact
- Scan Queue Management: Prioritize critical functions
Scan Configuration Presets
Focus Area | Recommended Settings |
---|---|
Speed | Reduce thread count, limit insertion points, use lightweight scans |
Thoroughness | Increase thread count, maximize insertion points, use thorough scan type |
Stealth | Increase request delays, randomize user-agents, limit concurrent requests |
API Testing | Custom parameter locations, content-type handling, specific payload selection |
Common Issues and Troubleshooting
Scan Performance Issues
Problem | Solution |
---|---|
Slow Scanning | Reduce scan depth, limit insertion points, optimize resource pools |
High False Positives | Tune issue reporting thresholds, validate findings manually |
Scan Stalling | Check target availability, adjust timeout settings, monitor connection issues |
Authentication Failures | Verify session handling rules, check for anti-automation measures |
Error Troubleshooting
Error | Resolution |
---|---|
Connection Refused | Verify target availability and network connectivity |
Out of Memory | Increase Java heap size, split scan into smaller segments |
SSL/TLS Errors | Configure correct certificate handling, update Burp’s JRE |
Extension Conflicts | Disable non-essential extensions during scanning |
Best Practices
Scanning Methodology
- Start Narrow: Begin with critical functionality before expanding scope
- Combine Techniques: Use both passive and active scanning
- Validate Findings: Always manually verify critical vulnerabilities
- Incremental Scanning: Scan in phases rather than all at once
- Document Everything: Keep detailed records of scan configurations and findings
Security and Ethical Considerations
- Obtain proper authorization before scanning
- Avoid heavy scanning during peak business hours
- Use throttling for production environments
- Respect scope limitations and data privacy
- Consider data protection implications of findings
Result Management
- Prioritize vulnerabilities by business impact, not just severity
- Group related issues for more efficient remediation
- Provide clear reproduction steps for development teams
- Track fixes and perform verification scans
- Maintain a vulnerability knowledge base for common findings
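An added example, not from this page, of the prioritization and grouping advice above applied to Burp's XML report export: each (issue, host) group is scored by severity, asset criticality and confidence rather than severity alone. The sample report, the weights and the host criticality map are constructed for the illustration.

```python
# Added example (not from the page): rank a Burp Scanner XML export by business
# impact rather than severity alone, and group repeat findings per issue and host.
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample following the layout of Burp's XML report export; only the
# elements this parser reads are included.
SAMPLE_REPORT = """<issues burpVersion="2024.1">
  <issue><serialNumber>1</serialNumber><name>SQL injection</name>
    <host ip="203.0.113.10">https://pay.example.test</host><path>/checkout</path>
    <severity>High</severity><confidence>Certain</confidence></issue>
  <issue><serialNumber>2</serialNumber><name>Cross-site scripting (reflected)</name>
    <host ip="203.0.113.10">https://pay.example.test</host><path>/search</path>
    <severity>High</severity><confidence>Firm</confidence></issue>
  <issue><serialNumber>3</serialNumber><name>Cross-site scripting (reflected)</name>
    <host ip="203.0.113.10">https://pay.example.test</host><path>/help</path>
    <severity>High</severity><confidence>Firm</confidence></issue>
  <issue><serialNumber>4</serialNumber><name>SQL injection</name>
    <host ip="198.51.100.7">https://blog.example.test</host><path>/archive</path>
    <severity>High</severity><confidence>Tentative</confidence></issue>
</issues>"""

SEVERITY_WEIGHT = {"High": 4, "Medium": 3, "Low": 2, "Information": 1}
CONFIDENCE_WEIGHT = {"Certain": 10, "Firm": 8, "Tentative": 5}
# Constructed asset-criticality map: the payment host outweighs the marketing blog.
ASSET_CRITICALITY = {"https://pay.example.test": 3, "https://blog.example.test": 1}

def prioritize(report_xml):
    """Group issues by (issue name, host) and return a list of
    (name, host, score, paths) tuples, highest business-impact score first.
    score = severity weight * asset criticality * confidence weight, taken over
    the strongest finding in the group."""
    groups = defaultdict(lambda: {"score": 0, "paths": []})
    for issue in ET.fromstring(report_xml).findall("issue"):
        name, host = issue.findtext("name"), issue.findtext("host")
        score = (SEVERITY_WEIGHT[issue.findtext("severity")]
                 * ASSET_CRITICALITY.get(host, 1)  # unknown hosts get baseline weight
                 * CONFIDENCE_WEIGHT[issue.findtext("confidence")])
        group = groups[(name, host)]
        group["paths"].append(issue.findtext("path"))
        group["score"] = max(group["score"], score)
    ranked = [(name, host, g["score"], g["paths"]) for (name, host), g in groups.items()]
    ranked.sort(key=lambda row: row[2], reverse=True)  # stable: ties keep report order
    return ranked

def exceeds_threshold(ranked, min_score):
    """True if any group scores at or above min_score (e.g. a pipeline failure gate)."""
    return any(row[2] >= min_score for row in ranked)
```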
Advanced Features
Custom Scan Configurations
- Navigate to Scanner → Scan configurations
- Create new configuration or clone existing
- Customize:
  - Attack insertion points
  - Payload selection
  - Request optimization
  - Issue reporting
Creating Custom Issue Definitions
- Use the Burp Extender API
- Develop custom scan checks in Java, Python, or Ruby
- Integrate with existing scan engine
- Publish to BApp Store or keep internal
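As an added example (not Burp's own code and not from this page), a minimal passive scan check written against Burp's legacy Extender API in Jython: it reports responses that lack three common security headers. The `burp` import is guarded so the header logic can be exercised outside Burp; the header list, issue text and class names are assumptions for the illustration.

```python
# Added example (not Burp's own code): passive scan check for the legacy Extender API under
# Jython. The `burp` import is guarded so the header logic also runs and tests outside Burp.
try:
    from burp import IBurpExtender, IScannerCheck, IScanIssue
except ImportError:  # outside Burp: stand-in base classes so the module still imports
    class IBurpExtender(object): pass
    class IScannerCheck(object): pass
    class IScanIssue(object): pass
EXPECTED_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy", "X-Content-Type-Options")  # constructed list

def missing_security_headers(header_lines):
    """Expected headers absent from header lines as IResponseInfo.getHeaders() yields them (status line first)."""
    present = set()
    for line in header_lines[1:]:
        name, sep, _ = line.partition(":")
        if sep:
            present.add(name.strip().lower())  # header names are case-insensitive
    return [h for h in EXPECTED_HEADERS if h.lower() not in present]

class MissingHeaderIssue(IScanIssue):  # one reported finding
    def __init__(self, service, url, messages, missing):
        self._service, self._url, self._messages, self._missing = service, url, messages, missing
    def getUrl(self): return self._url
    def getIssueName(self): return "Missing security headers (custom check)"
    def getIssueType(self): return 0x08000000  # range reserved for extension-generated issues
    def getSeverity(self): return "Low"
    def getConfidence(self): return "Certain"
    def getIssueBackground(self): return None
    def getRemediationBackground(self): return None
    def getIssueDetail(self): return "Response lacks: " + ", ".join(self._missing)
    def getRemediationDetail(self): return "Set the listed headers at the origin or reverse proxy."
    def getHttpMessages(self): return self._messages
    def getHttpService(self): return self._service

class BurpExtender(IBurpExtender, IScannerCheck):
    def registerExtenderCallbacks(self, callbacks):
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Missing security headers check")
        callbacks.registerScannerCheck(self)
    def doPassiveScan(self, baseRequestResponse):
        headers = self._helpers.analyzeResponse(baseRequestResponse.getResponse()).getHeaders()
        missing = missing_security_headers(list(headers))
        if not missing:
            return None
        url = self._helpers.analyzeRequest(baseRequestResponse).getUrl()
        return [MissingHeaderIssue(baseRequestResponse.getHttpService(), url, [baseRequestResponse], missing)]
    def doActiveScan(self, baseRequestResponse, insertionPoint):
        return None  # passive-only check
    def consolidateDuplicateIssues(self, existingIssue, newIssue):
        return -1 if existingIssue.getIssueDetail() == newIssue.getIssueDetail() else 0  # -1 keep existing, 0 keep both
```

Load it via Extender → Extensions → Add with Extension type set to Python; the issue then appears alongside Burp's built-in findings.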
Integration with CI/CD Pipelines
- Use Burp Suite Enterprise for automated scanning
- Leverage REST API for integration
- Set appropriate failure thresholds
- Incorporate into deployment decision gates
Common Vulnerability Checks
Vulnerability Type | Scanner Detection Capability | False Positive Potential |
---|---|---|
SQL Injection | Excellent | Low |
XSS (Cross-Site Scripting) | Very Good | Medium |
CSRF (Cross-Site Request Forgery) | Good | Medium-High |
Information Disclosure | Very Good | Low |
Authentication Issues | Good | Medium |
Authorization Bypasses | Limited | High |
Business Logic Flaws | Poor (requires manual testing) | N/A |
Server Misconfigurations | Good | Low |
Resources for Further Learning
Official Documentation
Community Resources
Training and Certification
Community Forums
Quick Reference Commands and Shortcuts
Action | Keyboard Shortcut | Menu Path |
---|---|---|
Start new scan | N/A | Right-click → Scan |
Pause/resume scan | N/A | Scanner → Tasks → select scan → Pause/Resume |
Save scan configuration | N/A | Scanner → Scan configurations → Save |
Clear scan queue | N/A | Scanner → Tasks → Clear queue |
Generate scan report | N/A | Scanner → Issues → Report selected issues |
Send to active scanner | Ctrl+Shift+A | Right-click → Send to Active Scanner |
Toggle passive scanner | N/A | Scanner → Options → Live Passive Scanning |
Filter scan results | N/A | Scanner → Issues → Filter bar |