Burp Suite Automated Scanner Is Free To Use

Burp Suite is simple, easy to use and configurable, and has many powerful features to help those who are testing software. Its professional version includes multiple tools and an automated scanner, while the free version is complete in itself and includes all the basic tools. Learn how to scan a website for vulnerabilities using Burp Scanner in the latest of our video tutorials on Burp Suite essentials. Configuring an end-to-end m.

Figure 1: Changing the AppScan internal browser’s User-Agent header value. The value above was modified from the default value of “Mozilla/4.0 (compatible; MSIE 6.0; Win32)” to “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2)”. To get a valid header value, I used an updated browser connected to a proxy tool, such as OWASP ZAP or Burp, to navigate to the application.

Burp Scanner automates the task of scanning web sites for content and vulnerabilities. Depending on configuration, the Scanner can crawl the application to discover its content and functionality, and audit the application to discover vulnerabilities. By default, all scans will use Burp's embedded browser to ensure maximum coverage through browser-powered scanning. You can also provide sets of user credentials so that Burp Scanner can discover and audit content that is only accessible to authenticated users. Importing full login sequences even enables Burp Scanner to handle more complex login mechanisms, including single sign-on.

Launching scans

Scans can be launched in a variety of ways:

  • Scan from specific URLs. This performs a scan by crawling the content within one or more provided URLs, and optionally auditing the crawled content. To do this, go to the Burp Dashboard, and click the 'New scan' button. This will open the scan launcher which lets you configure details of the scan.
  • Scan selected items. This lets you perform an audit-only scan (no crawling) of specific HTTP requests. To do this, select one or more requests anywhere within Burp, and select 'Scan' from the context menu. This will open the scan launcher which lets you configure details of the scan.
  • Live scanning. You can use live scans to automatically scan requests that are processed by other Burp tools, such as the Proxy or Repeater tools. You can configure precisely which requests are processed, and whether they should be scanned to identify content or audit for vulnerabilities. To do this, go to the Burp Dashboard, and click the 'New live task' button. This will open the live scan launcher which lets you configure details of the task.
  • Instant scanning. You can also launch instant active or passive scans from the context menu. This means you can quickly check for vulnerabilities without having to open the scan launcher. You can access these options by right-clicking on a request. Alternatively, you can configure hotkeys for triggering instant scans.

Configuring scans

You can launch multiple scans in parallel, and each scan has its own configuration options that determine exactly how the scan is carried out. There are two key areas of configuration:

  • Crawl options. These options control behavior like maximum link depth, how the crawler optimizes for speed versus coverage, and limits on the extent of the crawl. You can also enable or disable some of Burp Scanner's miscellaneous features, such as browser-powered scanning and API scanning.
  • Audit options. These options control behavior like the handling of insertion points and what detection methods are employed. These options are very important in controlling what type of audit activity will be performed, from a lightweight purely passive analysis through to a heavyweight invasive scan.

Monitoring scan activity

You can monitor the progress and results of a scan in various ways:

  • The Burp Dashboard shows metrics about the progress of each task, and the issue activity log shows the issues that are reported by all scanning tasks.
  • You can open the task details window for an individual scan, to view the issue activity log for only that scan, and a detailed view of the audit items for applicable tasks.
  • The Target site map shows all of the content and issues that have been identified, organized by domain and URL.

Reporting

You can generate reports of issues found via Burp Scanner in HTML format. You can also export issues in XML format suitable for importing into other tools.
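The XML export mentioned above is what a team would feed into a ticketing or reporting pipeline. As an added example (not from the page and not PortSwigger's own code), the Python below parses a constructed sample written in the shape of Burp's issue export (element names such as `issue`, `severity`, `confidence` and the base64-encoded `request` are assumptions about that format) and triages the findings by severity and confidence so that a reviewer sees the most actionable ones first.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a Burp Scanner XML issue export.
# Element names are assumed from that format; the findings are made up.
SAMPLE_XML = """<issues burpVersion="2024.1" exportTime="Mon Jan 01 00:00:00 UTC 2024">
  <issue>
    <name>Cross-site scripting (reflected)</name>
    <path>/search</path>
    <severity>High</severity>
    <confidence>Certain</confidence>
    <requestresponse>
      <request base64="true" method="GET">R0VUIC9zZWFyY2g=</request>
    </requestresponse>
  </issue>
  <issue>
    <name>Strict transport security not enforced</name>
    <path>/</path>
    <severity>Low</severity>
    <confidence>Firm</confidence>
  </issue>
</issues>"""

# Burp's severity and confidence scales, ranked so they can be compared.
SEVERITY = {"High": 3, "Medium": 2, "Low": 1, "Information": 0}
CONFIDENCE = {"Certain": 2, "Firm": 1, "Tentative": 0}

def parse_issues(xml_text):
    """Return one dict per <issue>, decoding the request when it is base64."""
    issues = []
    for node in ET.fromstring(xml_text).iter("issue"):
        req = node.find("requestresponse/request")
        request = None
        if req is not None and req.text:
            raw = base64.b64decode(req.text) if req.get("base64") == "true" else req.text.encode()
            request = raw.decode("utf-8", errors="replace")
        issues.append({"name": node.findtext("name", ""),
                       "path": node.findtext("path", ""),
                       "severity": node.findtext("severity", "Information"),
                       "confidence": node.findtext("confidence", "Tentative"),
                       "request": request})
    return issues

def triage(issues, min_severity="Medium", min_confidence="Firm"):
    """Keep findings at or above both thresholds, most severe and most certain first."""
    keep = [i for i in issues
            if SEVERITY.get(i["severity"], 0) >= SEVERITY[min_severity]
            and CONFIDENCE.get(i["confidence"], 0) >= CONFIDENCE[min_confidence]]
    return sorted(keep, key=lambda i: (-SEVERITY.get(i["severity"], 0), -CONFIDENCE.get(i["confidence"], 0)))
```

Lowering `min_confidence` to "Tentative" pulls in findings Burp is less sure about, which is the trade-off between missed issues and reviewer time that the thresholds are there to tune.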

Additional information

You can find additional information about specific topics on the following Support pages: