Burp Suite Scan Configuration

TL;DR

This guide explains the key options in Burp Suite’s Active Scanner wizard to help you configure effective web application security scans.

1. Scan Type Selection

  1. Crawl and Audit: This is the most common option. Burp will first explore (crawl) your target website, then automatically scan for vulnerabilities.
  2. Audit Selected Items: Use this if you already have a list of specific URLs or requests to test. You’ll need to manually add these items before running the scan.

2. Define Scope

The scope tells Burp which parts of your website to include in the scan.

  1. Use current project scope: This uses any scope you’ve already defined within Burp Suite.
  2. Specify a new scope: Enter URLs or URL patterns to define the target. Be careful not to include external websites unless you have permission! For example:
    https://www.example.com/*
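The scope pattern above is the single most important safety setting in the wizard: anything that matches it will be attacked. As an added example (this is not Burp's own code or its regex-based scope engine; it is a simplified glob matcher written for this page), here is a small Python pre-flight check that applies patterns of that form to a list of candidate targets before a scan is started, so that URLs on other hosts, other schemes, or lookalike domains are rejected rather than queued. The target list, the include pattern and the `/logout*` exclusion are constructed sample data.

```python
"""Pre-flight scope check for a list of scan targets (added example, not Burp's code)."""
import fnmatch
from urllib.parse import urlparse

# Constructed sample scope: one include pattern of the kind the wizard accepts,
# plus an exclusion so the scanner never hits the session-ending endpoint.
INCLUDE_PATTERNS = ["https://www.example.com/*"]
EXCLUDE_PATTERNS = ["https://www.example.com/logout*"]

# Constructed candidate targets; only the first two should be accepted.
SAMPLE_TARGETS = [
    "https://www.example.com/",
    "https://www.example.com/account/settings",
    "https://www.example.com/logout?next=/",          # excluded on purpose
    "https://cdn.example.com/static/app.js",          # different host
    "http://www.example.com/",                        # different scheme
    "https://www.example.com.attacker.test/login",    # lookalike domain
]


def pattern_matches(pattern, url):
    """Scheme and host must match exactly (case-insensitive); only the path is a glob.

    Matching host and scheme literally is what stops 'www.example.com/*' from
    also matching 'www.example.com.attacker.test' or a plain-http variant.
    """
    pp, up = urlparse(pattern), urlparse(url)
    if pp.scheme.lower() != up.scheme.lower():
        return False
    if (pp.hostname or "").lower() != (up.hostname or "").lower():
        return False
    # Query strings are ignored: scope is decided on the path alone.
    return fnmatch.fnmatchcase(up.path or "/", pp.path or "/*")


def classify(url, include=INCLUDE_PATTERNS, exclude=EXCLUDE_PATTERNS):
    """Return 'excluded', 'in-scope' or 'not-included'; exclusions win over includes."""
    if any(pattern_matches(p, url) for p in exclude):
        return "excluded"
    if any(pattern_matches(p, url) for p in include):
        return "in-scope"
    return "not-included"


def in_scope(url, include=INCLUDE_PATTERNS, exclude=EXCLUDE_PATTERNS):
    return classify(url, include, exclude) == "in-scope"


def partition_targets(urls, include=INCLUDE_PATTERNS, exclude=EXCLUDE_PATTERNS):
    """Split candidates into (accepted URLs, [(rejected URL, reason), ...])."""
    accepted, rejected = [], []
    for u in urls:
        verdict = classify(u, include, exclude)
        if verdict == "in-scope":
            accepted.append(u)
        else:
            rejected.append((u, verdict))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = partition_targets(SAMPLE_TARGETS)
    print("Will scan:")
    for u in ok:
        print("  ", u)
    print("Rejected:")
    for u, why in bad:
        print(f"   {u}  ({why})")
```

Run this over the URL list you intend to feed into "Audit Selected Items" (or over the proxy history before a crawl) and fix the scope definition until the rejected list contains only hosts you expect; an out-of-scope host appearing there is the signal that the pattern is too broad or that a lookalike domain has crept into the target set.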

3. Common Scan Configurations

These settings control how Burp performs its tests.

  1. Scan Accuracy: Higher accuracy means more thorough testing but takes longer.
    • Optimized: A good balance of speed and coverage (recommended for most scans).
    • Deep: The most comprehensive, slowest option. Use this when you need to find every possible issue.
  2. Insertion Points: The places in each request where Burp tries to inject payloads.
    • All insertion points: Tests everything (recommended).
    • User-supplied forms and parameters: Focuses on areas where users provide input.

4. Live Scanning Options

Controls how Burp interacts with the target while scanning.

  1. Concurrent Requests: How many requests Burp sends at once.
    • Higher numbers are faster but can overload the server. Start low (e.g., 5-10) and increase gradually if your server can handle it.
  2. Request Throttling: Delays between requests to avoid overwhelming the server.
    • A delay of 2 seconds is a good starting point. Adjust based on server performance.

5. Spider Options (if crawling)

Controls how Burp explores the website.

  1. Maximum Depth: How many links deep to follow.
    • A depth of 2-3 is usually sufficient for most websites.
  2. Spidering Media Content: Whether to crawl files like images and videos.
    • Generally, disable this unless you specifically need to test media files.

6. Resource Pool

Advanced option for controlling how Burp uses its resources.

Leave the default settings unless you have a specific reason to change them.

7. Scan Triggering

  1. Start scan: Click this button to begin the active scan.