d4rtht3ll3ctus' root vault

Burp Scanner

3 min read

An essential feature of web proxy tools is their web scanners. Burp Suite comes with Burp Scanner, a powerful scanner for various types of web vulnerabilities, using a Crawler for building the website structure, and Scanner for passive and active scanning.

To start a scan in Burp Suite, we have the following options:

  1. Start scan on a specific request from Proxy History
  2. Start a new scan on a set of targets
  3. Start a scan on items in-scope

The Target Scope can be utilized with all Burp features to define a custom set of targets that will be processed. Burp also allows us to limit Burp to in-scope items to save resources by ignoring any out-of-scope URLs.

If we go to (Target>Site map), it will show a listing of all directories and files burp has detected in various requests that went through its proxy:

To add an item to our scope, we can right-click on it and select Add to scope:

We may also need to exclude a few items from scope if scanning them may be dangerous or may end our session ‘like a logout function’. To exclude an item from our scope, we can right-click on any in-scope item and select Remove from scope

Finally, we can go to (Target>Scope) to view the details of our scope. Here, we may also add/remove other items and use advanced scope control to specify regex patterns to be included/excluded.

Crawler

Once we have our scope ready, we can go to the Dashboard tab and click on New Scan to configure our scan, which would be automatically populated with our in-scope items:

We see that Burp gives us two scanning options: Crawl and Audit and Crawl

 A Crawl scan only follows and maps links found in the page we specified, and any pages found on it. It does not perform a fuzzing scan to identify pages that are never referenced, like what dirbuster or ffuf would do. This can be done with Burp Intruder or Content Discovery, and then added to scope, if needed.

 Application login tab. In this tab, we can add a set of credentials for Burp to attempt in any Login forms/fields it can find. We may also record a set of steps by performing a manual login in the pre-configured browser, such that Burp knows what steps to follow to gain a login session. This can be essential if we were running our scan using an authenticated user, which would allow us to cover parts of the web application that Burp may otherwise not have access to.

Passive Scanner

Active Scanner

  1. It starts by running a Crawl and a web fuzzer (like dirbuster/ffuf) to identify all possible pages

  2. It runs a Passive Scan on all identified pages

  3. It checks each of the identified vulnerabilities from the Passive Scan and sends requests to verify them

  4. It performs a JavaScript analysis to identify further potential vulnerabilities

  5. It fuzzes various identified insertion points and parameters to look for common vulnerabilities like XSS, Command Injection, SQL Injection, and other common web vulnerabilities

Graph View