Setting the scan scope in Burp Suite Professional

  • Last updated: July 6, 2023

  • Read time: 4 Minutes

The Scan details section of the scan launcher enables you to select the scan type, and the details of what will be scanned.

Scan type

You can select from the following scan types:

  • Crawl and audit - This performs a crawl from one or more starting URLs, and then audits the discovered content for vulnerabilities.
  • Crawl - Performs a crawl from one or more starting URLs.
  • Audit selected items - This option is only available for scans initiated by selecting one or more requests/responses within Burp, and clicking Scan on the context menu.

Depending on the scan type selected, the scan launcher shows options for the scope of the scan or the individual items to be scanned.

URLs to scan

This section is displayed for Crawl and audit and Crawl scan types. You can configure one or more start URLs from which Burp will start the crawl. Burp Scanner follows any links from these URLs into the application. For more information on how Burp Scanner uses start URLs when crawling a site, see the Crawling page of the Scanner documentation.

By default, the scope of the crawl is restricted to the configured URLs, ending with the final directory (if any). For example, if you specify a start URL of https://example.org/myapp/welcome.php, the crawler begins at this URL and crawls content within the path https://example.org/myapp/.

Note

Burp identifies the final directory based on the final slash (/) in the URL. For example, if you enter https://example.org/myapp/myfolder, all content within the path https://example.org/myapp/ is considered in-scope. To limit the scope to the myfolder directory, you would need to enter https://example.org/myapp/myfolder/.

You can override the default behavior and provide a different scope configuration by opening the Detailed scope configuration toggle. This enables you to define the scope of the crawl using either URL prefixes or advanced matching rules, as for Burp's Target scope. Note that you still need to specify the URLs to scan, since these are the starting points for the crawl, and the URLs to scan must fall within the defined scope.

Wildcards

You can use wildcards when you set a simple scope using URL prefixes. This enables you to simplify your list of in-scope URLs.

For example, you can use wildcards to quickly and easily add all subdomains of the target domain to scope:

  • *.example.com - This matches any subdomains of example.com. For example, www.example.com and abc.example.com. It doesn't match example.com itself.
  • *example.com - This matches any subdomains of example.com, as well as example.com itself.

The wildcard can only be used at the beginning of the hostname section of the URL.

Note

Wildcards are not supported in the URLs to scan field.

When using advanced scope control, * has its usual regex language meaning.
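The default "final slash" scope rule and the simple-scope hostname wildcards described above, implemented as an added example (this is not PortSwigger's code; the matching of `*example.com` follows the page's wording, subdomains plus the bare domain):

```python
from urllib.parse import urlsplit, urlunsplit


def default_crawl_scope(start_url: str) -> str:
    """Default scope for a start URL: the path up to and including its final
    slash, with query string and fragment dropped."""
    parts = urlsplit(start_url)
    path = parts.path or "/"
    directory = path[: path.rfind("/") + 1]
    return urlunsplit((parts.scheme, parts.netloc, directory, "", ""))


def in_default_scope(start_url: str, candidate: str) -> bool:
    """True when candidate lies within the directory derived from start_url."""
    c = urlsplit(candidate)
    normalised = urlunsplit((c.scheme, c.netloc, c.path or "/", "", ""))
    return normalised.startswith(default_crawl_scope(start_url))


def host_matches_wildcard(pattern: str, host: str) -> bool:
    """Simple-scope hostname matching. The wildcard is only allowed at the
    start of the hostname: '*.example.com' matches subdomains only, while
    '*example.com' also matches example.com itself."""
    if "*" in pattern[1:]:
        raise ValueError("wildcard is only allowed at the start of the hostname")
    if not pattern.startswith("*"):
        return host == pattern
    suffix = pattern[1:]  # '.example.com' or 'example.com'
    if suffix.startswith("."):
        return host.endswith(suffix)
    return host == suffix or host.endswith("." + suffix)
```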

Fragment handling

For scans using Burp's browser, Burp accepts URLs with fragments (#). This enables Burp Scanner to handle client-side routing found in React apps and single-page applications. However, the legacy crawling engine does not support URL fragments. If browser-powered scanning is disabled in your scan configuration, you cannot include a fragment in any start URLs.

If you attempt to include a URL fragment with browser-powered scanning disabled, an error message appears. To enable browser-powered scanning, go to the Miscellaneous crawl settings of your scan configuration and use the drop-down menu to enable Use Burp's browser for Crawl and Audit.

Protocol settings

Specifying the protocol for each URL is optional. To control which protocols are used to scan your URLs, select one of the following options:

  • Scan using HTTP & HTTPS - When this option is selected, all of your URLs are scanned using both HTTP and HTTPS, regardless of whether you explicitly specified a protocol in the list of URLs.
  • Scan using my specified protocols - When this option is selected, Burp Scanner scans the URLs using the protocols that you specify. For example, if you only include the URL http://example.org, the URL https://example.org is not scanned. Any URLs for which no protocol is specified are still scanned using both HTTP and HTTPS.

Note

If Burp identifies that the content at a given location is the same for both protocols, then it only scans that location once, even if you choose to scan using both HTTP and HTTPS.

Items to scan

This section is displayed for the Audit selected items scan type. The URLs of the selected items are listed. Note that the same URL appears more than once if there are multiple requests to the same URL with different parameters.

Where you have a lot of items to scan, it is often useful to consolidate the selected items to improve the efficiency of the scan. Click Consolidate items to display a wizard that enables you to choose to remove certain items:

  • Duplicate items in the selection (those with matching URL and parameter names).
  • Out-of-scope items (based on the current suite scope).
  • Items with no parameters.
  • Items with specific file extensions.

For each option, Burp shows the number of affected items. Any options that would result in none or all of the items being removed are unavailable.

The consolidation wizard then displays the full list of items that will be scanned. You can double-click any item in the list to view the full request and response. You can also manually remove any further items that you do not wish to scan.
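The four consolidation options and the "none or all" availability rule, worked through on a constructed selection of five requests as an added example (not Burp's own code; the `Item` class and its `body_params` field are assumptions standing in for Burp's request objects):

```python
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

@dataclass(frozen=True)
class Item:
    url: str                 # URL of a selected request, query string included
    body_params: tuple = ()  # names of any body parameters (hypothetical field)

def base_url(item):
    p = urlsplit(item.url)
    return f"{p.scheme}://{p.netloc}{p.path}"

def param_names(item):
    query = parse_qsl(urlsplit(item.url).query, keep_blank_values=True)
    return frozenset(name for name, _ in query) | frozenset(item.body_params)

def file_extension(item):
    last_segment = urlsplit(item.url).path.rsplit("/", 1)[-1]
    return last_segment.rsplit(".", 1)[1].lower() if "." in last_segment else ""

def consolidation_counts(items, scope_prefixes, extensions):
    """How many items each wizard option would remove."""
    seen, duplicates = set(), 0
    for it in items:
        key = (base_url(it), param_names(it))  # "matching URL and parameter names"
        duplicates += key in seen
        seen.add(key)
    return {
        "duplicates": duplicates,
        "out_of_scope": sum(not base_url(it).startswith(tuple(scope_prefixes)) for it in items),
        "no_parameters": sum(not param_names(it) for it in items),
        "extensions": sum(file_extension(it) in extensions for it in items),
    }

def available_options(counts, total):
    """An option that would remove none or all of the items is unavailable."""
    return {name: 0 < n < total for name, n in counts.items()}

SAMPLE = [  # constructed selection; suite scope assumed to be https://example.org/myapp/
    Item("https://example.org/myapp/login.php?user=a&pw=b"),
    Item("https://example.org/myapp/login.php?user=x&pw=y"),  # duplicate of the first
    Item("https://example.org/myapp/welcome.php"),              # no parameters
    Item("https://example.org/static/logo.png"),                # out of scope, .png, no parameters
    Item("https://example.org/myapp/search", body_params=("q",)),
]

def run_sample():
    counts = consolidation_counts(SAMPLE, ["https://example.org/myapp/"], {"png", "jpg", "gif"})
    return counts, available_options(counts, len(SAMPLE))
```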
