Support Center
Documentation
Contents
Enterprise
Professional
Community
Burp Suite documentation - contents
Documentation
Desktop editions
Getting started
Download and install
Intercepting HTTP traffic with Burp Proxy
Intercepting a request
Modifying requests in Burp Proxy
Step 1: Access the vulnerable website in Burp's browser
Step 2: Log in to your shopping account
Step 3: Find something to buy
Step 4: Study the add to cart function
Step 5: Modify the request
Step 6: Exploit the vulnerability
Setting the target scope
Reissuing requests with Burp Repeater
Sending a request to Burp Repeater
Testing different input with Burp Repeater
Running your first scan
Scanning a website
What next?
Continue your Burp Suite journey
Activate license
Manual activation
Generating a report
Mac installer
System requirements
CPU cores / memory
Free disk space
Operating system and architecture
Embedded browser
Running scans
Scanning web applications
Running a full crawl and audit
Step 1: Configure scan type
Step 2: Configure scan details
Step 3: Select a scan configuration
Step 4: Configure application logins (optional)
Step 5: Select a resource pool (optional)
Scanning specific HTTP messages
Configuring an audit of specific HTTP messages
Launching scans
Scanning APIs
Step 1: Configure scan type
Step 2: Upload API definition
Step 3: Review and configure the API details
Viewing and configuring authentication
Step 4: Select a scan configuration
Step 5: Select a resource pool
Configuring authentication
Detected authentication methods
Adding authentication methods
Basic authentication
Bearer token
API key / Custom token
Fixed API key / Custom token authentication method
Dynamic API Key / Custom token authentication method
Editing authentication credentials / methods
How Burp applies authentication credentials
Conflicts between manually added methods
Conflicts between detected methods and manually added methods
Live tasks
Types of live task
Live task scope
Scan configuration and resource pools
Creating live tasks
Task execution settings
Task auto-start
Resource pools
Viewing scan and live task results
Summary
Issues
Analyzing issue activity
Managing issues
Audit items
Audit phase indicators
Insertion points
Tree view
Nested insertion points
Insertion points information
Insertion point statuses
Event log
Audit log
Viewing audit activity
Analyzing audit log activity
Managing audit log items
Live crawl view
Reporting scan results
Manually creating issues for reports
To create an issue:
Adding multiple request and response pairs to an issue
To add request / response pairs to a manually created issue:
Report settings
Report format
Issue details
HTTP messages
Selecting issue types
Report details
Adding custom scan checks
Managing BChecks
Testing BChecks
Troubleshooting BChecks
Managing BChecks for a specific scan
Creating BChecks
Exporting BChecks
Testing BChecks
Running a BCheck test
Managing BCheck test cases
Configuring test scans
Configuring application logins
Adding usernames and passwords
Adding login credentials
Editing existing login credentials
Login functions
Adding recorded login sequences in Burp Suite Professional
Adding login sequences
Editing existing recorded logins
Managing application logins using the configuration library
Managing resource pools for scans
Creating new resource pools
Reassigning resource pools
Configuring scans
Using a configuration from the library
Creating a new configuration
Importing a configuration
Combining custom scan configurations in Burp Suite Professional
Setting the scan scope in Burp Suite Professional
URLs to scan
Fragment handling
Protocol settings
Advanced scan parameters
Items to scan
Testing workflow
Tutorials
Setting a test scope
Adding URLs to the scope
Excluding URLs from the scope
Mapping the website
Mapping the visible surface
Before you start
Steps
Discovering hidden content
Automated discovery
Before you start
Steps
Enumerating subdomains
Steps
Analyzing the attack surface
Scoping the effort to audit a website
Before you start
Steps
Identifying high-risk functionality
Before you start
Steps
Identifying supported HTTP methods
Before you start
Enumerating supported methods for a single endpoint
Enumerating supported methods for multiple endpoints
Checking for hidden inputs
Before you start
Steps
Evaluating inputs
Before you start
Steps
Manually evaluating individual inputs
Scanning inputs
Fuzzing inputs
Analyzing opaque data
Decoding data
Investigate opaque data with the Inspector
Investigate opaque data with Burp Decoder
Identifying which parts of a token impact the response
Steps
Testing authentication mechanisms
Enumerating usernames
Steps
Guessing usernames for known users
Steps
Brute-forcing passwords
Before you start
Running a dictionary attack
Running an exhaustive brute-force attack
Credential stuffing
Before you start
Steps
Brute-forcing logins
Before you start
Steps
Testing session management mechanisms
Analyzing session token generation
Before you start
Steps
Determining the session timeout
Steps
Generating a CSRF proof-of-concept
Steps
Working with JWTs
Before you start
Viewing JWTs
Editing JWTs
Adding a JWT signing key
Maintaining an authenticated session
Identifying an invalid login expression
Configuring a session handling rule
Checking the session handling rule
Testing access controls
Testing for IDORs
Steps
Testing for parameter-based access control
Before you start
Steps
Testing for privilege escalation
Before you start
Testing a specific endpoint
Testing across the entire site
Testing horizontal access controls
Before you start
Testing a specific endpoint
Testing across the entire site
Using match and replace rules
Step 1: Open the lab
Step 2: Attempt to access the admin panel
Step 3: Add a custom match and replace rule
Step 4: Try to access the admin panel again
Summary and next steps
Testing input validation
Bypassing client-side controls
Steps
SQL injection
Testing for SQL injection vulnerabilities
Steps
Scanning for SQL injection vulnerabilities
Manually fuzzing for SQL injection vulnerabilities
Cross-site scripting
Identifying reflected input
Steps
Scanning for reflected inputs
Identifying reflected input manually
Next steps
Testing for DOM XSS with DOM Invader
Before you start
Steps
Related pages
Testing for web message DOM XSS with DOM Invader
Before you start
Steps
Related pages
Testing for reflected XSS manually
Before you start
Steps
Related pages
Testing for stored XSS
Steps
Bypassing XSS filters
Before you start
Steps
Testing for blind XSS
Steps
Related pages
Testing for prototype pollution with DOM Invader
Before you start
Steps
OS command injection
Testing for command injection vulnerabilities
Steps
Scanning for command injection vulnerabilities
Manually testing for command injection vulnerabilities
Testing for asynchronous OS command injection vulnerabilities
Steps
Exploiting OS command injection vulnerabilities to exfiltrate data
Before you start
Steps
XXE injection
Testing for XXE injection vulnerabilities
Steps
Scanning for XXE vulnerabilities
Manually testing for XXE vulnerabilities
Testing for blind XXE injection vulnerabilities
Steps
Scanning for blind XXE injection vulnerabilities
Manually testing for blind XXE injection vulnerabilities
Testing for directory traversal vulnerabilities
Steps
Scanning for directory traversal vulnerabilities
Fuzzing for directory traversal vulnerabilities
Testing for clickjacking
Steps
Testing for SSRF vulnerabilities
Testing for SSRF
Steps
Testing for blind SSRF
Steps
Testing for WebSocket vulnerabilities
Manipulating WebSocket messages
Steps
Manipulating WebSocket handshakes
Steps
Working with GraphQL in Burp Suite
Viewing and modifying GraphQL requests
Accessing GraphQL API schemas using introspection
Complementing manual testing with Burp Scanner
Scanning specific requests
Scanning user-defined insertion points
Scanning a single insertion point
Scanning multiple insertion points
Scanning non-standard data structures
Store HTTP traffic for review
HTTP/2
Background concepts
Default protocol
Keeping track of which protocol you're using
Changing the protocol for a request
Kettled requests
What can cause a request to become kettled?
Unkettling a request
Kettled requests and extensions
HTTP/2 settings
Changing the default protocol
Repeater options for HTTP/2
Enforce protocol choice on cross-domain redirections
Enable HTTP/2 connection reuse
Strip Connection header over HTTP/2
Allow HTTP/2 ALPN override
Disabling HTTP/2 for proxy listeners
Upcoming enhancements for HTTP/2 in Burp
Increased support for kettled requests
Normalization
What normalization is performed?
Why can't I move the Host header?
Sending requests without any normalization
Performing HTTP/2-exclusive attacks
Injecting newlines into headers
HTTP/2 basics for Burp users
Binary protocol
Frames
Message length
Header capitalization
Pseudo-headers
External browser configuration
Check proxy listener is active
Configuring Chrome to work with Burp Suite - Windows
Configuring Chrome to work with Burp Suite - MacOS
Firefox
Safari
Check your browser configuration
Installing Burp's CA certificate
Installing Burp's CA certificate on a mobile device
Why do I need to install Burp's CA certificate?
In-browser interface
Chrome
Removing Burp's CA certificate from Firefox
Chrome
Installing Burp's CA certificate in Chrome - Windows
Removing the CA certificate from Windows
Installing Burp's CA certificate in Chrome - Linux
Removing the Burp Suite CA certificate
Installing Burp's CA certificate in Chrome - MacOS
Removing the Burp Suite CA certificate
Chrome
Removing Burp's CA certificate from Safari
Troubleshooting
Check that Burp is running
Check your proxy listener is active
Try a different port
What next?
Mobile testing
Configuring a mobile device
Troubleshooting for mobile devices
I can't access HTTPS URLs on iOS even after installing Burp's CA certificate
Configuring an iOS device to work with Burp Suite Professional
Step 1: Configure the Burp Proxy listener
Step 2: Configure your device to use the proxy
Step 3: Install a CA certificate on your iOS device
Step 4: Test the configuration
Configuring an Android device to work with Burp Suite Professional
Step 1: Configure a dedicated proxy listener in Burp
Step 2: Configure your device to proxy traffic through Burp
Step 3: Add Burp's CA certificate to your device's trust store
Step 4: Test the configuration
Extensions
Installing extensions
Installing extensions from the BApp Store
Requirements
Installing Jython or JRuby
Installing an extension from a file
Managing extensions
Monitoring system impact
Cumulative impact of extensions
Viewing requests sent by Burp extensions using Logger
Step 1: Send requests using an extension
Step 2: Go to the Logger tab
Step 3: Filter the log
Step 4: View individual requests
Summary
Creating
Useful resources for extension developers
Handling kettled HTTP/2 requests in extensions
Submitting extensions to the BApp Store
Step 1 - Check the acceptance criteria
Step 2 - Submit your extension
Step 3 - We review your extension
Updating your BApp
BApp Store acceptance criteria
Extender API examples (Legacy)
Bambdas
Creating Bambdas
Saving Bambdas
Loading Bambdas
Troubleshooting Bambdas
Compilation errors
Runtime errors
Submitting Bambdas to the community
Before you submit
Submitting Your Bambda
Review and merge
Project files
Opening an existing project file
Pause Automated Tasks
Trust this project file
Creating project files
Opening a project file
Managing project files
Saving a copy of a project
Saving the Burp Collaborator identifier
Importing project files
Recovering data from corrupted project files
Troubleshooting
Troubleshooting
Troubleshooting performance issues
Optimize memory usage
Disabling extensions
Allocating less memory to Burp
Using a disk-based project
Check the minimum system requirements
Identify potential bottlenecks: CPU, memory, and network
Optimize CPU usage
Disabling pretty printing
Disabling JavaScript analysis
Configuring your scans for performance
Narrowing the scope of your scans
Scanning a single protocol
Optimize network usage
Reducing concurrent scans
Configuring resource pools
Launch from the command line
Checking your Java version
Launching the Burp Suite JAR
Command line arguments
Setting Java options
Creating a user.vmoptions file
Specifying options
Customizing Burp's layout
Customizing Burp's top-level tabs
Arranging top-level tabs
Hiding top-level tabs
Restoring the default top-level tab layout
Customizing Burp's tables
Advanced table customization
Tools
Dashboard
Task list
Launching new tasks
Pausing and resuming running tasks
Disabling traffic capturing for live tasks
Bottom dock
Target
Site map
Accessing the site map
URL view
URL view icons
Contents pane
Requests and responses
Issues pane
Editing the Issues pane
Filtering the site map
Settings mode
Bambda mode
Site map annotations
Workflow tools
Add to scope / Remove from scope
Send to
Scan
Show response in browser
Record an issue
Request in browser
Engagement tools
Compare site maps
Add notes / Highlight
Expand / collapse branch / requested items
Delete items
Copy URLs
Copy as curl command
Copy links
Save items
Show new site map window
Site map layout
Contents and issues layout
Request and response layout
Adding a new site map window
Getting started
Tutorial
Step 1: Access the lab
Step 2: Go to the site map
Step 3: Update the site map
Step 4: Filter the displayed information
Step 5: Set the target scope using the site map
Filtering the site map with Bambdas
Example Bambda
Converting site map filter settings to Bambdas
Comparing site maps
Site map sources
Request matching
Response comparison
Comparison results
Viewing comparison results
Interpreting comparison results
Scope
URL-matching rules
Normal scope control
Advanced scope control
Crawl paths
Accessing the Crawl paths view tab
Viewing crawl paths
Example crawl path
Viewing HTTP requests
Viewing issues
Viewing outlinks
Manual Application mapping
Reviewing unrequested items
Analyzing the attack surface
Issue definitions
Burp's browser
Manual testing with Burp's browser
Scanning websites with Burp's browser
Health check for Burp's browser
Burp Proxy
Proxy intercept
Getting started
Controls
Intercepted messages table
Adding annotations
Message display
Protocol
HTTP history
Changing the HTTP history layout
Viewing a request
Adding a custom column
Filter settings
Settings mode
Bambda mode
Adding annotations
Bambdas
Example Bambda
Converting HTTP history filter settings to Bambdas
WebSockets history
Changing the WebSockets history layout
Viewing a request
Adding a custom column
Filter settings
Settings mode
Bambda mode
Adding annotations
Bambdas
Example Bambda
Converting filter settings to Bambdas
Match and replace
Adding a match and replace rule
Settings mode
Bambda mode
Testing HTTP match and replace rules
Using regex syntax
Matching multi-line regions
Using regex groups in back-references and replacement strings
Managing CA certificates
Exporting and importing the CA certificate
Creating a custom CA certificate
Invisible proxying
Intruder
Getting started
Tutorial
Step 1: Access the lab
Step 2: Try to log in
Step 3: Set the payload position
Step 4: Select an attack type
Step 5: Add the payloads
Step 6: Start the attack
Step 7: Look for any irregular responses
Step 8: Study the response
What next?
Learn more about Burp Intruder
Configure attack
Positions
Attack types
Sniper attack
Battering ram attack
Pitchfork attack
Cluster bomb attack
Payload types
Payload configuration
Simple list
Runtime file
Custom iterator
Character substitution
Case modification
Recursive grep
Illegal Unicode
Character blocks
Numbers
Dates
Brute forcer
Null payloads
Character frobber
Bit flipper
Username generator
ECB block shuffler
Extension-generated
Copy other payload
Collaborator payloads
Payload lists
Using predefined payload lists
Placeholders
Processing placeholders
Processing
Configuring processing rules
Types of processing rules
Configuring payload encoding
Resource pools
Creating resource pools
Resource pool settings
Moving tasks between resource pools
Settings
Save attack
Request headers
Error handling
Attack results
Auto-pause attack
Grep - match
Grep - extract
Grep - payloads
Redirections
HTTP/1 connection reuse
HTTP version
Managing tabs
Results
Editing attacks
Saving results
Closing attacks
Viewing results
Viewing a request
Analyzing results
Filtering results
Capture filter
Capture filter settings
Managing the capture filter settings
View filter
View filter settings
Managing the view filter settings
Workflow
Add payload position
Clear payload positions
Scan
Send to...
Show response in browser
Record an issue
Request in browser
Generate CSRF PoC
Add to site map
Request item again
Define extract grep from response
Copy as curl command
Add comment
Highlight
Copy links
Save item
Uses
Enumerating identifiers
Step 1: Find a request
Step 2: Set a payload position
Step 3: Set a payload type
Step 4: Analyze the results
Use cases
Harvesting data
Step 1: Find a request
Step 2: Set a payload position
Step 3: Set a payload type
Step 4: Set an extract grep
Step 5: Analyze the results
Use cases
Fuzzing
Step 1: Set the payload positions
Step 2: Set the payload type
Step 3: Set the match grep
Step 4: Analyze the results
Repeater
Working with HTTP messages
HTTP Repeater tab
Adding notes for HTTP Repeater tabs
Sending grouped HTTP requests
Sending requests in sequence
Sending over a single connection
Sending over separate connections
Send in sequence prerequisites
Sending requests in parallel
Send in parallel prerequisites
Working with WebSocket messages
WebSocket Repeater tab
Managing tabs
Tab groups
Managing tab groups
Creating a new tab group
Editing existing groups
Closing tab groups
Configuring tab-specific settings
Sequencer
Getting started
Token sample
Configuring a live capture of tokens
Selecting a token location
Manually loading tokens
Live capture
Results
Summary
Overall result
Effective entropy
Reliability
Sample
Analysis result tabs
Individual tests
Character set
Bit conversion
Analysis settings tab
Tests
How the tests work
Character-level tests
Character count analysis
Character transition analysis
Bit-level analysis
FIPS test results
FIPS monobit test
FIPS poker test
FIPS runs test
FIPS long runs test
Spectral tests
Correlation test
Compression test
Decoder
Carrying out transformations
Operations
Comparer
Carrying out comparisons
Controls
Results
Logger
Getting started with Logger
Step 1: Access the lab
Step 2: View requests on the Logger tab
Step 3: Audit a request with Burp Scanner
Step 4: Examine the requests made by Burp Scanner
Step 5: Filter the log
Step 6: Disable and clear the Logger history
Learn more about Logger
Working with Logger entries
Viewing log entries
Adding a custom column
Example Bambda
Viewing requests and responses
Filtering Logger entries
Capture filter
View filter
Annotating log entries
Logger workflow tools
Logger capture filter
Settings mode
Capture limit
Capture by request type
Capture by MIME type
Capture by status code
Capture by tool
Capture by search term
Session handling
Limit request/response size
Bambda mode
Converting filter settings to Bambdas
Logger view filter
Settings mode
Filter by request type
Filter by MIME type
Filter by status code
Filter by tool
Filter by search term
Filter by file extension
Filter by annotation
Bambda mode
Example Bambda
Converting filter settings to Bambdas
Task Logger
Inspector
Configuring the Inspector layout
Request attributes
Viewing HTTP message data in the Inspector
Automatic decoding
HTTP/2 headers and pseudo-headers
Selecting a substring
Modifying requests
Adding new items to a request
Removing items from a request
Reordering items in a request
Editing the name or value of an item
Injecting newlines
Injecting other non-printing characters
Copying items from the Inspector
Getting started with the Inspector
Tutorial
Step 1: Access the lab
Step 2: Log in to a user account
Step 3: Use the Inspector to examine the request
Step 4: Use the Inspector to edit the cookie
Step 5: Using the selection widget
Learn more about the Inspector
Collaborator
Generating payloads
Viewing results
Exporting results
Getting started
Step 1: Access the lab
Step 2: Browse the target site
Step 3: Send an interesting request to Repeater
Step 4: Inject a Collaborator payload into the request
Step 5: Poll for interactions
Summary
What next?
DOM Invader
Key features
Testing for DOM XSS
Injecting a canary
Injecting a canary into multiple sources
Identifying controllable sinks
Determining the XSS context
Studying the client-side code
Testing for DOM XSS using web messages
Enabling web message interception
Identifying interesting web messages
Automated web message analysis
Message details
Origin accessed
Data accessed
Source accessed
Replaying web messages
Generating a proof of concept
Testing for client-side prototype pollution
Enabling prototype pollution
Detecting sources for prototype pollution
Manually confirming sources for prototype pollution
Scanning for prototype pollution gadgets
Generating a proof-of-concept exploit
Testing for DOM clobbering
Enabling DOM clobbering
Enabling DOM Invader
Settings
Main
Enable DOM Invader
Postmessage interception
Customizing sources and sinks
Attack types
Prototype pollution
DOM clobbering
Web message settings
Postmessage origin spoofing
Canary injection into intercepted messages
Filter messages with duplicate values
Generate automated messages
Detect cross-domain leaks
Prototype pollution settings
Scan for gadgets
Auto-scale amount of properties per frame
Scan nested properties
Query string injection
Hash injection
JSON injection
Verify onload
Remove CSP header
Remove X-Frame-Options header
Scan each technique in separate frame
Disabling prototype pollution techniques
Misc
Message filtering by stack trace
Auto-fire events
Redirection prevention
Add breakpoint before redirect
Inject canary into all sources
Configuring callbacks
Remove Permissions-Policy header
Canary
Copying the canary
Changing the canary
Clickbandit
Setting up Burp Clickbandit
Running an attack
Reviewing an attack
Message editor
Message analysis toolbar
Raw tab
Pretty tab
Hex tab
Render tab
GraphQL tab
Additional tabs
Extension-specific tabs
Actions menu
Other ways of using the message editor
HTTP/2 messages in the message editor
Context-specific actions
Record an issue
Text editor
Syntax analysis
Pretty printing
Uninteresting headers
Line-wrapping
Non-printing characters
Text editor hotkeys
Quick search
Engagement tools
Content discovery
Control tab
Config tab
Target
Filenames
File extensions
Discovery engine
Site map tab
Target analyzer
Generate CSRF PoC
CSRF PoC options
Manual testing simulator
Search
Text search
Find comments and scripts
Find references
Infiltrator
How Burp Infiltrator works
Installing Burp Infiltrator
Non-interactive installation
Configuration options
Organizer
Sending messages to Organizer
Organizer table
Viewing HTTP messages
Annotating items
Filtering items
Context menu
Menu options
Filter settings
Filter settings
Managing the filter settings
Settings
User and project settings
Finding settings
Managing settings
Settings pages
Key settings
Target scope
Platform-level authentication
Session handling rules and macros
Schedule tasks
HTTP message appearance
Tools
Proxy
Proxy listeners
Binding
Request handling
Certificate
TLS Protocols
HTTP
Request and response interception rules
Adding an interception rule
Modifying intercepted messages
WebSocket interception rules
Response modification rules
HTTP and WebSocket match and replace rules
TLS pass through
Adding TLS passthrough targets
Applying TLS passthrough to out-of-scope items
Default Proxy history message display
Proxy history logging
Default Proxy interception state
Miscellaneous
Intruder
Default Intruder side panel layout
Automatic payload placement
New tab configuration
Behavior when closing result windows
Payload list location
Repeater
Connections
Message modification
Redirects
Follow redirects
Process cookies in redirects
Use selected protocol for cross-domain redirects
Default tab group
Tab view
Sequencer
Live capture
Token handling
Token analysis
Burp's browser
Browser data
Browser running
Project
Scope
Target scope
Out-of-scope request handling
Collaborator
Tasks
Resource pools
New task auto-start
Schedule tasks
Automatic backup
Logging
Sessions
Session handling overview
Session handling rules
Session handling tracer
Cookie jar
Macros
Session handling rule editor
Rule description
Rule actions
Use cookies from the session handling cookie jar
Set a specific cookie or parameter value
Check session is valid
Make requests to validate session
Inspect responses to determine session validity
Define behavior dependent on session validity
Run a macro to obtain a new valid session
Prompt for in-browser session recovery
Run a post-request macro
Invoke a Burp extension
Set a specific header value
Tools scope
URL scope
Parameter scope
Macros
Record macro
Configure item
Parameter handling
Custom parameter locations in response
Re-analyze macro
Test macro
Network
Connections
Platform authentication
Timeouts
Upstream proxy servers
SOCKS proxy
TLS
TLS negotiation
Client TLS certificates
Server TLS certificates
Java TLS settings
HTTP
Allowed redirect types
Streaming responses
Status 100 response handling
HTTP/1
HTTP/2
DNS
Preferred IP version for DNS resolution
Hostname resolution overrides
UI
Side panel
Default side panel layout
Inspector widgets
Message editor
Message editor request and response views
HTTP message display
Character sets
HTML rendering
HTTP message search
Uninteresting headers
Hotkeys
Display
Appearance
Learn tab display
Scaling
Suite
REST API
Enabling the REST API
Service URL
API key
Updates
Becoming an early adopter
Performance feedback
Logging exceptions to a local directory
Temporary files location
Startup behavior
Automated tasks on startup
Untrusted project files
Maximum Java memory usage
Shutdown behavior
Shutdown confirmation
Extensions
Startup behavior
Java environment
Python environment
Ruby environment
Configuration library
Adding a custom configuration
Configuration files
Response extraction rules
Dastardly
Scanning
Scan length limit
Results
Build failures
Integrating Dastardly with your existing CI/CD platform
Dastardly system and network requirements
Troubleshooting Dastardly
Jenkins
Jenkins server requirements
Configuring the Jenkins pipeline
Creating the Jenkinsfile
Viewing Dastardly scan results in Jenkins
GitHub Actions
TeamCity
TeamCity agent requirements
Creating the settings file
Configuring the TeamCity pipeline
Viewing Dastardly scan results in TeamCity
Platform independent
Dastardly scan results
FAQs
Authentication
Browser sandbox
Scanning APIs
Scanner
How do scans work?
Crawling
Core approach
Session handling
Detecting changes in application state
Authenticated scanning
Application login credentials
Crawling volatile content
Crawling with Burp's browser
Viewing crawl paths
Auditing
Audit phases
Issue types found
Insertion points
Encoding data within insertion points
Nested insertion points
Modifying parameter locations
Audit prioritization
Interest level
Attack surface exposure
Prioritization process
Automatic session handling
Avoiding duplication
Consolidation of frequently occurring passive issues
Handling of frequently occurring insertion points
JavaScript analysis
Handling application errors
Scan configurations
Preset scan modes
Setting preset scan modes for folders
Custom scan configurations
Scan configuration structure
Combining custom configurations
Setting scan configurations for folders
Built-in configurations
Audit checks - all except JavaScript analysis
Audit checks - all except time-based detection methods
Audit checks - BChecks only
Audit checks - critical issues only
Audit checks - extensions only
Audit checks - light active
Audit checks - medium active
Audit checks - passive
Audit coverage - maximum
Audit coverage - thorough
Crawl and Audit - Balanced
Crawl and Audit - CICD optimized
Crawl and Audit - Deep
Crawl and Audit - Fast
Crawl and Audit - Lightweight
Crawl limit - 10 minutes
Crawl limit - 30 minutes
Crawl limit - 60 minutes
Crawl strategy - faster
Crawl strategy - fastest
Crawl strategy - more complete
Crawl strategy - most complete
Minimize false negatives
Minimize false positives
Never stop audit due to application errors
Never stop crawl due to application errors
Audit options
Audit optimization
Issues reported
Handling application errors during audit
Insertion point types
Modifying parameter locations
Ignored insertion points
Frequently occurring insertion points
Misc insertion point options
Nested insertion points
JavaScript analysis options
Audit project option overrides
Crawl options
Crawl optimization
Crawl strategy
Crawl limits
Login functions
Handling application errors during crawl
Crawl project option overrides
Miscellaneous crawl settings
Burp's browser options
Browser-powered scanning
Use cases for browser-powered scanning
Authenticated scanning
Login credentials
How does Burp Scanner use login credentials?
Login settings
Identifying login and registration forms
Why is Burp Scanner not filling in my login forms?
Recorded login sequences
Using recorded login sequences
Best practice for recording login sequences
Limitations of recorded login sequences
Tips for recording successful login sequences
Troubleshooting recorded login sequences for Burp Suite Enterprise Edition
Recording login sequences
Preparing the Burp Suite Navigation Recorder extension
Using the extension without incognito mode
Recording a login sequence
Adding recorded login sequences to Burp
Troubleshooting recorded login sequences
Requirements for API scanning
Starting an API scan
Incidental API scanning
API definition requirements
API endpoint requirements (OpenAPI only)
Endpoint testing rules
Crawling GraphQL APIs
Scanning single-page apps
Configuring scans of SPAs
Crawl strategy
Routing fragments
Non-standard clickable elements
Burp Scanner error reference
Burp Scanner errors in Burp Suite Professional
Burp Scanner errors in Burp Suite Enterprise Edition
Vulnerabilities list
BCheck definitions
Managing BChecks in Burp Suite Professional
Managing BChecks in Burp Suite Enterprise Edition
BCheck definition reference
Metadata
Control flow
Conditionals
Actions
Issue naming
Issue consolidation
Reserved variables
Functions
Combining functions
Misc
Strings
Character escaping
Regex
Comments
Special characters
BCheck structure
Worked examples
In this section
Example host check
Step 1: Add metadata
Step 2: Configure potential paths
Step 3: Configure the request
Step 4: Report issues
Example path check
Step 1: Add metadata
Step 2: Configure file extensions
Step 3: Configure the request
Step 4: Report issues
Example passive check
Step 1: Add metadata
Step 2: Add a string for the check to match
Step 3: Report the issue
Test this BCheck
Example insertion point check
Step 1: Add metadata
Step 2: Define the calculation
Step 3: Send the request
Step 4: Report issues
Example Collaborator-based check
Step 1: Add metadata
Step 2: Configure the request
Step 3: Analyze the results
Test this BCheck
Example Log4Shell check
Step 1: Add metadata
Step 2: Declare variables
Step 3: Send the request
Step 4: Send a follow-up request
Step 5: Report issues
Example server-side prototype pollution check
Step 1: Add metadata
Step 2: Declare variables
Step 3: Attempt to inject SSPP
Step 4: Force an error to check for SSPP
Step 5: Evaluate results and send follow-up request
Step 6: Do a second check for SSPP
Step 7: Report issues
Test this BCheck
Submitting BChecks to the community
Step 1 - Check the submission guidelines
Step 2 - Make a pull request
Step 3 - We review your BCheck
Burp Collaborator
Uses
External service interaction
Out-of-band resource load
Blind SQL injection
Blind cross-site scripting
Server
Private or public server
Deploying a private server
General setup
Setting up the domain and DNS records
Setting up the ports and firewall
Setting up your server resources
Setting up the configuration file
Launching the Collaborator server
Health check and troubleshooting
Basic setup
Example configuration file
Configuration file fields
Alternative configuration fields:
Configuring your private server
Configure TLS certificates
Add a polling interface
Use CNAME settings
Truncate interaction messages
Collect usage metrics
Log interaction information
Add custom HTTP content
Add custom DNS records
Troubleshooting
Collaborator health check
Server domain resolution
Data security
Data storage
Data retrieval
Collaborator-based email addresses
Contents
Results