Using custom scan configurations in Burp Suite Professional

Scan configurations are collections of settings that define how a scan is performed. You can create and use custom scan configurations for both web application and API scans, giving you fine-grained control over Burp Scanner's behavior.

You can use custom configurations in several ways:

• Use one of the configurations from the configuration library.
• Create an entirely new configuration.
• Import a configuration from another installation of Burp.

You can select multiple configurations for a single task. Burp applies the selected configurations in order. This enables you to fine-tune scanning behavior. To move the configurations, use the Up and Down buttons. You can also Edit and Delete any configuration.

Using a configuration from the library

To load a configuration from the configuration library, click Select from library then choose your configuration. You can filter by Built-in and Custom configurations.

• Built-in configurations - Burp's predefined configurations.
• Custom configurations - Configurations that you have created from scratch.

Creating a new configuration

To create a new scan configuration:

1. Click New and select either Crawling or Auditing.
2. Enter a unique Configuration name.
3. Expand the sections on the page to edit the settings for the configuration. The dialog shows settings relevant to the chosen function.
4. To add your new configuration to the configuration library, select Save to library.
5. Click Save.

Importing a configuration

To import a configuration, click Import and select a JSON configuration file. This enables you to use scan configurations that you have exported from another installation of Burp.

Combining custom scan configurations in Burp Suite Professional

Both Burp Suite Enterprise Edition and Burp Suite Professional enable you to combine configurations together. This includes the built-in custom configurations, and any custom configurations that you create. Combining configurations enables you to tune Burp Scanner's behavior for certain sites and use cases.

Your selected configurations are added to a list. Burp Scanner works down the list of configurations, applying settings in list order. Settings at the bottom of the list take precedence.

If you edit one setting in a collapsible section, then all of the settings in that section override all of the settings in the equivalent section from configurations higher in the list.

For example, if your bottom configuration edits the Audit speed setting from the Audit Optimization section, then Burp Scanner uses all of the Audit Optimization settings from that configuration.

This table shows a part of three selected configurations, which combine with each other when the site is scanned. The edited sections are different for each configuration.

The configurations combine as follows:

• All three configurations have edited settings in the Crawl Optimization section. Burp Scanner takes its Crawl Optimization settings from Config 3, as this is at the bottom of the list.
• Only Config 1 has edited settings in the Crawl Limits section, so Burp Scanner uses these settings.
• Both Config 1 and Config 2 have edited settings in the Login Functions section. Burp Scanner takes its Login Functions settings from Config 2, as this is lower in the list.