Security research, news and guidance

Burp Suite Tutorial – Scanner Tool

May 20, 2010  |  Written by Security Ninja  |   Application Security   |   8 Comments

Hi everyone,

I’m writing my final Burp Suite tutorial blog post today! This blog post will explain how to use the Scanner tool in the suite, to see tutorials for other Burp Suite tools please visit the links below:

Intruder tool

Repeater and Comparer tools

Sequencer tool

I’m going to be using the Damn Vulnerable Web Application again today to demonstrate the Scanner tool.

What is the Scanner tool?

The Burp Suite is a collection of tools for web application security testing which includes the Scanner tool (description taken from the Port Swigger website):

Scanner: Burp Scanner is a tool for performing automated discovery of security vulnerabilities in web applications. It is designed to be used by penetration testers, and to fit in closely with your existing techniques and methodologies for performing manual and semi-automated penetration tests of web applications.

Enabling the Burp Suite Proxy

To begin using the Burp Suite to test the Damn Vulnerable Web Application we must configure our web browser to use the Burp Suite as a proxy. The Burp Suite proxy will use port 8080 by default but you can change this if you want to.

You can see in the image below that I have configured Firefox to use the Burp Suite proxy for all traffic.

FF PRoxy

When you open the Burp Suite proxy tool and check that the proxy is running by clicking on the options tab:

Burp1

You can see that the proxy is using the default port:

Burp2

The proxy is now running and ready to use. You can see that the proxy options tab has quite a few items that we can configure to meet our testing needs. A lot of these items are out side of the scope of this tutorial.

The Burp Suite will now begin logging the requests and responses that pass through the proxy. I have browsed to the DVWA homepage and the Burp Suite proxy has captured the request and response:

Burp1

The Scanner tool will passively scan all traffic by default and we can see that it has already noticed that our password will be submitted in the clear:

Burp2

As with just about everything in the Burp Suite you can change this default behaviour by clicking on the live scanning tab.

Burp3

As you can see in the image above the Scanner tool will passively scan every request and response it sees. It won’t send any additional requests or try to exploit specific vulnerabilities such as SQL Injection until you tell it to. The Scanner tool can be configured to actively scan everything by default which means every web site you visit will be scanned.

The Scanner tool can also be configured to restrict its scanning (both active and passive) to the overall suite scope or a custom scope defined just for the Scanner tool.

The suite scope can be found by clicking on the target tab and then clicking on the scope tab. You can see that we currently have nothing in the suite scope:

Burp4

I want to scan the Damn Vulnerable Web Application in this tutorial so I need to add it to the scope. To add a site to the suite scope you need to click on the site map tab and right click the site you wish to add to the scope:

Burp5

The site will now be included in the suite scope:

Burp6

If you wanted to define a custom scope for the Scanner tool you can do that by clicking the use custom scope radio button on the live scanning tab:

Burp7

I have defined a custom scope for the active scanner as you can see below:

Burp8

We could start scanning the Damn Vulnerable Web Application now but let’s explore the Scanner tool options first.

The Scanner tool can be used without changing of the default options but you should always try to configure the options to optimise your scanning, don’t just point and click!

Burp9

Burp10

The attack insertion points will tell the Scanner tool where it should try to attack inputs. The Scanner tool can insert into seven different locations as you can see in the images above, the locations are explained below (descriptions taken from the Port Swigger website):

  • The values of URL, body and cookie parameters.
  • Parameter name – if selected, Burp adds an additional parameter to the request and places attacks into the name of this parameter, often detecting unusual bugs that are missed if only parameter values are tested.
  • HTTP headers – if selected, Burp places attacks into the User-Agent and Referer headers, often detecting issues like SQL injection or persistent XSS within logging functionality.
  • AMF string parameters – For requests in Action Message Format, Burp places attacks into any string-based data types within the message.
  • REST-style URL parameters – if selected, Burp places attacks into each directory or file name within the path portion of the URL.

The next option is the “use intelligent attack selection” option. This option allows the Scanner tool to perform or omit specific attacks based on the insertion points defined above and the content of the requests it sees (description taken from the Port Swigger website):

You can also tell Burp to use “intelligent attack selection”. This option causes Burp to perform or omit each type of server-side check based on the base value of each attack insertion point. For example, if a parameter’s value contains characters that don’t normally appear in filenames, Burp will skip file path traversal checks for this parameter. Using this option can considerably speed up your scans, with minimal risk of missing actual vulnerabilities that exist.

The next two options allow you to optimize your scanning by skipping server side injection attacks for specific parameters or even skip all testing for some parameters.

The Scanner tool can be configured to use many scanning threads at once or as little as one thread. This is useful if you are seeing poor test performance, timeouts etc because a high amount of threads can overwhelm poorly designed sites.

The final part of the options tab allows you to select the attack types that the scanner will use.

The Scanner tool is now configured to scan the Damn Vulnerable Web Application so let’s start the scan!

To being actively scanning the site you need to right click it in the site map and click on “actively scan this host”:

Burp11

I have used the spider function of the Burp Suite to ensure we are scanning more than just the logon page. The active scanning wizard window will popup when you click on the “actively scan this host” option:

Burp12

The wizard will allow you to remove items from the scan such as duplicate items or any items which have already been scanned.

The next step in the wizard is confirming the items to scan:

Burp13

If you click the “ok” button the active scan will start:

Burp14

Burp15

The results tab is updated dynamically during the scanning if any issues are found. The results of the Damn Vulnerable Web Application scan can be seen below:

Burp16

The results of the Damn Vulnerable Web Application scan shows why you cannot take a “point and click” approach to security testing. This is true regardless of the tool being used. The Scanner tool identified 114 XML Injection issues in the Damn Vulnerable Web Application but they are all false positives. To review a specific issue you can select it from the top right panel on the results tab as you can see below:

Burp17

The request and response can be viewed by clicking on the request and response tabs:

Burp18

Burp19

The Scanner tool added ]]>> to the /dvwa GET request and the response included the some XML. The Scanner tool has highlighted the XML in the response from the Damn Vulnerable Web Application as you can see in the second image above. We can see that this finding is a false positive so the Scanner tool allows us to change the severity and confidence rating of each issue. To change the severity and confidence of a particular issue right click it and click on set severity or set confidence:

Burp29

Burp21

I have changed the severity and confidence for this issue to False Positive and Certain:

Burp22

When you are happy with the issues found you can produce a report from the Scanner tool by right clicking the results in the left hand panel and clicking on “report selected issues”:

Burp23

The reporting wizard will popup and you can choose your reporting format, the level of detail to include in the report and the issue types to include in the report:

Burp24

Burp25

Burp26

Burp27

Burp28

I hope you have found this blog post useful and I’m always interested in hearing any feedback you have.

SN

This entry was posted on May 20, 2010 at 4:21 pm and is filed under Application Security . You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

8 comments   >

  1. Andre Gironda says:

    It’s good to hear that I’m not the only one getting lots of XML injection false positives out of Burp Scanner.

  2. Pingback: Week 20 in Review – 2010 | Infosec Events

  3. Pingback: Week 20 in Review – 2010 | Portable Digital Video Recorder

  4. sriram says:

    HI pal,
    really it is very useful and gave good idea about the tool. Appreciation required for your effort. thanks.

  5. sriram says:

    Hi pal,
    really youdid a great job thanks for that. i got good idea about the tool.

  6. jems says:

    When I run the Burp Suite, my “scanner” tab is grayed out. ? Is this not available in the free edition?

  7. jems says:

    Ignore previous post. I see ‘scanner’ is not part of the Free Edition:

    http://portswigger.net/burp/download.html

  8. Clerkendweller says:

    Ah, that’s where the export report function is. Thanks.

Leave a comment

VIDEOS & SLIDESHARES

Look at our latest security Videos & SlideShares

EVENTS & SEMINARS

Upcoming Security Events & Seminars

PODCASTS & DOWNLOADS

Check out our Podcasts & White Papers