Burp Suite’s scan profiles are not just about choosing what to scan for; they’re about how you want to scan, letting you tailor the aggression, scope, and even the type of tests Burp runs against a target.
Let’s see this in action. Imagine you’re testing a small, internal API that you know is pretty stable. You don’t want to hammer it with every possible attack vector, and you’re primarily concerned with common injection flaws and broken authentication.
Here’s a simplified scan_profile.json you might create:
{
  "name": "Internal API - Quick Scan",
  "description": "Focuses on common injections and auth flaws for internal APIs.",
  "insertion_points": {
    "all": true,
    "parameters": {
      "all": true,
      "values": []
    },
    "headers": {
      "all": true,
      "values": []
    },
    "body": {
      "all": true,
      "values": []
    },
    "cookies": {
      "all": true,
      "values": []
    }
  },
  "attacks": {
    "audit_issues": [
      "SQL injection",
      "Cross-site scripting",
      "Command injection",
      "XML external entity injection",
      "Server-side request forgery"
    ],
    "audit_attack_strategies": [
      "attack_sql_injection",
      "attack_xss",
      "attack_command_injection",
      "attack_ssrf",
      "attack_xml_entity_injection"
    ],
    "audit_insertion_point_strategies": [
      "insertion_point_body_parameters",
      "insertion_point_url_parameters",
      "insertion_point_cookies",
      "insertion_point_headers"
    ]
  },
  "scan_speed": "normal",
  "scan_accuracy": "normal",
  "threads_per_host": 20,
  "time_limit": 3600
}
This profile narrows Burp's automated scanning. Instead of running every audit check Burp knows, it asks for SQL injection, XSS, command injection, SSRF and XXE only, and it injects into all the standard locations: URL parameters, request bodies, cookies and headers. Note that nothing in audit_issues covers the broken-authentication concern mentioned in the description; those checks would have to be added before the profile does what its name promises. threads_per_host is capped at 20, which is still a fair amount of concurrency for a small internal service, so lower it if the API is fragile or rate limited, and time_limit (3600, an hour if the value is in seconds) ensures the scan cannot run indefinitely.
The real power comes from understanding what each section controls. insertion_points dictates where Burp tries to inject test data. attacks is the core: audit_issues lists the vulnerability classes you want reported, and audit_attack_strategies and audit_insertion_point_strategies map those issues to the specific testing techniques and locations Burp uses. scan_speed and scan_accuracy are high-level dials: in Burp, speed (fast, normal, thorough) trades request volume against how exhaustively each insertion point is probed, and accuracy (minimize false negatives, normal, minimize false positives) sets how much confirmation Burp needs before it reports an issue.
When you create a custom scan profile, you’re essentially crafting a blueprint for Burp’s active scanner. You’re not just saying "find me XSS"; you’re saying "find me XSS by injecting into these specific locations, using these particular fuzzing techniques, at this level of intensity, and stop after this amount of time." This granular control is what separates a superficial scan from a targeted, efficient assessment.
Look closely at audit_attack_strategies and audit_insertion_point_strategies. In this simplified profile they stand in for the identifiers Burp uses internally to decide how it constructs and sends requests: attack_sql_injection would enable a suite of SQL-specific payloads and response-parsing logic, while insertion_point_body_parameters would tell Burp to target parameters found in the request body. Burp's own exported configuration uses its own key names, so when you write profiles by hand, start from an export rather than typing identifiers from memory; a mistyped identifier may leave a whole class of tests out of the scan without any obvious sign. You can also exclude specific insertion points if you know they are not relevant or are prone to false positives; in this layout, that means turning the section off and making sure the top-level all flag is not still enabling everything.
Scan profiles also interact with Burp's passive scanning. Active scans send crafted requests; passive scans analyze traffic Burp has already seen without altering requests, so they can raise a suspicion but not confirm it. A focused active profile turns those suspicions into confirmed findings. For instance, if passive scanning reports that the value of a request header is reflected into a response, you can create an active profile that enables only the XSS checks and only header insertion points, so Burp sends a small number of targeted payloads at that location instead of re-auditing the whole application.
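To make the consistency rules above concrete, here is an added example (my code, not from the page or from PortSwigger) that checks a profile written in the simplified layout used on this page and derives the narrowed "confirm header reflection" profile just described. The layout itself, the two lookup tables that tie issues and insertion-point strategies to profile sections, and the MAX_* caps are assumptions made for the example; Burp's own exported configuration uses a different schema.

```python
"""Check and derive scan profiles in the simplified layout used on this page.

Added example, not code from the page or from PortSwigger. The layout,
the two lookup tables and the MAX_* caps are assumptions for this example.
"""
import copy
import json

# Assumed: the attack strategy each audit_issues entry relies on.
ISSUE_TO_STRATEGY = {
    "SQL injection": "attack_sql_injection",
    "Cross-site scripting": "attack_xss",
    "Command injection": "attack_command_injection",
    "XML external entity injection": "attack_xml_entity_injection",
    "Server-side request forgery": "attack_ssrf",
}
# Assumed: the insertion_points section each insertion-point strategy reads.
STRATEGY_TO_SECTION = {
    "insertion_point_url_parameters": "parameters",
    "insertion_point_body_parameters": "body",
    "insertion_point_cookies": "cookies",
    "insertion_point_headers": "headers",
}
MAX_THREADS = 20        # assumed team ceiling for small internal services
MAX_TIME_LIMIT = 14400  # assumed ceiling, treating time_limit as seconds

# The profile from the page, embedded so the example runs offline.
PROFILE_JSON = """{
  "name": "Internal API - Quick Scan",
  "description": "Focuses on common injections and auth flaws for internal APIs.",
  "insertion_points": {"all": true,
    "parameters": {"all": true, "values": []}, "headers": {"all": true, "values": []},
    "body": {"all": true, "values": []}, "cookies": {"all": true, "values": []}},
  "attacks": {
    "audit_issues": ["SQL injection", "Cross-site scripting", "Command injection",
                     "XML external entity injection", "Server-side request forgery"],
    "audit_attack_strategies": ["attack_sql_injection", "attack_xss", "attack_command_injection",
                                "attack_ssrf", "attack_xml_entity_injection"],
    "audit_insertion_point_strategies": ["insertion_point_body_parameters",
        "insertion_point_url_parameters", "insertion_point_cookies", "insertion_point_headers"]
  },
  "scan_speed": "normal", "scan_accuracy": "normal",
  "threads_per_host": 20, "time_limit": 3600
}"""


def load_profile(text):
    """Parse a profile; each call returns an independent dict."""
    return json.loads(text)


def _section_enabled(insertion_points, section):
    """A section is live if it is 'all' or names specific values."""
    cfg = insertion_points.get(section, {})
    return bool(cfg.get("all")) or bool(cfg.get("values"))


def validate_profile(profile):
    """Return a list of problems; an empty list means the profile is consistent."""
    problems = []
    attacks = profile.get("attacks", {})
    issues = attacks.get("audit_issues", [])
    strategies = set(attacks.get("audit_attack_strategies", []))
    wanted = {ISSUE_TO_STRATEGY[i] for i in issues if i in ISSUE_TO_STRATEGY}
    # Issues and attack strategies must describe the same set of tests.
    problems += [f"unknown issue {i!r}" for i in issues if i not in ISSUE_TO_STRATEGY]
    problems += [f"{s!r} needed by audit_issues but not enabled" for s in sorted(wanted - strategies)]
    problems += [f"{s!r} enabled but its issue is not in audit_issues" for s in sorted(strategies - wanted)]
    # Each insertion-point strategy must have a populated section behind it.
    ip = profile.get("insertion_points", {})
    disabled = [s for s in STRATEGY_TO_SECTION.values() if not _section_enabled(ip, s)]
    for strat in attacks.get("audit_insertion_point_strategies", []):
        section = STRATEGY_TO_SECTION.get(strat)
        if section is None:
            problems.append(f"unknown insertion-point strategy {strat!r}")
        elif section in disabled:
            problems.append(f"{strat!r} enabled but insertion_points.{section} is empty")
    if ip.get("all") and disabled:  # top-level 'all' silently re-enables excluded sections
        problems.append("insertion_points.all overrides disabled sections: " + ", ".join(disabled))
    # Resource caps so a "quick scan" stays quick.
    threads, limit = profile.get("threads_per_host", 0), profile.get("time_limit", 0)
    if not 1 <= threads <= MAX_THREADS:
        problems.append(f"threads_per_host={threads} outside 1..{MAX_THREADS}")
    if not 1 <= limit <= MAX_TIME_LIMIT:
        problems.append(f"time_limit={limit} outside 1..{MAX_TIME_LIMIT}")
    return problems


def narrow_profile(profile, name, issues, keep_sections):
    """Derive a focused profile that tests only `issues` in `keep_sections`."""
    derived = copy.deepcopy(profile)
    derived["name"] = name
    derived["attacks"]["audit_issues"] = list(issues)
    derived["attacks"]["audit_attack_strategies"] = [ISSUE_TO_STRATEGY[i] for i in issues]
    derived["attacks"]["audit_insertion_point_strategies"] = [
        s for s, sec in STRATEGY_TO_SECTION.items() if sec in keep_sections]
    ip = derived["insertion_points"]
    ip["all"] = False  # otherwise the exclusions below would be overridden
    for section in STRATEGY_TO_SECTION.values():
        if section not in keep_sections:
            ip[section] = {"all": False, "values": []}
    return derived


if __name__ == "__main__":
    base = load_profile(PROFILE_JSON)
    print("base profile problems:", validate_profile(base) or "none")
    confirm = narrow_profile(base, "Confirm header reflection", ["Cross-site scripting"], {"headers"})
    print(json.dumps(confirm, indent=2))
```

Run it as a script and it prints the derived header-only XSS profile. The interesting check is the one for the top-level all flag: disabling a section while all is still true is the easiest way to believe you excluded an insertion point when you did not, and the validator reports both the stale strategy and the overriding flag.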
You can import and export these profiles as JSON files, which makes it easy to share them with your team or reuse them across projects. Keeping them in version control next to the engagement notes also makes any change in scan scope reviewable.
The next step after defining detailed scan profiles is understanding how to leverage Burp’s event handlers to automate responses to these scans.