Burp Scanner finds vulnerabilities by behaving like a persistent, automated and exhaustive attacker: it sends the requests a tester would send, at a volume and consistency no tester could sustain.
Let’s see it in action. Imagine we have a simple web app with a known SQL injection flaw.
<!-- Vulnerable parameter: 'id' -->
<a href="/products?id=1">View Product</a>
We point Burp Scanner at http://example.com/products?id=1.
First, Burp’s crawler (older versions called it the spider) maps the site. It follows links, submits forms and records every request that accepts input; those requests are the scanner’s attack surface.
Then the audit starts. For each request it found, the scanner identifies insertion points (the id parameter, but also headers, cookies and body fields) and sends crafted payloads into each one. For our SQL injection example it does not stop at ' OR '1'='1' --; it sends many variants, each chosen so that the response will differ in a predictable way if the input reaches a SQL query. The checks include:
- SQL Injection: sending quote characters, paired true/false conditions (AND 1=1 versus AND 1=2), time-delay functions and out-of-band payloads, then comparing responses for database errors, content differences or delays.
- Cross-Site Scripting (XSS): submitting a marker string and checking whether it is reflected unencoded in a context (HTML body, attribute, script block) where JavaScript would execute, rather than merely checking that the input appears somewhere in the page.
- Command Injection: injecting shell metacharacters and commands, typically confirmed through a time delay or an out-of-band interaction with Burp Collaborator.
- Path Traversal: requesting files outside the web root with ../ sequences and their encoded variants.
- Insecure Direct Object References (IDOR): listed here with a caveat. An automated scanner cannot know which user is entitled to which object, so authorization flaws like IDOR are not something Burp Scanner finds on its own; they need a tester with two accounts, or an extension that replays requests across sessions.
- Server-Side Request Forgery (SSRF): injecting URLs the server should not fetch, such as a unique Burp Collaborator hostname, and watching for the resulting DNS or HTTP interaction from the server.
Burp Scanner does not blindly throw payloads at every parameter. It understands the context of each insertion point (URL, header, cookie, JSON or XML body) and encodes payloads to fit it. It then compares each response against a baseline, looking for error messages, time delays, content changes, status-code changes or out-of-band interactions that indicate the payload was interpreted rather than treated as data. It is like having a penetration tester who never sleeps and has an encyclopedic knowledge of attack vectors, though one who still needs a human to confirm and exploit what it flags.
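To make the analysis phase concrete, here is an added example (not Burp’s code and not from the page) that simulates the scanner’s error-based and boolean-based SQL injection checks in Python against a constructed SQLite-backed stand-in for /products?id=, with the vulnerable handler beside its parameterised fix. The `send` callable stands in for Burp’s HTTP client; the endpoint, data and error signatures are all assumptions, and time-based and out-of-band (Collaborator) checks are left out.

```python
import sqlite3

# Constructed in-memory stand-in for the product database (sample data, not a real app).
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
_db.executemany("INSERT INTO products VALUES (?, ?, ?)",
                [(1, "Widget", 9.99), (2, "Gadget", 19.99), (3, "Gizmo", 4.50)])
_db.commit()


def _render(rows):
    """Turn result rows into the (status, body) pair an HTTP handler would return."""
    return (200, "\n".join("%s %.2f" % row for row in rows)) if rows else (404, "Not found")


def vulnerable_products(id_param):
    """/products?id=... built by string concatenation: the flaw the article describes."""
    try:
        rows = _db.execute(
            "SELECT name, price FROM products WHERE id = '%s'" % id_param).fetchall()
    except sqlite3.Error as exc:
        return 500, "Database error: %s" % exc   # verbose error reaches the client
    return _render(rows)


def fixed_products(id_param):
    """The same endpoint with a parameterised query: the input is data, never SQL."""
    rows = _db.execute("SELECT name, price FROM products WHERE id = ?", (id_param,)).fetchall()
    return _render(rows)


# Fragments of database error messages the analysis phase looks for (assumed list).
SQL_ERROR_SIGNATURES = ("Database error", "unrecognized token", "syntax error",
                        "SQL syntax", "ORA-", "SQLSTATE")


def scan_sqli(send, base_value):
    """Mimic the scanner's analysis phase for a single insertion point.

    `send` stands in for the scanner's HTTP client: it takes the value to put in
    the parameter and returns (status, body). The result is a list of evidence
    strings; an empty list means no SQL injection indicator was observed.
    """
    evidence = []
    base_status, base_body = send(base_value)

    # Error-based: a stray quote breaks the query and the app echoes the DB error.
    status, body = send(base_value + "'")
    if any(sig in body and sig not in base_body for sig in SQL_ERROR_SIGNATURES):
        evidence.append("error-based: stray quote changed status %d -> %d and exposed a DB error"
                        % (base_status, status))

    # Boolean-based: a true condition must reproduce the baseline exactly while a
    # false one must differ; requiring both avoids flagging pages that vary anyway.
    true_resp = send(base_value + "' AND '1'='1")
    false_resp = send(base_value + "' AND '1'='2")
    if true_resp == (base_status, base_body) and false_resp != true_resp:
        evidence.append("boolean-based: AND '1'='1 matches baseline, AND '1'='2 differs")
    return evidence


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_products), ("fixed", fixed_products)):
        print(name, scan_sqli(handler, "1") or ["no SQL injection indicators"])
```

Run against the vulnerable handler both checks fire; against the parameterised handler the quote and the AND clauses are simply a product id that does not exist, the baseline is never reproduced, and nothing is reported. Real Burp checks add time-based and out-of-band payloads for the cases where the application hides both errors and content differences.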
The core problem Burp Scanner solves is scale. Manually testing every endpoint, every parameter and every plausible input for every known vulnerability class is impractical for any team. Burp Scanner automates this tedious but critical work, leaving security teams free to concentrate on the business-logic and authorization flaws that automation cannot find, and on remediation.
Internally, Burp Scanner operates in several phases:
- Discovery: The crawler finds all accessible content and functionality.
- Attack Surface Analysis: It identifies potential injection points (parameters, headers, cookies, JSON/XML bodies).
- Payload Generation: Based on the identified injection points and known vulnerability types, it crafts a massive library of test payloads.
- Execution: It sends these payloads to the target application, often in parallel.
- Analysis: It meticulously analyzes the application’s responses for indicators of vulnerability.
- Reporting: It categorizes, prioritizes, and presents findings in a clear, actionable report.
The real power lies in its configurability and extensibility. You can tune crawl and audit speed, scope and which checks run, and you can write custom active or passive scan checks with Burp’s extension API: the Montoya API for Java and Kotlin, or the legacy Extender API, which also loads Jython and JRuby extensions. This lets you tailor Burp Scanner to your application’s technology stack and security requirements.
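As an added example, not code from the page or from PortSwigger, here is a small Jython extension written against the legacy Extender API (Burp still loads these, though new extensions are expected to use the Montoya API). It registers an active scan check that plants a random canary containing HTML-significant characters in every insertion point and reports inputs that come back verbatim, which is the first question any XSS check has to answer. The burp module only exists inside Burp, so the import fallback lets the classification logic be unit-tested outside it; the issue name, severity and detail wording are assumptions, while 0x08000000 is Burp’s documented issue type for extension-generated issues.

```python
"""Custom active scan check for Burp Scanner (legacy Extender API, loaded via Jython)."""
import random
import string

try:
    from burp import IBurpExtender, IScannerCheck, IScanIssue
except ImportError:
    # Outside Burp (e.g. unit tests of the logic below) the Java interfaces do not exist.
    class IBurpExtender(object): pass
    class IScannerCheck(object): pass
    class IScanIssue(object): pass

SPECIALS = '<>"\''   # characters that must be encoded before they are safe in HTML


def make_canary(rng=random):
    """Random marker wrapped around the special characters, e.g. k3pz9a<>"'a9zp3k."""
    tag = "".join(rng.choice(string.ascii_lowercase + string.digits) for _ in range(6))
    return tag + SPECIALS + tag[::-1]


def classify_reflection(body, canary):
    """'unencoded' if the canary is echoed verbatim, 'altered' if only the marker
    survives (specials encoded or stripped), 'none' if the input is not reflected."""
    if canary in body:
        return "unencoded"
    if canary[:6] in body:
        return "altered"
    return "none"


def html_escape(text):
    """Minimal escaping for text placed in the HTML issue detail."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


class ReflectionIssue(IScanIssue):
    """Finding shown in Burp's issue list; the method names are fixed by IScanIssue."""
    def __init__(self, service, url, messages, param, detail):
        self._service, self._url, self._messages = service, url, messages
        self.param, self._detail = param, detail

    def getUrl(self): return self._url
    def getIssueName(self): return "Unencoded input reflection (canary check)"
    def getIssueType(self): return 0x08000000   # Burp's "extension generated issue" type
    def getSeverity(self): return "Low"
    def getConfidence(self): return "Firm"
    def getIssueBackground(self): return None
    def getRemediationBackground(self): return None
    def getIssueDetail(self): return self._detail
    def getRemediationDetail(self): return None
    def getHttpMessages(self): return self._messages
    def getHttpService(self): return self._service


class BurpExtender(IBurpExtender, IScannerCheck):
    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Canary reflection check (example)")
        callbacks.registerScannerCheck(self)

    def doPassiveScan(self, baseRequestResponse):
        return None   # this check only audits actively

    def doActiveScan(self, baseRequestResponse, insertionPoint):
        canary = make_canary()
        # Burp places and encodes the payload as appropriate for this insertion point.
        request = insertionPoint.buildRequest(self._helpers.stringToBytes(canary))
        rr = self._callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), request)
        if rr.getResponse() is None:
            return None
        body = self._helpers.bytesToString(rr.getResponse())
        if classify_reflection(body, canary) != "unencoded":
            return None
        url = self._helpers.analyzeRequest(baseRequestResponse).getUrl()
        param = insertionPoint.getInsertionPointName()
        detail = ("The payload <b>%s</b> submitted in <b>%s</b> was reflected in the "
                  "response without HTML encoding." % (html_escape(canary), html_escape(param)))
        return [ReflectionIssue(rr.getHttpService(), url, [rr], param, detail)]

    def consolidateDuplicateIssues(self, existingIssue, newIssue):
        # -1 keeps only the existing issue; 0 reports both (another parameter on the same URL).
        same = (str(existingIssue.getUrl()) == str(newIssue.getUrl()) and
                getattr(existingIssue, "param", None) == getattr(newIssue, "param", None))
        return -1 if same else 0
```

Load it through Extender with a Jython standalone jar configured, then run an active scan: every insertion point Burp enumerates gets one extra request, and a hit shows up as a Low-severity issue with the request and response attached. The canary is random per request so a stale cache cannot produce a false positive, and the marker halves let the check tell "reflected but encoded" apart from "not reflected at all".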
One of the most overlooked aspects of Burp Scanner’s effectiveness is how it handles stateful, multi-step functionality. The crawler can log in, keep a session alive, and work through sequences such as checkouts or wizards, so that requests deep inside those flows are audited and each finding comes with the request and response that demonstrate it. What it does not do is chain issues into an exploit: if a scan reports a session-handling weakness and an XSS vulnerability separately, working out that together they give account takeover, and rating the combination accordingly, is the tester’s job.
Scanning is also not a one-off. After you have fixed the SQL injection, re-run the audit: you may well find that Burp Scanner now reports an XSS vulnerability in the product description field, because a fix to one input does nothing for the others.