Home > BurpSuite > How to Scan Websites Using BurpSuite

Web Application Scanning Using Burp Suite

Purpose

This Knowledge Base (KB) article explains how to configure and run a Burp Suite web application scan, including crawling behavior, authentication, auditing configuration, API crawling, JavaScript analysis, resource pools, and auto-throttling.

Scope

This procedure applies to all authorized web application vulnerability assessments using Burp Suite.

Burp Suite Scanning Steps

1. Create a New Scan
   1. Open Burp Suite.
   2. Navigate to the Dashboard and click New Scan.
   3. Select one of the following modes:
      • Crawl and Audit
      • Crawl Only
      • API Scan Only
2. Configure Scan Details
   1. Enter target URLs.
   2. Select protocols (HTTP/HTTPS).
   3. Define scan scope to restrict testing to approved systems.
3. Select Scan Configuration Profile
   • Lightweight
   • Fast
   • Balanced
   • Deep
   • Custom
4. Configure Crawling
   1. Crawling Behaviour
      • Fastest
      • Faster
      • Normal
      • More Complete
      • Most Complete
   2. Crawl Limits
      • Max duration (e.g., 150 minutes)
      • Max locations (e.g., 1500)
      • No fixed request limit (optional)
   3. Login Behaviour
      • Configure authenticated scanning.
      • Define login verification conditions.
      • Enable logout detection.
   4. API Crawling
      • REST
      • SOAP
      • GraphQL
   5. Browser Behaviour
      • User-agent configuration
      • Dynamic rendering
      • JS execution control
   6. Discovery Logic
      • Hidden link discovery
      • Form submissions
      • Sitemap fetching
5. Audit Configuration
   1. Audit Behaviour
      • Audit Speed (Fast / Normal)
      • Audit Accuracy (Normal / Thorough)
      • Maintain sessions
      • Follow redirects
      • Run crawl and audit in parallel
      • Set max scan time
      • Issue noise reduction
      • Network timeout configuration
   2. Scan Checks
      • SQL Injection
      • OS Command Injection
      • XSS
      • Path Traversal
      • LDAP Injection
      • Code Injection
      • SSTI and others
   3. JavaScript Analysis
      • Dynamic DOM analysis
      • Static JS analysis
      • Fetch missing/out-of-scope JS (optional)
      • 30s analysis timeout each
   4. Insertion Points Strategy
      • URL parameters
      • Body parameters
      • Cookies
      • Headers
      • Path components
      • Nested insertion points
      • Limit max insertion points
6. Application Login Configuration
   1. Use credentials or recorded login sequences.
   2. Support adding, editing, and deleting entries.
   3. Import/export login sequences using the library.
7. Resource Pool & Auto-Throttling Configuration
   1. Resource Pool Settings
      • Maximum concurrent requests
      • Request delays
      • Execution concurrency
   2. Auto-Throttling Behaviour
      • Automatic slowdown on server latency increase
      • Adaptive concurrency reduction
      • Automatic backoff on repeated errors
      • Dynamic request pacing
      • Recommended settings:
        • Enable auto-throttle: YES
        • Minimum delay: 100–500 ms
        • Max concurrent requests: 1–2
        • Enable auto backoff: YES
8. Start the Scan
   1. Click Scan to begin.
   2. Monitor progress from the Dashboard.
   3. Review discovered issues in Issue Activity.
9. Review and Export Results
   1. Open the scan report.
   2. Filter vulnerabilities by severity:
      • Critical
      • High
      • Medium
      • Low
   3. Export results as HTML or XML.

Summary

This KB provides a complete walkthrough of how to scan web applications using Burp Suite.