**Note: The content in this article is only for educational purposes and understanding of cybersecurity concepts. It should enable people and organizations to have a better grip on threats and know how to protect themselves against them. Please use this information responsibly.**
BurpSuite Professional, the most widely used pen testing toolkit, offers a comprehensive dashboard that serves as a central hub for monitoring and controlling all automated tasks in your project. This article focuses on the key features of this dashboard.
Burp Scanner
New Scan: Allows you to perform scans on web applications. It gives you two options: Crawl and Audit.
Crawling
The initial stage of a scan is typically the crawl phase. In this phase, Burp Scanner explores the application, tracing links, filling out forms, and logging in as needed to explore the application’s content and navigation routes.
Although this procedure might appear straightforward at first, the architecture of contemporary web applications requires the crawler to handle volatile content, session-management mechanisms, changes in application state, and robust login procedures in order to build an accurate map of the application.
Scanning Configuration
The scanning configuration sets how intensive the scan of an application should be. It offers four options:
- Lightweight: Speed is the priority; the scan is completed in 15 minutes and gives you an overview of the security of a website.
- Fast: One step up from Lightweight, with more thorough coverage.
- Balanced: Where the other scans favour speed, the Balanced scan strikes a balance between coverage and speed and returns results in a few hours.
- Deep: Focuses on the highest coverage; how long it takes depends on the size of the website.
Application Login
During the crawl of a target application, Burp Scanner aims to explore as much of the application’s attack surface as possible. Authenticated scanning allows Burp to access privileged content that requires login credentials, such as user dashboards and admin panels. There are two ways to authenticate with target applications:
Login Credentials: These are straightforward username and password pairs. They work for sites with a simple single-step login mechanism.
Recorded Login Sequences: Users define these sequences of instructions. They are useful for sites with complex login mechanisms, such as Single Sign-On (SSO).
Remember that you can only use one authentication method per scan. If you provide both login credentials and a recorded login sequence, Burp Scanner will ignore the login credentials.
Resource Pool
The Resource Pool option lets multiple tasks share resources. There is a default pool: if we do not assign a task to a pool, Burp Scanner uses the default pool.
To create a new resource pool in the scan launcher, follow these steps:
- Click on “Create new resource pool.”
- Provide a name for the pool.
- Configure the pool’s throttling settings.
After filling in the necessary details, we can start the scan; its progress and results can be followed in the dashboard.
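As an added example (not from the article or from PortSwigger), the same launch scripted against Burp Suite Professional's REST API: build_scan_request encodes the four intensity levels, the one-authentication-method-per-scan rule and the default resource pool described above, and launch_scan submits the task. The API address, the "Crawl and Audit - <Level>" configuration names and the JSON field names are assumed from that API, which the article itself does not cover.

```python
# Added example (not from the article or PortSwigger). Assumes Burp Suite
# Professional's REST API is enabled on its default 127.0.0.1:1337 and that the
# built-in configurations are named "Crawl and Audit - <Level>"; the endpoint
# and JSON field names are assumed from that API, which the article does not cover.
import json
import urllib.request

BURP_API = "http://127.0.0.1:1337/v0.1/scan"  # assumed REST API address
LEVELS = ("Lightweight", "Fast", "Balanced", "Deep")  # the four intensities


def build_scan_request(urls, level="Balanced", username=None, password=None,
                       recorded_login=None, resource_pool=None):
    """Body for a new scan task: one of four intensity levels, at most one
    authentication method (a recorded login sequence wins over plain
    credentials), and Burp's default resource pool when none is named."""
    if level not in LEVELS:
        raise ValueError(f"unknown scan level {level!r}; expected one of {LEVELS}")
    body = {
        "urls": list(urls),
        "scan_configurations": [
            {"type": "NamedConfiguration", "name": f"Crawl and Audit - {level}"}
        ],
    }
    if recorded_login is not None:
        # Burp ignores credentials when a recorded sequence is also supplied,
        # so only the recorded login (label + exported script) is sent.
        body["application_logins"] = [{"type": "RecordedLogin", **recorded_login}]
    elif username is not None and password is not None:
        body["application_logins"] = [{"type": "UsernameAndPasswordLogin",
                                       "username": username, "password": password}]
    if resource_pool:  # omitted -> Burp schedules the task in its default pool
        body["resource_pool"] = resource_pool
    return body


def launch_scan(body, api=BURP_API):
    """POST the scan; Burp replies 201 with the new task id in the Location header."""
    req = urllib.request.Request(api, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.headers.get("Location")


if __name__ == "__main__":
    body = build_scan_request(["https://app.example.test"], level="Lightweight",
                              username="scanner", password="REPLACE-ME",
                              recorded_login={"label": "sso", "script": "[]"})
    print(json.dumps(body, indent=2))  # only the RecordedLogin entry is present
    # print(launch_scan(body))  # run with Burp's REST API enabled
```

The constructed target URL and credentials are placeholders; point them at an application you are authorised to scan.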