Numerous options are available to configure the behavior of Burp Scanner during crawl-based scans. These can be configured on-the-fly when launching a scan, or can be maintained in Burp's configuration library.
Burp Suite's configuration library comes with a set of built-in configurations so you can quickly configure these options.
These settings control the behavior of the crawl logic to reflect the objectives of the crawl and the nature of the application.
The maximum link depth represents the maximum number of navigational transitions (clicking links and submitting forms) that the crawler will make from the start URL(s). Modern applications tend to build a mass of navigation into every response, in locations like menus and the page footer. For this reason, it is normally possible to reach the vast majority of an application's content and functionality within a small number of hops from the start URL. Fully covering multi-stage processes (like viewing an item, adding it to a shopping cart, and checking out) will require more hops.
Some applications contain extremely long navigational sequences that don't lead to interestingly different functionality. For example, a shopping application might have a huge number of product categories, sub-categories, and view filters. To a crawler, this can appear as a very deep nested tree of links, all returning different content. In this situation, there are clearly diminishing returns to crawling deeply into the navigational structure, so it is sensible to limit the maximum link depth to a small number, such as 8.
Real-world applications differ hugely in the way they organize content and navigation, the volatility of their responses, and the extent and complexity of application state. At one extreme, an application might employ a unique and stable URL for each distinct function, return deterministic content in each response, and contain no server-side state. At the other extreme, an application might employ ephemeral URLs that change each time a function is accessed, overloaded URLs that reach different functions through different navigational paths, volatile content that changes non-deterministically, and heavily stateful functions where user actions cause changes in the content and behavior that is subsequently observed.
Burp's crawler can handle both of these extremes. Where required, it can handle ephemeral and overloaded URLs, volatile content, and changes in application state. However, fully handling these cases imposes a material overhead in the quantity of work that is involved in the crawl. You can use the crawl strategy setting to tune the approach that is taken to specific applications. In practice, this setting represents a trade-off between the speed of the crawl and the completeness of coverage that is achieved. The default strategy represents a trade-off between speed and coverage that is appropriate for typical applications. You can select a strategy that is more optimized for speed, when crawling an application with more stable and unique URLs, and no stateful functionality. Or you can select a strategy that is more optimized for completeness, when crawling an application with more volatile or overloaded URLs, or more complex stateful functionality.
Note that Burp Scanner's "Fastest" crawl strategy differs from other available strategies in some important ways:
When this option is enabled, Burp Scanner skips the unauthenticated crawl phase if you have provided one or more application logins for it to use. It will use only your provided logins and will not attempt to self-register users or trigger login failures. This can help to reduce the overall crawl time.
If you don't provide any application logins, the crawler automatically reverts to performing an unauthenticated crawl instead.
Crawling modern applications is sometimes an open-ended exercise, due to the amount of stateful functionality, volatile content, and unbounded navigation. Burp's crawler uses various techniques to maximize discovery of unique content early in the crawl. The settings for crawl limits let you impose a limit on the extent of the crawl, as it reaches the point of diminishing returns. It is generally sensible to configure a limit to the extent of the crawl, based on your knowledge of the application being scanned.
You can choose to limit the crawl based on:
These settings control how the crawler will interact with any login functionality that is encountered during the crawl. You can configure whether the crawler should:
These settings are not compatible with recorded login sequences. When using recorded logins for a scan, these settings will be ignored.
The crawler uses the following checklist to identify login and registration forms on the target site:
type=password.
name attribute.
If all of these criteria are met, the crawler then distinguishes registration forms from login forms by applying the following rules in order. For example, if two forms have an equal number of password fields, it will then compare the number of text fields, and so on.
The registration form is whichever form has the most:
The crawler identifies login and registration forms based on the password field. However, it will only be able to enter a username or email address if the related fields:
type=email or type=text
name attribute
If either of these conditions is not met, the crawler will successfully identify the form but will be unable to enter the corresponding data correctly.
These settings control how Burp Scanner handles application errors (connection failures and transmission timeouts) that arise during the crawl phase of the scan.
You can configure the following options:
You can leave any setting blank to disable it.
These settings let you override settings defined in Project Options for the crawl task you are configuring.
You can override the following project options:
These settings let you customize some details of the crawl:
robots.txt file and extract links from it.
sitemap.xml file and extract links from it. You can configure the maximum number of items to extract.
/ \ ? = &. However, you can use this setting to control this manually if you prefer.
These settings let you control the behavior of Burp's browser:
Use Burp's browser for Crawl and Audit - This setting controls whether Burp Scanner uses Burp's browser to navigate the target site. We often refer to this as browser-powered scanning.
By default, Burp Scanner uses Burp's browser if your machine appears to meet the required spec, but you can force it to always use the browser if you want. We recommend a machine with at least 2 CPU cores and 8 GB RAM. Alternatively, you can choose to disable browser-powered scanning completely. In this case, Burp Scanner will use the legacy crawling engine.
Fetch required resources and data from out-of-scope hosts - This setting controls whether the crawler will issue requests to out-of-scope hosts where necessary. As websites often require the browser to load externally hosted subresources or fetch data from an API in order to function correctly, allowing these requests helps maximize the coverage of your scans. Note that out-of-scope requests made by the crawler will not be audited.
Read timeout for site resources - This setting determines how long Burp Scanner will wait in milliseconds when attempting to load subresources during the crawl.
Show the crawl in a headed browser - By default, Burp Scanner uses a headless browser for crawling. If you enable this setting, when the scan starts, a new browser window will open in which you can watch the crawler navigating around the target website in real time. This can be useful for troubleshooting.
When watching the crawl in a headed browser, you may see Burp Scanner open a multiple windows and stop using existing ones. This is expected behavior and is not indicative of any issues with the scan. Any redundant windows will automatically be closed after a certain period of time.