Listen to this Post

Introduction:
Burp Suite Professional’s integrated web crawler and vulnerability scanner automate the discovery of hidden endpoints and security flaws in modern web applications. By combining intelligent crawling with active audit checks, penetration testers can efficiently map attack surfaces and detect SQLi, XSS, and misconfigurations without manual intervention.
Learning Objectives:
- Configure and customize Burp Suite’s web crawler to discover application endpoints, including JavaScript-rendered paths and API routes.
- Execute automated vulnerability audits using both default and advanced scan profiles to identify OWASP Top 10 risks.
- Integrate crawling and scanning workflows into CI/CD pipelines and headless environments using Burp’s REST API and command-line tools.
You Should Know:
- Setting Up Burp Suite Crawler with Default Configuration
The Burp crawler (spider) automatically traverses a web application by following links, forms, and JavaScript-generated requests. Start by launching Burp Suite Professional and configuring your target.
Step‑by‑step guide:
1. Install Burp Suite (Linux/Windows):
- Linux (Debian/Ubuntu):
sudo apt update && sudo apt install default-jre -y wget https://portswigger.net/burp/releases/download?product=pro&version=2024.9.1&type=Jar -O burpsuite_pro.jar java -jar burpsuite_pro.jar
- Windows: Download the Windows installer from Portswigger and run it.
- Open Burp → Target tab → right-click a host in the site map → select Spider this host.
- Choose Use default configuration → click Next → review scope (default includes the selected host) → click OK.
- Monitor progress under Target → Site map (crawled endpoints appear in real time).
- Stop the crawler via Scanner → Tasks → right-click task → Cancel.
What this does: The default crawler respects robots.txt, avoids out-of-scope domains, and honours session handling rules. Use it for quick discovery of public endpoints.
2. Customizing the Crawler for Deep Application Mapping
Default settings may miss AJAX calls, form submissions, or parameter‑driven navigation. Customization ensures thorough coverage, especially for single‑page applications (SPAs).
Step‑by‑step guide:
- Go to Project options → Spider → Advanced.
2. Crawler settings:
- Increase Maximum link depth (e.g., 6) to explore nested directories.
- Enable Process forms to submit dummy values automatically.
- Set Number of threads to 10 for faster crawling (beware of rate limiting).
3. Request handling:
- Add custom headers (e.g.,
Authorization: Bearer <token>) under Spider → Advanced → Custom request headers. - Define Login credentials (Form‑based or NTLM) so the crawler can access authenticated areas.
- To target API endpoints specifically, add an In‑scope URL prefix like `https://target.com/api/` under Target → Scope → Add URL.
- Start the custom crawl via Spider this host → choose Use advanced configuration.
Example: For a React app with /graphql, force the crawler to include POST requests by enabling Spider → Advanced → Submit forms/requests → Include POST.
3. Vulnerability Scanning (Audit) with Default Configuration
Burp’s active scanner sends specially crafted payloads to detected endpoints to identify SQL injection, cross‑site scripting (XSS), path traversal, and more.
Step‑by‑step guide:
- In Target → Site map, select a host or specific folders.
2. Right‑click → Do an active scan.
- Choose Use default configuration → Next → confirm scope → OK.
- Scan progress appears in Scanner → Dashboard and Scanner → Issue activity.
- Review findings – each issue includes a description, severity, and proof of concept (e.g., reflected payload).
Linux/Windows commands to verify an XSS finding manually:
Using curl on Linux to test a vulnerable parameter curl "https://target.com/search?q=<script>alert(1)</script>" Windows (PowerShell) Invoke-WebRequest -Uri "https://target.com/search?q=<script>alert(1)</script>"
What this does: The default audit checks about 80% of common vulnerabilities with a balanced speed/accuracy trade‑off. Suitable for initial assessments.
- Defining Advanced Audit Options for API and Cloud Security
Fine‑tuned audit configurations reduce false positives and target specific weaknesses like GraphQL introspection, JWT misconfigurations, or cloud storage exposure.
Step‑by‑step guide:
1. Create a custom audit configuration:
- Go to Scanner → Scan configurations → New → Audit (Active).
- Under Issue definitions, disable checks that generate noise (e.g., “External service interaction” if not relevant).
- Enable Insertion point types: for APIs, focus on JSON parameters and URL query strings.
- Payload sets: Add custom payloads for JWT secret brute‑forcing or cloud metadata endpoint injection:
</li> </ol> - 169.254.169.254/latest/meta-data/ - {"username": {"$ne": null}}3. Scan speed: Adjust Requirement to Thorough (increases payloads, longer runtime) or Fast for quick regression tests.
4. Cloud hardening check: Manually test for misconfigured S3 buckets using a Burp extension like “AWS Extender” – or use this command:Linux: Check for open S3 bucket aws s3 ls s3://target-bucket-name --no-sign-request
5. Apply the advanced config by selecting Use custom configuration when launching an active scan.
Mitigation: For APIs, enforce strict schema validation, rate limiting, and always disable GraphQL introspection in production.
- Crawling & Scanning Together in a Single Task
Burp allows you to combine crawling and auditing in one continuous workflow, ideal for CI/CD integration or bug bounty automation.
Step‑by‑step guide:
1. Navigate to Scanner → Create new scan.
2. Select Crawl and audit.
- Under Crawl configuration, choose a custom or default spider config.
- Under Audit configuration, pick the issue checks required.
- Set Scope – include/exclude URLs based on regex (e.g., exclude
/logout,/admin/static/). - Enable Schedule for nightly scans or CI integration via Burp’s REST API (example below).
7. Click OK to start the combined task.
Using Burp Suite headlessly for automation (Linux):
Start Burp in headless mode with a project file and trigger a scan via REST API java -jar burpsuite_pro.jar --headless --project-file=target.burp --config-file=scan_options.json Trigger scan via curl curl -X POST "http://localhost:8080/burp/v0.1/scan" -H "Content-Type: application/json" -d '{"url":"https://target.com","type":"crawl_and_audit"}'Windows (PowerShell) alternative:
Invoke-WebRequest -Uri "http://localhost:8080/burp/v0.1/scan" -Method POST -Body '{"url":"https://target.com","type":"crawl_and_audit"}' -ContentType "application/json"This approach enables integration with Jenkins, GitLab CI, or automated bug bounty pipelines.
6. Managing Scan Tasks: Deleting, Pausing, and Reporting
Effective task management prevents resource exhaustion and organizes findings for remediation.
Step‑by‑step guide:
- Pause/resume: In Scanner → Tasks, right‑click an active task → Pause (e.g., to reduce load during business hours).
- Delete a scan task: Right‑click → Delete. This removes the scan but retains already discovered issues in the site map.
- Export report: Select the host in Target → Site map → right‑click → Report selected issues. Choose format (HTML, XML, or JUnit for CI).
– Command line example for automation (Linux):
curl -X GET "http://localhost:8080/burp/v0.1/report?taskId=123" -o report.html
4. Customise report: Include evidence (request/response pairs), remediation advice, and severity filtering.
Pro tip: Use Burp’s Bambdas to create fine‑grained report filters – e.g., exclude informational issues automatically.
- Linux/Windows Commands for Vulnerability Exploitation & Mitigation (Supplementary)
Understanding how attackers exploit findings helps strengthen defences. Below are commands to test or mitigate common audit results.
Testing found SQL injection (Error‑based):
Linux (curl) curl "https://target.com/product?id=1' AND 1=1-- -" Windows (PowerShell) Invoke-WebRequest -Uri "https://target.com/product?id=1' AND 1=1-- -"
Mitigation: Use parameterised queries (example for Linux dev environment):
Python with SQLAlchemy from sqlalchemy import text result = connection.execute(text("SELECT FROM products WHERE id = :id"), {"id": user_input})Testing Path Traversal on a file download endpoint:
curl "https://target.com/download?file=../../../../etc/passwd"
Mitigation (Apache .htaccess):
RewriteCond %{QUERY_STRING} (../|..\) [bash] RewriteRule . - [bash]Testing for Server‑Side Request Forgery (SSRF) to cloud metadata:
curl "https://target.com/fetch?url=http://169.254.169.254/latest/meta-data/"
Cloud hardening (AWS): Block metadata access by adding a deny rule in the instance role policy or restrict IMDSv2 to require token.
These commands and hardening steps directly map to issues Burp’s scanner may report, giving both offensive and defensive value.
What Undercode Say:
- Automated discovery is essential but not sufficient – Burp’s crawler often misses business logic flaws. Always supplement with manual testing and custom scripts.
- Integration with CI/CD requires careful scope definition – Scanning staging environments is safe; scanning production demands rate limiting and authorisation to avoid availability impact.
- API security auditing is a strength – Burp’s advanced insertion point detection for JSON and GraphQL yields fewer false negatives than many dedicated API scanners.
- Headless automation unlocks enterprise‑scale pentesting – The REST API allows embedding Burp into DevSecOps pipelines with minimal overhead.
- False positives still plague active scanners – Always validate high/critical findings using manual payloads (e.g., `curl` commands above) before reporting.
Prediction:
By 2028, AI‑driven web scanners like Burp Suite’s upcoming “Deep‑Learning Crawler” will automatically reverse‑engineer JavaScript frameworks and GraphQL schemas, reducing manual mapping time by 90%. However, adversarial AI will simultaneously generate anti‑crawler traps (honeypot tokens, dynamic DOM mutations) that force pentesters back to hybrid automation‑manual workflows. Organisations that invest in pipeline‑based scanning (triggered per commit) will outpace those running weekly point‑in‑time scans, as speed of detection becomes the primary differentiator in cloud‑native incident response.
▶️ Related Video (82% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Burp Suite – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeTesting & Stay Tuned:
- Crawling & Scanning Together in a Single Task


