Scanning specific HTTP messages

Scanning specific HTTP messages makes it easy to run focused scans on a particular set of requests or responses.

You can scan HTTP messages from most places that display HTTP traffic in Burp Suite. In tools that display lists of HTTP requests (such as the Site map and HTTP history tabs) you can select multiple entries to scan.

To scan the selected HTTP messages, right-click and select one of the scan options from the context menu. There are three options available:

• Scan. This menu item has two options:

  • Open scan launcher. This opens a scan launcher window from where you can configure the scan.
  • Add to task. This enables you to add a scan of the message to a pre-existing task.

• Do passive scan. Burp Scanner analyzes the contents of the base request and response, rather than sending its own requests.

• Do active scan. Burp Scanner sends its own requests to the target to probe for vulnerabilities.

Configuring an audit of specific HTTP messages

To configure an audit of specific HTTP messages:

1. Right-click the messages required and select Scan.

2. From the Scan type tab of the scan launcher, select Audit selected items.

3. Select the task that you want the audit to run under:

   • To add the audit to an existing task, select Add to task and select the required task from the list.
   • To have the audit run under its own task, select Create new task.

4. Optionally, select Consolidate items to remove unnecessary messages from the audit. You can consolidate items using the following criteria:

   • Duplicates (messages that have the same URLs and parameters).
   • Out-of-scope messages based on the current suite scope.
   • Messages with no parameters.
   • Messages with a specified file extension.

5. Optionally, specify details for the remaining launcher tabs:

   • Scan configuration. For more information, see Configuring scans.
   • Resource pool. For more information, see Managing resource pools for scans.

6. Click Scan to start the audit.