burp

Burp Suite Professional is an industry-leading web application vulnerability scanner by PortSwigger, integrated into Canva workflows for automated headless scanning. It uses Burp's built-in REST API to perform crawl-and-audit scans, identifying vulnerabilities such as SQL injection, XSS, SSRF, and other OWASP Top 10 issues without manual interaction.

Ideal Use Cases & Fit

burp is ideal for thorough web application security assessments in scenarios such as:

  • Deep vulnerability scanning of web applications with active crawling and auditing
  • Complementing OWASP ZAP with a second scanning engine for broader coverage and reduced false negatives
  • Authenticated scanning of web applications using session cookies or bearer tokens passed via custom headers

This tool excels at active vulnerability detection on complex web applications. It scans one target at a time sequentially and requires a valid Burp Suite Professional license key provided by the user. Targets must be specified with the exact hostname — Burp scopes scans strictly to the provided domain and will not follow redirects to different hostnames.

Value in Workflows

Integrating burp into security workflows provides access to one of the most respected commercial vulnerability scanners available. Its crawl-and-audit engine is known for thorough coverage of application attack surfaces, including modern JavaScript-heavy applications. By producing structured JSONL output compatible with downstream analysis and reporting nodes, it fits naturally into multi-stage security workflows. Pairing burp with other tools like nuclei or zap enables multi-engine scanning strategies that minimize missed vulnerabilities.

Input Data

The tool expects a required input file containing newline-separated target URLs. Each URL represents a web application to scan. Targets without a URL scheme are automatically prefixed with https://.

Example:

https://www.example.com
https://staging.example.com
http://internal-app.local:8080
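The following is an added example, not code from the burp tool or from Canva's workflow nodes. It normalises a target file the way described above (entries with no scheme get https://) and makes the hostname-scoping rule visible: because Burp scopes each scan to the exact hostname given and does not follow redirects to other hostnames, a target written as www.example.com will not cover example.com. The sample file contents are constructed, and the rule that "no scheme" means "no ://" is an assumption.

```python
"""Added example (not the burp tool's or Canva's own code): normalise a
newline-separated target file as the page describes and show which
hostname Burp will keep in scope for each target.
"""
from urllib.parse import urlsplit

# Constructed sample input file contents, including a blank line.
SAMPLE_TARGET_FILE = """\
www.example.com

https://staging.example.com
http://internal-app.local:8080
"""


def normalise_targets(text: str) -> list[str]:
    """Return scan targets: blank lines dropped, https:// added when no scheme.

    Assumption: a target "without a URL scheme" is one containing no '://'.
    """
    targets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "://" not in line:
            line = "https://" + line
        targets.append(line)
    return targets


def scope_host(target: str) -> str:
    """Hostname Burp will treat as in scope for this target (lower-cased)."""
    host = urlsplit(target).hostname
    if host is None:
        raise ValueError(f"target has no hostname: {target!r}")
    return host.lower()


def in_scope(target: str, observed_url: str) -> bool:
    """True only when observed_url's host is exactly the target's host."""
    return scope_host(target) == scope_host(observed_url)


if __name__ == "__main__":
    for t in normalise_targets(SAMPLE_TARGET_FILE):
        print(t, "->", scope_host(t))
    # A redirect from www.example.com to example.com leaves Burp's scope,
    # so the redirected application would go unscanned.
    print(in_scope("https://www.example.com", "https://example.com/login"))
```

If an application redirects between hostnames (apex to www, or to a separate login host), list each hostname as its own target so every host is scanned.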

License Key and Activation

burp requires a valid Burp Suite Professional license key to operate. The key is provided as a parameter on every run.

When running burp for the first time with only a license key, the tool performs an online activation against PortSwigger's servers. PortSwigger monitors activations and warns:

"License activations are monitored. If you perform too many activations, further activations for this license may be prevented."

To avoid burning activations on every run, burp outputs an activation token (a key-value pair) after the first successful scan. You should save this token and provide it on all subsequent runs using the --activation-token-key and --activation-token-value parameters.

How to obtain the activation token

Option A — From the first scan output (no local Burp install needed):

  1. Run your first scan providing only --license-key
  2. The scan output (JSONL) will include a metadata entry with activation_token_key and activation_token_value
  3. Save both values and pass them on all future runs

Option B — From an existing local Burp Suite Pro installation:

Your activation token is stored in ~/.java/.userPrefs/burp/prefs.xml. This file is large (~1.6MB) because it contains Burp's full configuration, but you only need one entry from it. Run this command to extract it:

grep '<entry' ~/.java/.userPrefs/burp/prefs.xml \
| grep -v 'eulapro\|caCert\|license1\|deviceId\|installationId\|extensions\.\|suite\.'

This filters out the ~200 configuration entries and returns a single line — your activation token. The key attribute is your activation-token-key and the value attribute is your activation-token-value.
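The following is an added example covering both Option A and Option B; it is not code from the burp tool or from Canva. It pulls the activation token out of the JSONL scan output (Option A) and out of a prefs.xml using the same exclusion list as the grep pipeline above (Option B), then builds the two parameters to pass on later runs. Assumptions: each JSONL line is one JSON object and the metadata entry carries activation_token_key and activation_token_value as top-level keys; the sample JSONL and the trimmed prefs.xml are constructed, and every token and licence value in them is a placeholder.

```python
"""Added example (not the burp tool's or Canva's own code): recover the
activation token from either source the page describes.

Option A: scan the JSONL output for the metadata entry carrying
activation_token_key / activation_token_value.  Assumption: one JSON object
per line, with those two keys at the top level of the metadata entry.

Option B: parse ~/.java/.userPrefs/burp/prefs.xml (Java Preferences format,
<entry key="..." value="..."/>) and drop the same entries as the page's
grep -v pipeline.
"""
import json
import xml.etree.ElementTree as ET

# The substrings the page's grep -v filter excludes.
PREFS_EXCLUDE = ("eulapro", "caCert", "license1", "deviceId",
                 "installationId", "extensions.", "suite.")

# Constructed sample JSONL output; all values are placeholders.
SAMPLE_JSONL = """\
{"type": "scan_start", "target": "https://www.example.com"}
{"type": "metadata", "activation_token_key": "PLACEHOLDER_KEY", "activation_token_value": "PLACEHOLDER_VALUE"}
{"type": "issue", "name": "Example issue", "severity": "Low"}
"""

# Constructed, heavily trimmed prefs.xml; the non-token keys exist only to
# exercise the exclusion filter, and all values are placeholders.
SAMPLE_PREFS_XML = """\
<map MAP_XML_VERSION="1.0">
  <entry key="eulapro" value="1"/>
  <entry key="caCert" value="PLACEHOLDER_CERT"/>
  <entry key="license1" value="PLACEHOLDER_LICENSE"/>
  <entry key="suite.lastVersion" value="PLACEHOLDER_VERSION"/>
  <entry key="extensions.list" value="[]"/>
  <entry key="PLACEHOLDER_KEY" value="PLACEHOLDER_VALUE"/>
</map>
"""


def token_from_jsonl(text: str) -> tuple[str, str]:
    """Option A: return (key, value) from the first object carrying both keys."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno} is not JSON: {exc}") from exc
        if (isinstance(obj, dict)
                and "activation_token_key" in obj
                and "activation_token_value" in obj):
            return str(obj["activation_token_key"]), str(obj["activation_token_value"])
    raise LookupError("no metadata entry with an activation token found")


def token_from_prefs_xml(xml_text: str) -> tuple[str, str]:
    """Option B: the single <entry> left once the exclusion list is applied."""
    root = ET.fromstring(xml_text)
    remaining = [
        (e.get("key", ""), e.get("value", ""))
        for e in root.iter("entry")
        # grep -v drops a line when an excluded string appears anywhere on it,
        # so check both attributes, not just the key.
        if not any(x in e.get("key", "") or x in e.get("value", "")
                   for x in PREFS_EXCLUDE)
    ]
    if len(remaining) != 1:
        raise LookupError(f"expected exactly one entry, got {len(remaining)}")
    return remaining[0]


def token_args(key: str, value: str) -> list[str]:
    """Parameters to add on every later run so no activation is consumed."""
    return ["--activation-token-key", key, "--activation-token-value", value]


if __name__ == "__main__":
    print(token_args(*token_from_jsonl(SAMPLE_JSONL)))
    print(token_args(*token_from_prefs_xml(SAMPLE_PREFS_XML)))
```

token_from_prefs_xml refuses to guess when the filter leaves zero or several entries, since a newer Burp build might add preference keys the exclusion list does not know; in that case inspect the remaining entries by hand rather than passing the wrong pair as the token. Treat the token like the licence key itself: it is what lets Burp start without contacting PortSwigger, so store it in the workflow's secret store, not in the target list or a shared log.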

Startup behavior

  • With activation token: Burp starts in approximately 12 seconds with no internet required for activation. No activation is consumed.
  • Without activation token: Burp performs online activation (requires outbound HTTPS to portswigger.net), which takes up to 60 seconds. One activation is consumed per run.

Configuration

Scan Parameters:

  • scan-type: Controls the type of scan. crawl-and-audit (default) performs a full crawl followed by active vulnerability checks. crawl-only performs discovery without active testing. audit-only runs active checks without crawling, useful when the application surface is already known.

Timeouts:

  • scan-timeout: Maximum seconds allowed per individual target scan (default: 7200, which is 2 hours). Targets exceeding this limit are marked as timed out with partial results preserved. The tool also detects stalled scans — if no progress is made for 30 seconds during crawling or 120 seconds during auditing, the target is skipped automatically.

Authentication:

  • header: Custom HTTP headers to include in all scan requests, useful for authenticated scanning. Accepts the format Name: Value and can be specified multiple times. For example, pass Cookie: session=abc123 or Authorization: Bearer token to scan behind authentication.

Updated: 2026-04-08
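The following is an added example, not code from the burp tool or from Canva. It validates the three parameter groups documented above before a run is launched (scan-type against its three allowed values, scan-timeout as a positive number of seconds with the 7200 default, and each header as a well-formed Name: Value pair), and it reproduces the stall rule as stated: no progress for 30 seconds while crawling or 120 seconds while auditing. How the real tool reports progress is not documented here, so the progress readings are a constructed (seconds, phase, counter) series.

```python
"""Added example (not the burp tool's or Canva's own code): validate the
documented scan parameters and apply the page's stall rule to constructed
progress readings.
"""
import re

SCAN_TYPES = ("crawl-and-audit", "crawl-only", "audit-only")
DEFAULT_SCAN_TIMEOUT = 7200  # seconds (2 hours), the documented default
STALL_LIMIT = {"crawling": 30, "auditing": 120}  # seconds without progress

# Characters permitted in an HTTP header field name (RFC 7230 token).
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")

# Constructed progress series: (seconds since start, phase, work counter).
CRAWL_READINGS = [(0, "crawling", 0), (10, "crawling", 5),
                  (20, "crawling", 5), (40, "crawling", 5)]
AUDIT_READINGS = [(0, "auditing", 0), (60, "auditing", 0), (100, "auditing", 1),
                  (160, "auditing", 1), (220, "auditing", 1)]


def parse_header(spec: str) -> tuple[str, str]:
    """Parse one 'Name: Value' header parameter.

    Rejects names that are not HTTP tokens and values containing CR or LF,
    so a malformed parameter cannot inject a second header into every
    request the scanner sends.
    """
    name, sep, value = spec.partition(":")
    name, value = name.strip(), value.strip()
    if not sep or not name:
        raise ValueError(f"header must be 'Name: Value': {spec!r}")
    if not _TOKEN.match(name):
        raise ValueError(f"invalid header name: {name!r}")
    if "\r" in value or "\n" in value:
        raise ValueError("header value must not contain CR or LF")
    return name, value


def validate_scan_params(scan_type: str = SCAN_TYPES[0],
                         scan_timeout: int = DEFAULT_SCAN_TIMEOUT,
                         headers=()) -> dict:
    """Return the normalised parameter set, or raise ValueError."""
    if scan_type not in SCAN_TYPES:
        raise ValueError(f"scan-type must be one of {SCAN_TYPES}, got {scan_type!r}")
    if not isinstance(scan_timeout, int) or scan_timeout <= 0:
        raise ValueError("scan-timeout must be a positive number of seconds")
    return {
        "scan-type": scan_type,
        "scan-timeout": scan_timeout,
        "header": [parse_header(h) for h in headers],
    }


def stalled_at(readings):
    """Return the time at which the stall rule first fires, else None.

    A reading counts as progress when its counter increases or its phase
    changes; the permitted gap depends on the current phase.
    """
    last_t = last_phase = last_progress = None
    for t, phase, progress in readings:
        if last_t is None or phase != last_phase or progress > last_progress:
            last_t, last_phase, last_progress = t, phase, progress
            continue
        if t - last_t >= STALL_LIMIT[phase]:
            return t
    return None


if __name__ == "__main__":
    print(validate_scan_params(headers=["Cookie: session=abc123"]))
    print("crawl stalled at", stalled_at(CRAWL_READINGS))   # 40
    print("audit stalled at", stalled_at(AUDIT_READINGS))   # 220
```

The two series show why the audit threshold is four times the crawl threshold: a single slow audit check can legitimately go a minute or more without new findings, whereas a crawler that has not discovered anything for 30 seconds has almost certainly run out of reachable content.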