Audit items

  • Last updated: July 6, 2023

  • Read time: 3 Minutes

The Audit items tab in the task details window contains a list of items audited by Burp Scanner. It is populated as the audit runs, enabling you to monitor the progress of individual audit items. This enables you to diagnose problems with the audit, for example due to network errors or large numbers of insertion points. You can then change the scan configuration to optimize your audit.

You can view the following details about each item:

  • # - The item's index number.
  • Host - The destination host.
  • URL - The destination URL.
  • URL - The destination URL.
  • Passive phases, Active phases, JavaScript phases - The audit phase indicators.
  • Issues - The number of issues identified for the item. These are categorized by severity.
  • Requests - The number of requests made while auditing the item. This is not necessarily a linear function of the number of insertion points.
  • Errors - The number of network errors encountered.
  • Insertion points - The number of insertion points created for the item.
  • Start time, End time - The start and end time of the audit.
  • Comment - Any user-applied comment. Double-click this field to add a comment.

Right-click an item to perform various actions as part of your workflow:

  • Show details - View the base request and response in a new window, as well as the Inspector panel. You can also double-click an item to open this window.
  • Cancel - Stop auditing the item. There may be a short delay while any pending requests are completed.
  • Audit again - Duplicate the item and add it to the end of the list.
  • Add comment - Add a comment to the item. You can also double click the comment cell.
  • Highlight - Apply a highlight to the item. You can also use the drop-down menu in the index cell.
  • Send to ... - Send the item's base request to other Burp tools.

Audit phase indicators

Burp Scanner runs through the following phases when auditing content:

Passive phases

Burp Scanner has two passive phases:

  • Phase 1 - Identify passive issues.
  • Phase 2 - Consolidate issues that exist at different locations in the application. Burp then reports on the issues.

Active phases

Burp Scanner has five active phases:

  • Phase 1 - Test each insertion point for first-order vulnerabilities.
  • Phase 2 - Send data to each insertion point. The data is designed to detect stored input behaviors.
  • Phase 3 - Re-fetch application responses to detect stored input behaviors.
  • Phase 4 - Test the stored input paths for second-order vulnerabilities.
  • Phase 5 - Send a Collaborator payload to each insertion point. The payload is designed to detect blind stored XSS vulnerabilities.

JavaScript phases

Burp Scanner has three JavaScript phases:

  • Phase 1 - Analyze JavaScript to detect self-contained DOM-based issues.
  • Phase 2 - Analyze reflection of input into JavaScript code to detect reflected DOM-based issues.
  • Phase 3 - Analyze stored input in JavaScript code to detect stored DOM-based issues.

Related pages

Auditing - Gives detailed information on the auditing process, including the audit phases.

Was this article helpful?