How to do it...

Ensure Burp and the OWASP BWA VM are running, and that Burp is configured in the Firefox browser used to view the OWASP BWA applications.

From the OWASP BWA landing page, click the link to the OWASP Mutillidae II application:

  1. From the Target | Site map tab, right-click the mutillidae folder and select Passively scan this branch. The passive scanner will hunt for vulnerabilities, which will appear in the Issues window.

  2. From the Target | Site map tab, right-click the mutillidae folder and select Actively scan this branch.

  3. Upon initiating the active scanner, a pop-up dialog box appears prompting for removal of duplicate items, items without parameters, items with media responses, or items of certain file types. This pop-up is the Active scanning wizard. For this recipe, use the default settings and click Next.

  4. Verify that all paths shown are desired for scanning. Any undesired file types or paths can be removed with the Remove button. Once complete, click OK.

You may be prompted regarding out-of-scope items. If so, click Yes to include those items. The scanner will then begin.

  5. Check the status of the scanner by looking at the Scanner queue tab.

  6. As the scanner finds issues, they are displayed on the Target tab, in the Issues panel. This panel is only available in the Professional edition since it complements the scanner's functionality.
