yahoonero.blogg.se

Burp suite repeater





In my last post I covered setup for Burp Suite, as well as the Proxy and Target tabs. This blog post will cover the Spider, Intruder and Repeater tools, which start to show the usefulness and power of Burp Suite. Since everything is more fun with examples, I’ll be using practice hacking sites to demo some of these features.

If you don’t have Burp Suite set up yet, check out this blog post first.

Spider

First up is the Spider tool, which is a web crawler. Burp’s website states: "Burp’s cutting-edge web application crawler accurately maps content and functionality, automatically handling sessions, state changes, volatile content, and application logins." In other words, it programmatically crawls a website(s) for all links and adds them to the Site Map view in the Target tab. If you worked through the last post and its examples, then you have already (passively) used the Spider tool.

Why is this useful? Having a complete site map helps you understand the layout of a website and makes you aware of all the different areas where vulnerabilities might exist (for example, seeing the gear icon on a page means that data can be / has been submitted). Doing that by browsing through the website is time-consuming, especially if you have a very complex website. The Spider tool does all of that for you by recursively finding and requesting all links on a given website.

Configuring Scope

Make sure you set your scope before you run the Spider tool! We covered scope in the last blog post, but it’s a way of limiting what websites are shown to you within Burp, and what websites are used by other tools (which sites do you want to be sending requests to?)

In this example, I’ll be using XSS Game first. First, I turn FoxyProxy on in my browser, and make sure that the settings in the Proxy > Options tab match my FoxyProxy options. Next, I go to the Target > Scope tab to set my scope. If you do not set a scope when spidering, it will crawl things outside of your intended target.
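To make the scope point concrete, here is a small added example (not code from this post or from Burp) of a recursive link crawler with and without a scope check. The hostnames, the page contents and the exact-host scope rule are all constructed assumptions, and the crawl runs over an in-memory site rather than the network.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urldefrag, urlsplit

# Constructed sample site (not real responses): URL -> HTML body.
PAGES = {
    "http://target.example/": '<a href="/level1">L1</a> <a href="http://cdn.example/lib.js">cdn</a>',
    "http://target.example/level1": '<a href="level2?q=1#top">L2</a> <a href="/">home</a>',
    "http://target.example/level2?q=1": '<a href="https://other.example/login">SSO</a>',
    "http://cdn.example/lib.js": '<a href="http://cdn.example/more">more</a>',
}

class LinkParser(HTMLParser):
    """Collects href values from anchor tags."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

def in_scope(url, scope_hosts):
    """Scope rule assumed here: exact host match. None means no scope was set."""
    return scope_hosts is None or urlsplit(url).hostname in scope_hosts

def crawl(start, fetch, scope_hosts=None):
    """Breadth-first crawl. Returns (requested, skipped): URLs fetched, and
    URLs discovered but never requested because they were out of scope."""
    requested, skipped, queue, seen = [], set(), deque([start]), {start}
    while queue:
        url = queue.popleft()
        if not in_scope(url, scope_hosts):
            skipped.add(url)
            continue
        requested.append(url)
        parser = LinkParser()
        parser.feed(fetch(url))
        for href in parser.links:
            link = urldefrag(urljoin(url, href)).url  # resolve relative, drop #fragment
            if link not in seen:
                seen.add(link)
                queue.append(link)
    return requested, sorted(skipped)

def fetch_constructed(url):
    """Stand-in for an HTTP request: serves the constructed pages above."""
    return PAGES.get(url, "")

if __name__ == "__main__":
    print(crawl("http://target.example/", fetch_constructed, {"target.example"}))
    print(crawl("http://target.example/", fetch_constructed))  # no scope set
```

With the scope set, the two third-party links are recorded but never requested; with no scope, the crawler follows them and keeps going into whatever those hosts link to.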





