From aldeid

Burp Spider


Burp Spider is a feature for mapping web applications. It builds a tree of the site's content by following the links found in the source of each page it fetches.

From the "site map" subtab of the "target" tab, right-click an item and select "spider this host" from the context menu.

"Control" Tab

This tab lets you control the "spider".

  • spider running: this checkbox starts or stops the "spider". The statistics show the progress of the crawl in progress.
  • spider scope: this option lets you define the scope of the "spider".

"Options" Tab

The options are:

  • check robots.txt: request the robots.txt file and explore the links it contains.
  • use cookies: reuse the cookies collected in each request.
  • detect custom "not found" responses: recognises custom 404 pages.
  • ignore links to non-text content: speeds up the "spider" by not following links whose MIME type, inferred from the tag (for example <img>), indicates non-text content.
  • request the root of all directories: requests the root of every directory discovered within the "scope".
  • make a non-parameterised request to each dynamic page: tests how dynamic pages behave when they are requested with no parameters.
  • maximum link depth: sets the crawl depth (the number of link "hops" followed from the start page).
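
The crawl below is an added example (not part of the original page and not Burp's own code) that reproduces how these options shape the resulting tree: a constructed in-memory site with the made-up hosts app.example and other.example stands in for the target, and the crawler honours the spider scope, the maximum link depth, the "ignore links to non-text content" filter and custom "not found" detection.

```python
import re
from collections import deque
from urllib.parse import urljoin, urlparse

# Constructed stand-in site (added example, not Burp's code): url -> HTML body.
# Anything not listed answers with a custom "not found" page instead of a real 404.
SITE = {
    "http://app.example/": '<a href="/about">About</a> <a href="/docs/">Docs</a> '
                           '<img src="/logo.png"> <a href="http://other.example/">Partner</a>',
    "http://app.example/about": '<a href="/team">Team</a>',
    "http://app.example/team": '<a href="/team/alice">Alice</a>',
    "http://app.example/team/alice": "<p>Alice</p>",
    "http://app.example/docs/": '<a href="/docs/guide.pdf">Guide</a> <a href="/old">Old</a>',
    "http://app.example/docs/guide.pdf": "%PDF-1.4 (binary content)",
}
CUSTOM_404 = "<h1>Sorry, that page does not exist</h1>"
NON_TEXT = re.compile(r"\.(png|jpe?g|gif|pdf|zip)$", re.I)

def fetch(url):
    """Stand-in for an HTTP GET: returns (status, body)."""
    return (200, SITE[url]) if url in SITE else (200, CUSTOM_404)

def spider(start, scope_host, max_depth, ignore_non_text=True):
    """Return {url: depth} for every real page reached within scope and depth."""
    # 'detect custom not found responses': probe a path that cannot exist and
    # remember its body, so pages with identical content are treated as 404s.
    _, not_found_body = fetch(urljoin(start, "/__probe_that_cannot_exist__"))
    queued = {start: 0}          # url -> depth at which the link was discovered
    live = {}                    # url -> depth, only for pages that really exist
    queue = deque([start])
    while queue:
        url = queue.popleft()
        depth = queued[url]
        _, body = fetch(url)
        if body == not_found_body:   # custom 404: record nothing, follow nothing
            continue
        live[url] = depth
        if depth >= max_depth:       # 'maximum link depth' reached: follow no further
            continue
        for href in re.findall(r'<a href="([^"]+)"', body):  # <img src> is never followed
            link = urljoin(url, href)
            if urlparse(link).hostname != scope_host:       # 'spider scope'
                continue
            if ignore_non_text and NON_TEXT.search(urlparse(link).path):
                continue                                    # 'ignore links to non-text content'
            if link not in queued:
                queued[link] = depth + 1
                queue.append(link)
    return live
```

With a depth of 2 the crawl stops at /team without requesting /team/alice, drops /old because its body matches the probe, and never leaves app.example.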

monitor burp proxy traffic

  • passively spider as you browse: activates "spidering" quietly, during normal browsing through the proxy.
  • update spider cookies from proxy requests: automatically updates the spider's cookies from proxied requests (client side).
  • update spider cookies from proxy responses: automatically updates the spider's cookies from proxied responses (server side).
  • link depth to associate with proxy requests: defines the depth assigned to items seen through the proxy (the number of further links the "spider" will follow).

forms

  • individuate forms: identifies duplicate forms by their properties (method, action, name, etc.).
  • Options:
    • don't submit forms: do not submit forms.
    • prompt for guidance: for each form, the tool asks whether the form should be submitted or not.
    • automatically submit using the following rules to assign parameter values: submits forms automatically with the default values in the table (the values can be changed).
  • set unmatched fields to: sets form fields matched by no rule to a given value (an email address, for example).
  • iterate all values of submit fields: used when a form contains several submit buttons; tells the "spider" how many buttons should be tested.

application login

Tells the "spider" how to behave when it encounters a login form:

  • don't submit login forms: do not submit the form
  • prompt for guidance: ask how to behave for each login form encountered
  • handle as ordinary forms: apply the rules specified above (see "forms")
  • automatically submit these credentials: submit login forms automatically with the username and password provided

spider engine

  • thread count: defines the number of threads (the number of requests performed in parallel)
  • retries on network failure: the number of retries when fetching an item fails
  • pause before retry (millis): the time, in milliseconds, to wait between two attempts

request headers

This section allows you to change the headers of requests to be sent to the target server.

Results of the "spider"

All results are sent to the Target tab > Site map.