Author: Jeremy DruinTwitter: @webpwnizedDescription: Using Burp Suite Spider, we find the target site and set it as the 'scope' in Burp Suite. Best rar file opener for windows 10. OWASP ZAP is a free and open-source project actively maintained by volunteers while Burp Suite is a commercial Product maintained and sold by PortSwigger, They have been selected almost on every top 10 tools of the year, and in this post, I will compare version 2020.x of burp suite which saw the first release on January 2020. Burp Spider In-Depth Posted on June 19, 2017 May 22, 2018 by Admin@itgoodtoknow Using Burp Suite efficiently means understanding your tools and capabilities, but it also means having a full scope of the web application you’re about to start testing.
Burpsuite has got its own spider called the burpspider. The burp spider is a program which crawls into all the pages of a target specified in the scope. Before starting the burp spider, burpsuite has to to be configured to intercept the HTTP traffic.
Using Burp Suite efficiently means understanding your tools and capabilities, but it also means having a full scope of the web application you’re about to start testing. Let’s say your friend asks you for help changing their bike’s handlebars. You’d have to use a wrench to unscrew the old handlebars, replace them with new ones, and screw the new ones in. You could be a master at screwing bolts in and you could have a PhD in wrenches, but if you’ve never seen a bicycle in your life, and you don’t know where the handlebars are, you won’t be much help to your friend. The idea is the same (albeit a little less silly) with penetration testing.
You’ll want to look at your web application the same way the guys in Ocean’s Eleven look at a casino. If you’ve never seen an Ocean’s movie, it’s about a rag-tag group of thieves who go around robbing high-profile locations. It’s all very elaborate and entertaining, but there are a couple of similarities. Before doing anything, the gang gets blueprints of the building they want to break into. Sometimes they build life-size replicas of the vaults they want to crack. They gather as much information about their target as they can before making a decision.
This is what you should do as well. When tasked with penetrating a website, check everything. Find places where a user can enter input, like text boxes or buttons. Look for any links that may lead to other websites. Check for files and forms. Get a feel for how the components of the web application interact with other web applications as well as each other.
If this seems long and tedious, that’s because it is. Nobody has the time or the patience to click and prod every nook and cranny, which is why Burp has a built-in function for it. It’s called Burp Spider and its job is to make yours a whole lot easier. It crawls your site and tells you of all of the different elements that it has to offer. Finding and identifying vulnerabilities is up to you, but the program really does take some weight off your shoulders. Fair warning, however, the spider can miss things, which is why you should always double check what it gives you to make sure you have everything you need.
Using Burp Spider is easy, first, open up Burp and go to the desired URL. Go to the ‘Target’ tab and the ‘Site map’ subtab. Right-click the URL and select “Add to Scope”.
Burp Suite Spider Community
This tells Burp what exactly it should be working with. Anything within the “scope” is data that can be scanned and penetrated, anything outside is fluff. This way you can have lots of tabs open and only crawl what you need to crawl. The next step is to right-click that same URL and select “Spider this Branch”. More files should show up on the right-hand side.
Burp Suite Spider Download
And that’s it. You are now free to analyse the files Burp gives you and begin to manipulate them. I’ll soon be making more posts about the other functionalities Burp has that will help you become a better white-hat hacker.