login

Burp Suite, the leading toolkit for web application security testing

Content Discovery

This function can be used to discover content and functionality which is not linked from visible content that you can browse to or spider.

To access this function, select an HTTP request anywhere within Burp, or any part of the Target site map, and choose "Discover content" within "Engagement tools" in the context menu.

Burp uses various techniques to discover content, including name guessing, web spidering, and extrapolation from naming conventions observed in use within the application. Discovered content is displayed within a special site map that is specific to the discovery session, and can also optionally be added to the main suite site map.

Control

This tab shows you the current status of the discovery session.

The toggle button indicates whether the session is running, and lets you pause and restart the session.

The following information is displayed about the progress of the discovery session:

The individual discovery tasks that are queued are shown in a table. The discovery engine works recursively, and when a new directory or file is discovered, further tasks are derived from this, depending on the configuration. For example, when a new directory is discovered, Burp might add tasks to look for sub-directories and files within that directory; or, when a new file is discovered, Burp might add a task to check for the same base filename with different file extensions. Newly added tasks are prioritized according to their likelihood of quickly discovering new content.

Target

These options let you define the start directory for the content discovery session, and whether files or directories should be targeted. The following options are available:

Filenames

These options let you configure the sources that Burp should use for generating filenames to test. The following options are available

File Extensions

These settings control how the discovery session adds file extensions to file stems that are being tested. The file stems themselves are derived according to the filenames options. When each file stem is tested, Burp check for various different extensions, according to these settings. The following options are available:

Discovery Engine

These settings control the engine used for making HTTP requests when discovering content, and interaction with the suite site map. The following options are available:

Site Map

The discovery session employs its own site map, showing all of the content which has been discovered within the defined scope. If you have configured Burp to do so, newly discovered items will also be added to Burp's main site map.

User Forum

Get help from other users, at the Burp Suite User Forum:

Visit the forum ›

Tuesday, August 19, 2014

1.6.05

This release fixes a UI bug affecting a small number of users who are running Burp on Java 1.6.

See all release notes ›

Copyright © 2014 PortSwigger Ltd. All rights reserved.