Burp Suite, the leading toolkit for web application security testing

Target Site Map

The central site map aggregates all of the information that Burp has gathered about applications. You can filter and annotate this information to help manage it, and also use the site map to drive your testing workflow.

Target Information

The site map displays target information in tree and table form, and also lets you view full requests and responses for individual items where available.

The tree view contains a hierarchical representation of content, with URLs broken down into domains, directories, files, and parameterized requests. You can expand interesting branches to see further detail. If you select one or more parts of the tree, all the selected items and items in child branches are shown in the table view.

The table view shows key details about each item (URL, HTTP status code, page title, etc.). You can sort the table according to any column (click the column header to cycle through ascending sort, descending sort, and unsorted). If you select an item in the table, the request and response (where available) for that item are shown in the request/response pane. This contains an HTTP message editor for the request and response, providing detailed analysis of each message.

The site map aggregates all of the information that Burp has gathered about applications. This includes:

Items in the site map that have been requested are shown in black. Items that have not yet been requested are shown in gray. By default (with passive spidering enabled), when you begin browsing a typical application, a large amount of content will appear in gray before you even get as far as requesting it, because Burp has discovered links to it in the content that you have requested. You can remove uninteresting content (for example, on other domains that are linked to from your target application) by setting an appropriate target scope and using the site map display filter.

Display Filter

The site map has a display filter that can be used to hide some of its content from view, to make it easier to analyze and work on the content you are interested in.

The filter bar above the site map describes the current display filter. Clicking the filter bar opens the filter options for editing. The filter can be configured based on the following attributes:

The content displayed within the site map is effectively a view into an underlying database, and the display filter controls what is included in that view. If you set a filter to hide some items, these are not deleted, only hidden, and will reappear if you unset the relevant filter. This means you can use the filter to help you systematically examine a complex site map to understand where different kinds of interesting content reside.
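The behaviour described above (a store of requested and passively discovered items, with the display filter acting only as a view over it) can be sketched as a small model. This is an added example, not Burp's code or API: the class names, the two filter attributes (scope_hosts, hide_unrequested) and the sample URLs are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

@dataclass
class Item:
    url: str
    requested: bool = False        # False = link seen in a response, not yet requested (gray)
    status: Optional[int] = None

class SiteMap:
    """Toy model: an underlying store plus a display filter that only affects the view."""
    def __init__(self):
        self.items = {}                # url -> Item; the filter never deletes from here
        self.scope_hosts = set()       # assumed filter attribute; empty = show all hosts
        self.hide_unrequested = False  # assumed filter attribute

    def add_response(self, url, status, links=()):
        """Record a requested item and passively add any links found in its response."""
        item = self.items.setdefault(url, Item(url))
        item.requested, item.status = True, status
        for link in links:
            self.items.setdefault(link, Item(link))

    def view(self):
        """Items that pass the current display filter."""
        return [i for i in self.items.values()
                if (not self.scope_hosts or urlsplit(i.url).hostname in self.scope_hosts)
                and (i.requested or not self.hide_unrequested)]

    def tree(self):
        """Visible items as host -> directory -> file -> list of query strings."""
        root = {}
        for item in self.view():
            p = urlsplit(item.url)
            directory, _, name = p.path.rpartition("/")
            files = root.setdefault(p.hostname, {}).setdefault(directory + "/", {})
            files.setdefault(name or "/", []).append(p.query)
        return root

def build_sample():
    """Constructed sample: one page that links to an in-app URL and a third-party host."""
    sm = SiteMap()
    sm.add_response("https://app.example/", 200, links=[
        "https://app.example/account/view?id=1",
        "https://cdn.example/lib.js"])
    sm.add_response("https://app.example/account/view?id=1", 200)
    return sm
```

Setting scope_hosts to {"app.example"} hides the cdn.example item from view() and tree(), and clearing it brings the item back, because items is never modified by the filter.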

Annotations

In the table view, you can annotate items by adding comments and highlights. This can be useful to describe the purpose of different URLs, and to flag up interesting items for further investigation.

You can add highlights in two ways:

You can add comments in two ways:

When you have annotated interesting requests, you can use column sorting and the display filter to quickly find these items later.

Testing Workflow

As well as displaying all of the information gathered about your target, the site map enables you to control and initiate specific attacks against the target, using the context menus that appear everywhere. The exact options that are available depend on the location where the context menu was invoked, and the type of item(s) selected. The complete list of context menu actions is as follows:

Wednesday, June 11, 2014

v1.6.01

This release contains various enhancements to existing functionality, including improvements to the Spider's link-discovery engine, which now achieves a WIVET score of 50%. There is more work to do in this area, and improved crawling of JavaScript-driven navigation is in the pipeline.

Various bugs have also been fixed.

Copyright © 2014 PortSwigger Ltd. All rights reserved.