Comparing site maps

You can use this function to compare two site maps and highlight differences. This feature can be used in various ways to help find different types of access control vulnerabilities, and identify which areas of a large application warrant close manual inspection. Some typical use-cases for this functionality are as follows:

You can access the "Compare site maps" feature using the context menu on the main site map. This opens a wizard that lets you configure the sources of the site maps you want to compare, how requests should be matched between the site maps, and how the response comparison should be done. Burp then carries out the comparison and displays the results for you to review.

Site map sources

To perform a site map comparison, you need to select the sources of the site maps you want to compare. The following options are available:

You can choose to include all of the site map's contents, or you can restrict only to selected or in-scope items.

If you are re-requesting a site map in a different session context, the following points should be noted:

Request matching

To perform the comparison, Burp works through each request in the first site map, and matches this with a request in the second site map, and vice versa. You can configure the details of how the request matching is done, to tailor this to features of the target application.

You can select which of the following items are used for matching requests:

The default options will work well in most situations, and will match requests based on URL file path, HTTP method and the names of parameters in the query string and message body.

Response comparison

The responses to matched requests are compared to identify any differences. You can configure the details of how the response comparison is done, to tailor this to features of the target application.

The following options are available:

The default options will work in most situations. These options ignore various common HTTP headers and form fields that have ephemeral values, and also ignore whitespace-only variations in responses. The default options are designed to reduce the noise generated by inconsequential variations in responses, allowing you to focus attention on differences that are more likely to matter.

Comparison results

The comparison results show both site maps together, with relevant differences highlighted in the tree and table views. Items that have been added, deleted or modified between the two maps are colorized accordingly. The table view also contains a "Diff count" column, which represents the minimum number of text edits required to "convert" the response in Map 1 to the matched response in Map 2.

When you select an item in the tree or table of one of the maps, the selection in the other map is automatically updated to show the same branches of the tree, or select the same item in the table. You can change this behavior by unchecking the "Sync selection" option.

The full requests and responses for the selected items are shown in the request/response viewers, and relevant differences are highlighted within the responses.

There is a single display filter that applies to both maps, which by default shows all items.

Interpreting the results of a site map comparison requires human intelligence, and an understanding of the meaning and context of specific application functions. For example:

All of these scenarios may coexist in the same application, making the task of identifying actual access control problems more challenging. The only way to do this is through a manual review of the comparison results. Burp gives you several ways of making this process easier:

The challenges involved in evaluating access controls are the reason why fully automated tools are so ineffective at identifying access control vulnerabilities. In practice, tools that aim to do so generate mostly noise and are highly prone to false positives and negatives. In contrast, Burp does not relieve you of the task of closely examining the application's functionality, and evaluating whether access controls are being properly applied in each case. What the site map comparison feature does is to automate as much of the process as possible, giving you all the information you need in a clear form, and letting you apply your knowledge of the application's functionality to identify any actual vulnerabilities.