The Target tool gives you an overview of your target application's content and functionality, and lets you drive key parts of your testing workflow. The key steps that are typically involved in using the Target tab are described below.
First, map the target application manually. To do this, carry out the following steps:
This manual mapping process will populate the Target site map with all of the content requested via the Proxy, and also (via live passive crawling) any further content that can be inferred from application responses (via links, forms, etc.). This manual mapping process will build up a fairly complete record in the site map of all the visible application content, and also fully familiarize you with the application.
Note: For some use cases, Burp's automated crawler is superior to manual application mapping, because it captures the navigational paths through the application in a way that lets Burp Scanner automatically maintain session when auditing the application. Manual mapping, on the other hand, allows a human user to guide the process, avoiding potentially dangerous functionality, and verifying that navigational actions have the expected results. The choice of manual versus automated mapping very much depends on the nature of the application and your intended use of the results.
When the initial application mapping is completed, this is a good time to define your Target scope, by selecting branches within the site map and using the "Add to scope" / "Remove from scope" commands on the context menu. You can then configure suitable display filters on the site map and Proxy history, to hide from view items that you are not currently interested in.
Review the site map for any items in your target that have been detected via live passive crawling but have not yet been requested. These items are shown in gray in the site map. You can also quickly locate unrequested items by selecting the whole application in the tree view, and sorting the table view on the "Time requested" column (by clicking the column header) - unrequested items will then be grouped together. You should manually review these items (for example, by copying each URL into your browser) to confirm whether they contain any further interesting content.
Having mapped all of the application's visible content (i.e. that which can be observed by browsing the application and following all links), you can optionally carry out some automated actions to identify further "hidden" content that is not linked from visible content:
When you are satisfied that you have mapped all of the application's content and functionality, you should review the contents of the site map (together with the Proxy history) to understand the attack surface that the application exposes. You can use the following site map features to support this task:
Having fully mapped the application and assessed its attack surface, you can drive your detailed vulnerability testing workflow from the site map: