Using the Target tool

  • Last updated: January 20, 2023

  • Read time: 3 Minutes

The Target tool gives you an overview of your target application's content and functionality, and lets you drive key parts of your testing workflow. The key steps that are typically involved in using the Target tab are described below.

Manual application mapping

First, map the target application manually. To do this, carry out the following steps:

  • Launch Burp's browser.
  • Browse the entire application manually.
  • Follow every link, submit every form, step through every multi-stage process, and log in to all protected areas.

This manual mapping process will populate the Target site map with all of the content requested via the Proxy, and also (via live passive crawling) any further content that can be inferred from application responses (via links, forms, etc.). This manual mapping process will build up a fairly complete record in the site map of all the visible application content, and also fully familiarize you with the application.


For some use cases, Burp's automated crawler is superior to manual application mapping, because it captures the navigational paths through the application in a way that lets Burp Scanner automatically maintain session when auditing the application. Manual mapping, on the other hand, allows a human user to guide the process, avoiding potentially dangerous functionality, and verifying that navigational actions have the expected results. The choice of manual versus automated mapping very much depends on the nature of the application and your intended use of the results.

Defining Target scope

When the initial application mapping is completed, this is a good time to define your Target scope, by selecting branches within the site map and using the Add to scope / Remove from scope commands on the context menu. You can then configure suitable display filters on the site map and Proxy history, to hide from view items that you are not currently interested in.

Reviewing unrequested items

Review the site map for any items in your target that have been detected via live passive crawling but have not yet been requested. These items are shown in gray in the site map. You can also quickly locate unrequested items by selecting the whole application in the tree view, and sorting the table view on the Time requested column (by clicking the column header) - unrequested items will then be grouped together. You should manually review these items (for example, by copying each URL into Burp's browser) to confirm whether they contain any further interesting content.

Discovering hidden content

Having mapped all of the application's visible content (i.e. that which can be observed by browsing the application and following all links), you can optionally carry out some automated actions to identify further "hidden" content that is not linked from visible content:

Analyzing the attack surface

When you are satisfied that you have mapped all of the application's content and functionality, you should review the contents of the site map (together with the Proxy history) to understand the attack surface that the application exposes. You can use the following site map features to support this task:

  • You can select branches of the site map tree and use the Target analyzer function to identify all of the dynamic URLs and parameters.
  • You can use the display filter, and sortable table view, to systematically work through a complex site map and understand where different kinds of interesting content reside.
  • You can annotate items with highlights and comments, to describe their purpose or identify interesting items to come back to later.

Target tool testing workflow

Having fully mapped the application and assessed its attack surface, you can drive your detailed vulnerability testing workflow from the site map:

Was this article helpful?