Burp Suite, the leading toolkit for web application security testing

Target Site Map

The site map aggregates all of the information that Burp has gathered about applications. You can filter and annotate this information to help manage it, and also use the site map to drive your testing workflow.

Target Information

The site map displays information about the contents and security issues that have been discovered in target applications. It lets you view the full requests and responses for individual items, and the full details about discovered issues.

Site Map Views

The left-hand-side tree view contains a hierarchical representation of content, with URLs broken down into domains, directories, files, and parameterized requests. You can expand interesting branches to see further detail. If you select one or more parts of the tree, the relevant details about all the selected items and items in child branches are shown in the right-hand-side view.

The icons in the tree view also provide a visual indication of the most significant security issue that has been identified within each branch or item.

The right-hand-side view contains details of both the contents and discovered issues for the items selected in the tree view. The contents and issues can be displayed within separate sub-tabs or in a left/right split. Note: You can configure your preferred view via the View sub-menu on the context menu.

You can pop up a new site map window, based on the same underlying data, using the "Show new site map window" option on the context menu. You can use the new window to display and monitor a different selection of target items. You can also apply a different display filter.

Contents View

The site map aggregates all of the content that Burp has observed in applications. This includes:

Items in the site map that have been requested are shown in black. Items that have not yet been requested are shown in gray. By default (with passive spidering enabled) when you begin browsing a typical application, a large amount of content will appear in gray before you even get as far as requesting it, because Burp has discovered links to it in the content that you have requested. You can remove uninteresting content (for example, on other domains that are linked to from your target application), by setting an appropriate target scope and using the site map display filter.

The contents table shows key details about each selected item (URL, HTTP status code, page title, etc.). You can sort the table according to any column (click the column header to cycle through ascending sort, descending sort, and unsorted). If you select an item in the table, the request and response (where available) for that item are shown in the request/response pane. This contains an HTTP message editor for the request and response, providing detailed analysis of each message.

Issues View

The issues view of the site map shows the issues that Burp Scanner has identified for the selected items, based on both active and passive scanning. If you select an issue, the relevant details are displayed, including:

Often, the fastest way to reproduce and verify an issue is to use the context menu on the message editor to send the request to Burp Repeater. Alternatively, for GET requests, you can copy the URL and paste it into your browser. Then you can reissue the request, and if necessary fine tune the proof-of-concept attack that was generated by Burp.

Every issue that Burp Scanner reports is given a rating both for severity (high, medium, low, informational) and for confidence (certain, firm, tentative). When an issue has been identified using a technique that is inherently less reliable (such as for blind SQL injection), Burp makes you aware of this, by dropping the confidence level to less than certain. These ratings should always be interpreted as indicative, and you should review them based on your knowledge of the application's functionality and business context.

The issues view has a context menu that you can use to perform the following actions:

Display Filter

The site map has a display filter that can be used to hide some of its content from view, to make it easier to analyze and work on the content you are interested in.

The filter bar above the site map describes the current display filter. Clicking the filter bar opens the filter options for editing. The filter can be configured based on the following attributes:

The content displayed within the site map is effectively a view into an underlying database, and the display filter controls what is included in that view. If you set a filter to hide some items, these are not deleted, only hidden, and will reappear if you unset the relevant filter. This means you can use the filter to help you systematically examine a complex site map to understand where different kinds of interesting content reside.

Note: If you often use different display filters, you can pop up additional site map windows (using the "Show new site map window" option on the context menu), and apply a different display filter to each window.


In the contents table view, you can annotate items by adding comments and highlights. This can be useful to describe the purpose of different URLs, and to flag up interesting items for further investigation.

You can add highlights in two ways:

You can add comments in two ways:

When you have annotated interesting requests, you can use column sorting and the display filter to quickly find these items later.

Testing Workflow

As well as displaying all of the information gathered about your target, the site map enables you to control and initiate specific attacks against the target, using the context menus that appear everywhere. The exact options that are available depend on the location where the context menu was invoked, and the type of item(s) selected. The complete list of context menu actions is as follows:

Support Center

Get help and join the community discussions at the Burp Suite Support Center.

Visit the Support Center ›

Tuesday, October 6, 2015


This release adds the ability to annotate the active scan queue with comments and highlights, as is already possible in the Proxy history and Target site map

A number of other fixes and enhancements have also been applied.

See all release notes ›

Copyright © 2015 PortSwigger Ltd. All rights reserved.