Target Site Map
The site map aggregates all of the information that Burp has gathered about applications. You can filter and annotate this information to help manage it, and also use the site map to drive your testing workflow.
Target Information
The site map displays information about the contents and security issues that have been discovered in target applications. It lets you view the full requests and responses for individual items, and the full details about discovered issues.
Site Map Views
The left-hand-side tree view contains a hierarchical representation of content, with URLs broken down into domains, directories, files, and parameterized requests. You can expand interesting branches to see further detail. If you select one or more parts of the tree, the relevant details about all the selected items, and the items in their child branches, are shown in the right-hand-side view.
The icons in the tree view also provide a visual indication of the most significant security issue that has been identified within each branch or item.
The right-hand-side view contains details of both the contents and the discovered issues for the items selected in the tree view. The contents and issues can be displayed within separate sub-tabs or in a left/right split.
Note: You can configure your preferred view via the View sub-menu on the context menu.
You can pop up a new site map window, based on the same underlying data, using the "Show new site map window" option on the context menu. You can use the new window to display and monitor a different selection of target items, and you can apply a different display filter to it.
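As an added illustration (my own Python, not Burp's code), the following builds the kind of tree described above from a list of observed URLs, hanging each parameterized request off its file node, and rolls the most severe issue up every branch the way the tree icons summarize it. The severity labels, the "?query" naming of parameterized nodes and the sample observations are my own constructions.

```python
from urllib.parse import urlparse

# Ranking used to pick the most significant issue for a branch (my own labels).
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}

def worse(a, b):
    """Return the more severe of two severity labels; None means no issue."""
    if a is None or b is None:
        return a if b is None else b
    return a if SEVERITY_RANK[a] >= SEVERITY_RANK[b] else b

def build_site_map(observations):
    """Build a host -> directories -> file -> parameterized-request tree."""
    root = {"children": {}, "worst": None}
    for url, severity in observations:   # (url, severity-or-None) pairs
        u = urlparse(url)
        parts = [u.netloc] + [p for p in u.path.split("/") if p]
        if u.query:
            parts.append("?" + u.query)  # parameterized request under its file
        node = root
        for part in parts:
            node = node["children"].setdefault(part, {"children": {}, "worst": None})
        node["worst"] = worse(node["worst"], severity)
    roll_up(root)
    return root

def roll_up(node):
    """Propagate each child branch's most severe issue to its parent."""
    for child in node["children"].values():
        node["worst"] = worse(node["worst"], roll_up(child))
    return node["worst"]

def render(node, depth=0):
    """Plain-text tree; the bracketed letter stands in for the branch icon."""
    lines = []
    for name, child in sorted(node["children"].items()):
        icon = (child["worst"] or "-")[0].upper()
        lines.append(f"{'  ' * depth}[{icon}] {name}")
        lines.extend(render(child, depth + 1))
    return lines

# Constructed sample observations, not real scan output.
SAMPLE = [
    ("https://app.example/login", None),
    ("https://app.example/api/user?id=7", "high"),
    ("https://app.example/api/health", "low"),
    ("https://cdn.other.example/lib.js", None),
]
```

Selecting a branch in the real tree shows everything beneath it; here the same information is the subtree under a node, with the node's "worst" value playing the role of the icon.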
Contents View
The site map aggregates all of the content that Burp has observed in applications. This includes:
- All of the resources that have been directly requested via the Proxy.
- Any items that have been inferred by analyzing the responses to proxy requests (provided you have not disabled passive spidering).
- Content discovered using the Spider or content discovery functions.
- Any items manually added by the user, from the output of other tools.
Items in the site map that have been requested are shown in black. Items that have not yet been requested are shown in gray. By default (with passive spidering enabled), when you begin browsing a typical application, a large amount of content will appear in gray before you even get as far as requesting it, because Burp has discovered links to it in the content that you have requested. You can remove uninteresting content (for example, on other domains that are linked to from your target application) by setting an appropriate target scope and using the site map display filter.
The contents table shows key details about each selected item (URL, HTTP status code, page title, etc.). You can sort the table according to any column (click the column header to cycle through ascending sort, descending sort, and unsorted). If you select an item in the table, the request and response (where available) for that item are shown in the request/response pane. This contains an HTTP message editor for the request and response, providing detailed analysis of each message.
Issues View
The issues view of the site map shows the issues that Burp Scanner has identified for the selected items, based on both active and passive scanning. If you select an issue, the relevant details are displayed, including:
- A customized vulnerability advisory containing:
  - A standard description of the issue type and its remediation.
  - A description of any specific features that apply to the issue and affect its remediation.
- The full requests and responses that were the basis for reporting the issue. Where applicable, the parts of the request and response that are relevant to identifying and reproducing the issue are highlighted in the request and response message editors.
- Details of any interactions with the Burp Collaborator server that were the basis for reporting the issue.
Often, the fastest way to reproduce and verify an issue is to use the context menu on the message editor to send the request to Burp Repeater. Alternatively, for GET requests, you can copy the URL and paste it into your browser. You can then reissue the request and, if necessary, fine-tune the proof-of-concept attack that Burp generated.
Every issue that Burp Scanner reports is given a rating both for severity (high, medium, low, informational) and for confidence (certain, firm, tentative). When an issue has been identified using a technique that is inherently less reliable (such as blind SQL injection), Burp makes you aware of this by dropping the confidence level below certain. These ratings should always be interpreted as indicative, and you should review them based on your knowledge of the application's functionality and business context.
The issues view has a context menu that you can use to perform the following actions:
- Report selected issues - This starts Burp Scanner's reporting wizard, to generate a formal report of the selected issues.
- Set severity - This lets you reassign the severity level of the issue. You can set the severity to high, medium, low, or informational. You can also flag the issue as a false positive.
- Set confidence - This lets you reassign the confidence level of the issue. You can set the confidence to certain, firm, or tentative.
- Delete selected issues - This deletes the selected issues. Note that if you delete an issue and Burp rediscovers the same issue (for example, if you rescan the same request), then the issue will be reported again. If instead you mark the issue as a false positive, it will not be reported again. Deletion of issues is therefore best used for cleaning up the scan results, to remove hosts or paths you are not interested in. For unwanted issues within functionality you are still working on, you should use the false positive option.
Display Filter
The site map has a display filter that can be used to hide some of its content from view, to make it easier to analyze and work on the content you are interested in.
The filter bar above the site map describes the current display filter. Clicking the filter bar opens the filter options for editing. The filter can be configured based on the following attributes:
- Request type - You can show only in-scope items, only requested items, or only requests with parameters, or you can hide not-found items.
- MIME type - You can configure whether to show or hide responses containing various different MIME types, such as HTML, CSS, or images.
- Status code - You can configure whether to show or hide responses with various HTTP status codes.
- Folders - You can optionally hide empty folders in the tree view. This is useful for removing folders whose child items have all been hidden by other display filter attributes.
- Search term - [Pro version] You can filter on whether or not responses contain a specified search term. You can configure whether the search term is a literal string or a regular expression, and whether it is case sensitive. If you select the "Negative search" option, then only items not matching the search term will be shown.
- File extension - You can configure whether to show or hide items with specified file extensions.
- Annotation - You can configure whether to show only items with user-supplied comments or highlights.
The content displayed within the site map is effectively a view into an underlying database, and the display filter controls what is included in that view. If you set a filter to hide some items, these are not deleted, only hidden, and will reappear if you unset the relevant filter. This means you can use the filter to help you systematically examine a complex site map and understand where different kinds of interesting content reside.
Note: If you often use different display filters, you can pop up additional site map windows (using the "Show new site map window" option on the context menu) and apply a different display filter to each window.
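As an added model of the filter rules above (my own Python, not Burp's code), the following keeps hidden items in the data and only leaves them out of the view; it covers the request-type, MIME-type, annotation and search-term attributes, and simplifies the target scope to a set of hostnames. The Item fields and the sample entries are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Set
from urllib.parse import urlparse

@dataclass
class Item:  # constructed stand-in for a site map entry, not Burp's data model
    url: str
    requested: bool = True        # False for gray items only inferred from links
    status: Optional[int] = None  # None until a response has been received
    mime: Optional[str] = None
    body: str = ""
    comment: str = ""             # user annotation; "" means none

@dataclass
class DisplayFilter:
    scope_hosts: Optional[Set[str]] = None  # "show only in-scope items" when set
    only_requested: bool = False
    only_with_params: bool = False
    hide_not_found: bool = False
    hide_mime: Set[str] = field(default_factory=set)
    only_annotated: bool = False
    search: Optional[str] = None            # [Pro] response search term
    search_regex: bool = False
    case_sensitive: bool = False
    negative_search: bool = False

    def shows(self, item: Item) -> bool:  # hidden items stay in the data, only out of view
        u = urlparse(item.url)
        hidden = [
            self.scope_hosts is not None and u.hostname not in self.scope_hosts,
            self.only_requested and not item.requested,
            self.only_with_params and not u.query,
            self.hide_not_found and item.status == 404,
            item.mime in self.hide_mime,
            self.only_annotated and not item.comment,
        ]
        if self.search is not None:
            pattern = self.search if self.search_regex else re.escape(self.search)
            flags = 0 if self.case_sensitive else re.IGNORECASE
            hit = re.search(pattern, item.body, flags) is not None
            hidden.append(hit == self.negative_search)  # negative search inverts
        return not any(hidden)

SAMPLE_ITEMS = [  # constructed entries, not captured traffic
    Item("https://app.example/api/user?id=7", status=200, mime="JSON", body='{"role":"admin"}', comment="check access control"),
    Item("https://app.example/static/site.css", status=200, mime="CSS", body="body{}"),
    Item("https://app.example/old/page", status=404, mime="HTML", body="Not Found"),
    Item("https://cdn.other.example/lib.js", requested=False),
]
```

Changing the filter only changes which SAMPLE_ITEMS pass shows(); the list itself is untouched, which is the point the paragraph above makes about the underlying database.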
Annotations
In the contents table view, you can annotate items by adding comments and highlights. This can be useful to describe the purpose of different URLs, and to flag interesting items for further investigation.
You can add highlights in two ways:
- You can highlight individual items using the drop-down menu on the left-most table column.
- You can highlight one or more selected items using the "Highlight" item on the context menu.
You can add comments in two ways:
- You can double-click the relevant entry within the Comment column to add or edit a comment in place.
- You can comment on one or more selected items using the "Add comment" item on the context menu.
When you have annotated interesting requests, you can use column sorting and the display filter to quickly find these items later.
Testing Workflow
As well as displaying all of the information gathered about your target, the site map enables you to control and initiate specific attacks against the target, using the context menus that appear throughout Burp. The exact options that are available depend on the location where the context menu was invoked and the type of item(s) selected. The complete list of context menu actions is as follows:
- Add to / remove from scope - These options create new target scope rules which add or remove the selected item(s) from scope. The rule generated applies to the selected item and all child branches in the tree. A common technique when testing an application that includes some sensitive URLs is to add the whole application path (domain or directory) to the target scope, and then select the sensitive items and exclude them from scope.
- Scan / Spider / Send to ... - You can send any item to other Burp tools, to perform further attacks or analysis. The ability to send requests between tools forms the core of Burp's user-driven workflow. For example, you can select a host or folder within the tree view and perform actions on the entire branch of the tree, such as spidering or scanning. Or you can select an individual item anywhere and send the request to other Burp tools, such as Intruder or Repeater.
- Show response in browser - You can use this to render the selected response in your browser, to avoid the limitations of Burp's built-in HTML renderer. When you select this option, Burp gives you a unique URL that you can paste into your browser (configured to use the current instance of Burp as its proxy), to render the response. The resulting browser request is served by Burp with the exact response that you selected (the request is not forwarded to the original web server), and yet the response is processed by the browser in the context of the originally requested URL. Hence, relative links within the response will be handled properly by your browser. As a result, your browser may make additional requests (for images, CSS, etc.) in the course of rendering the response - these will be handled by Burp in the usual way.
- Request in browser - You can use this to re-issue the selected request in your browser (configured to use the current instance of Burp as its proxy). The following sub-options are available:
  - In original session - This causes Burp to issue the request using the exact Cookie header that appeared in the original request.
  - In current browser session - This causes Burp to issue the request using the cookies supplied by your browser. You can use this feature to facilitate testing of access controls, by selecting requests within Burp that were generated within one user context (e.g. an administrator) and reissuing them within the different user context that you are now logged in as (e.g. an ordinary user). When you are dealing with complex, multi-stage processes, this methodology of manually pasting a series of URLs from Burp into your browser is normally a lot easier than repeating a multi-stage process over and over and modifying cookies manually using the Proxy.
- Engagement tools - [Pro version] This submenu contains various useful functions for carrying out engagement-related tasks:
  - Search - [Pro version] You can use the Search function to search the selected branch(es) of the site map for items matching a specific expression.
  - Find comments / scripts - [Pro version] You can use the Find comments / scripts functions to search the selected branch(es) of the site map for comments and scripts.
  - Find references - [Pro version] You can use the Find references function to search all of Burp's tools for HTTP responses that link to the selected item.
  - Analyze target - [Pro version] You can use the Target Analyzer function to analyze the selected branch(es) of the site map and tell you how many static and dynamic URLs it contains, and how many parameters each URL takes.
  - Discover content - [Pro version] You can use the Discover content function to discover content and functionality that is not linked from visible content that you can browse to or spider.
  - Schedule task - [Pro version] You can use the Schedule task function to create tasks that will run automatically at defined times and intervals.
  - Generate CSRF PoC - [Pro version] You can use the Generate CSRF PoC function to create HTML which, when viewed in a browser, will cause the selected request to be issued.
  - Simulate manual testing - [Pro version] The Manual testing simulator can be used to generate HTTP traffic that is similar to that caused by manual penetration testing.
- Compare site maps - You can use the Compare site maps function to identify differences between two site maps. This is a powerful feature that can be used for various purposes, in particular testing for access control vulnerabilities.
- Add comment - You can use this function to add a comment to the selected table item(s). See Annotations for more details.
- Highlight - You can use this function to apply a highlight to the selected table item(s). See Annotations for more details.
- Expand / collapse branch / requested items - You can use these functions in the tree view to quickly expand whole branches of the tree, and collapse them after you have reviewed them.
- Delete item(s) - This function removes the selected item(s) permanently. Since by default the site map displays all content that Burp has identified based on HTTP responses, the map will often include a large amount of third-party content that is linked to from the application you are interested in. You can deal with this either by configuring a suitable target scope and a display filter, or by manually removing irrelevant branches of the tree.
- Copy URL(s) - This function copies the URL(s) of the selected item(s) to the clipboard.
- Copy as curl command - This function copies to the clipboard a curl command that can be used to generate the selected request.
- Copy links - This function parses the selected item(s) for links, and copies these to the clipboard.
- Save item(s) - This function lets you specify a file to save the details of the selected item(s) in XML format, including full requests and responses, and all relevant metadata such as response length, HTTP status code and MIME type.