Burp Suite User Forum


2 requests with the same URL but different HTTP methods are not getting added to the Site Map

Akash | Last updated: May 25, 2018 07:03AM UTC

Suppose we have a GET request and a PUT request with the exact same URL:

GET https://test.com/xyz
PUT https://test.com/xyz

Only one of them (the one that is intercepted/invoked last) gets added to the Site Map. If I intercept or invoke GET from Repeater, it gets added to the Site Map all right. But when I invoke the PUT request afterwards, the GET request gets replaced by the PUT request in the Site Map, and the initial GET request is nowhere to be seen in the Site Map.

This will affect the scans, since the first captured request will not be scanned at all, as it will not be in the Site Map. One has to manually send such requests to the Scanner. This can become a daunting task if the application is big and there are many such requests.

Can you please let us know why we see this behavior? Is there anything we can tweak to get both requests in the Site Map?

PortSwigger Agent | Last updated: May 25, 2018 07:58AM UTC

Hi Akash,

Thanks for reporting this. This is part of the current Site Map design, which unfortunately doesn't suit modern REST APIs so well. We do intend to update Site Map to handle this, but due to the design it's a non-trivial change.

In the meantime, we recommend you use Proxy History more. You can set the filter so only in-scope items are displayed, then select a range and send them to the Scanner. Although a little convoluted, this should do what you need.

We'll let you know when we make progress on the Site Map.
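Added example, not part of the original thread and not PortSwigger code: a small script that models the last-request-wins behaviour described above and lists the method/URL pairs a URL-keyed view would hide, so they can be sent to the Scanner from Proxy History. It assumes a saved proxy-history XML file in which each `<item>` has `<url>` and `<method>` child elements (an assumption about the export layout); the sample data and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample standing in for a saved proxy history (layout is assumed).
SAMPLE_EXPORT = """<items>
  <item><url>https://test.com/xyz</url><method>GET</method></item>
  <item><url>https://test.com/abc</url><method>GET</method></item>
  <item><url>https://test.com/xyz</url><method>PUT</method></item>
  <item><url>https://test.com/xyz</url><method>PUT</method></item>
</items>"""


def load_requests(xml_text):
    """Return (method, url) pairs in the order they were captured."""
    root = ET.fromstring(xml_text)
    pairs = []
    for item in root.iter("item"):
        url = (item.findtext("url") or "").strip()
        method = (item.findtext("method") or "").strip().upper()
        if url and method:
            pairs.append((method, url))
    return pairs


def url_keyed_view(pairs):
    """Model the behaviour in the thread: one entry per URL, last request wins."""
    view = {}
    for method, url in pairs:
        view[url] = method
    return view


def shadowed_requests(pairs):
    """Distinct (method, url) pairs that the URL-keyed view no longer shows."""
    view = url_keyed_view(pairs)
    missing = []
    for method, url in pairs:
        if view[url] != method and (method, url) not in missing:
            missing.append((method, url))
    return missing


if __name__ == "__main__":
    for method, url in shadowed_requests(load_requests(SAMPLE_EXPORT)):
        print(f"not in URL-keyed view, scan manually: {method} {url}")
```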
