Burp Suite User Forum

About the login sequence and some pages with the same URL

木住野奈夫人 | Last updated: Jun 07, 2021 06:59AM UTC

Hi support,

I have 2 questions.

1. About the login sequence.
I have a login sequence that crosses through multiple pages. If I set this login sequence for a scan, will these pages in the login sequence be scanned in the audit phase?

2. About some pages with the same URL.
Our web application has a page that has an input form. If we submit the form, it will go to the next page without changing the URL. The page changes based on the parameters set in JavaScript. Is it possible to make Burp Suite Enterprise crawl the pages that have the same URL but with different parameters? Or, is it possible to scan the same URL but with different parameters in the audit phase?

For example - Different page with the same URL

1. Input form page
   URL: "ourproduct.com/inquire"
2. Input some info and submit the form
3. Move to the next page with a different form
   URL: "ourproduct.com/inquire"
4. Submit the form in #3
5. Move to the next page. It has some message on the page.
   URL: "ourproduct.com/inquire"

Regards,
Nk

Maia, PortSwigger Agent | Last updated: Jun 07, 2021 02:08PM UTC

Hi,

Thank you for your message.
If you are using recorded logins and the pages in the login sequence are within the site scope then they should be scanned. You can check that they have been scanned on the Scanned URLs tab.

We do have some limited support for single-page applications. I recommend trying to scan the site with the embedded browser enabled and seeing if you get the expected results. If you are using a recorded login in your scan then that scan will already be using the embedded browser for crawling and auditing, otherwise you can enable it in your scan configuration by setting "Crawling > Miscellaneous > Use embedded browser for crawl and audit" to "Yes".

SPA support is something that we are actively working on improving and can be found on our roadmap here.

木住野奈夫人 | Last updated: Jun 08, 2021 09:04AM UTC

Thank you for your answer.

I have one more question. It is about the following crawling flow.
https://portswigger.net/burp/documentation/images/crawling/crawling-3.svg

How does Burp identify the elements of the form and give it valid parameters when submitting the form?

Maia, PortSwigger Agent | Last updated: Jun 08, 2021 04:52PM UTC

Hi,

We have a blog post that explains this nicely: https://portswigger.net/blog/web-application-cartography-mapping-out-burp-suites-crawler
