Burp Suite User Forum


Burp Spider deleted controls in a SalesForce application

Don | Last updated: May 18, 2018 02:27AM UTC

Hi - We recently spidered a Salesforce application and this resulted in changes to the application such as:

- Deleted custom field
- Changed the UI Skin
- Changed "Enable Drag-and-Drop Editing on Calendar Views" from on to off
- Changed formula of Month custom field
- etc.

The "Automatically submit forms" option was enabled. Why would Burp Spider be able to do these things? What default values does Burp provide when submitting forms that could have caused these changes? Please help, as we are being asked to do an RCA. Thanks!

PortSwigger Agent | Last updated: May 18, 2018 07:23AM UTC

Hi Don, Thanks for getting in touch. It is quite normal that Burp Spider will sometimes cause this kind of damage. We recommend that you run Spider (and other tools) in a test environment so such behavior doesn't have a business impact.

You can see the dummy data that Spider uses for forms by looking in Spider > Options > Form Submission. You can configure Spider to not submit forms, although this reduces the parts of your application reached during the Spider, reducing the benefit of any scanning.

In theory, well designed applications should only change state with POST requests, although we find in practice many applications change state with GET requests, so even when disabling form submission, Spider can still cause damage.

Please let us know if you need any further assistance.
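To support an RCA like the one Don is asked for, a first pass is to triage the crawler's request history for the two mechanisms named above: GET requests whose path or query names an action (followed as ordinary links) and form POSTs (submitted with dummy data). The script below is an added example, not code from the thread or from PortSwigger; the request history, paths and parameters are constructed for illustration and do not represent real Salesforce URLs, and the action words are an assumed heuristic list.

```python
import re

# Constructed sample of a crawler/proxy history as "METHOD URL STATUS" lines.
# Paths and parameters are invented for illustration, not real Salesforce URLs.
SAMPLE_HISTORY = """\
GET /home/home.jsp 200
GET /ui/setup/layout/CustomFieldDelete?id=00N000000EXAMPLE&retURL=/setup 302
GET /ui/setup/calendar/CalendarSettingsEdit?dragDrop=0&save=1 200
POST /setup/ui/skin/ChangeSkin 302
GET /ui/help/HelpPage?topic=fields 200
GET /0011b00000abc?action=edit 200
GET /static/img/logo.png 200
"""

# Assumed heuristic: substrings in a path or query that usually denote a
# state-changing action. Substring matching is deliberately loose for triage.
STATE_CHANGE_WORDS = re.compile(
    r"(delete|remove|edit|update|save|change|toggle|enable|disable|submit)",
    re.IGNORECASE,
)


def parse_history(text):
    """Turn 'METHOD URL STATUS' lines into (method, url, status) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        method, url, status = parts
        rows.append((method, url, int(status)))
    return rows


def triage(text):
    """Return (method, url, status, reason) for requests a crawler could have
    used to change state.

    A GET naming an action in its path or query is the prime suspect, because a
    crawler follows links without submitting anything. POSTs are listed too,
    since automatic form submission with dummy data can change state as well.
    """
    findings = []
    for method, url, status in parse_history(text):
        path, _, query = url.partition("?")
        if method == "GET" and STATE_CHANGE_WORDS.search(path + " " + query):
            findings.append((method, url, status, "state-changing GET"))
        elif method == "POST":
            findings.append((method, url, status, "form submission"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_HISTORY):
        print(*finding)
```

Run it against an exported history to get a short list of requests to check against the application's audit trail; a crawler's "state-changing GET" hits are the ones that disabling form submission would not have prevented.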
