Burp Suite User Forum


Crawl and audit SPA application

Alin | Last updated: Aug 21, 2020 11:49AM UTC

Hello,

I understood from the release plan that future releases will include upgraded scan features. I have in mind a case where today I cannot use Burp to do a vulnerability assessment scan and am curious if I'm missing something or if it will be a feature in the next releases:

- the app in cause is a SPA (Angular as a UI framework). The application is rendering HTML in the following subdomain: dev.target.com. On dev.target.com/login there is a login form, but that request is sent to api-dev.target.com (with credentials).

As normal, in Burp's Site Map tab we have two entries, one for api-dev and another for dev. The issue that arises is that we cannot scan both subdomains in the same context (as far as I know). Burp is unable to do an authenticated scan in api-dev, because it doesn't find a login form. And if I start a scan on dev.target.com, I'm not sure if it will send requests to api-dev.

Lately, I encountered multiple apps which use a UI framework on a subdomain, but all the calls that retrieve data are on a different subdomain, and I don't know how best to use Burp to do an assessment on them.

Thank you,
Alin

Liam, PortSwigger Agent | Last updated: Aug 24, 2020 10:43AM UTC

We're due to release a recorded login feature next month for Burp Suite Pro. Please let us know if you have any issues with the new feature.
