Burp Suite User Forum

Crawl with letters or specified values in body text fields

asdf | Last updated: Sep 30, 2020 08:17PM UTC

I'm trying to crawl a site with multiple pages, and Burp Pro doesn't get past the first page, which has several text fields (type=text), e.g. FirstName, which it fills with numbers. It keeps trying with different random numbers instead of letters. How can I get Burp Pro to use letters and crawl pages with several text fields?

Michelle, PortSwigger Agent | Last updated: Oct 01, 2020 10:45AM UTC

Could you tell us a bit more about your setup and the site you are trying to scan, please?

- Which version of Burp are you using?
- Are you using the embedded browser for the crawl and audit of the site?
- Could you tell us a bit more about the first page? Is this a login page?

If you'd prefer to share this detail directly, feel free to email support@portswigger.net

asdf | Last updated: Oct 01, 2020 02:21PM UTC

I'm using Burp Suite Professional v2020.2.1, and yes, the "Embedded Browser" option has been selected for crawling. There is NO login or any kind of authentication. The first page has some required text fields (type=text), e.g. name, occupation etc., that ONLY accept letters, and after successful validation it moves on to the next page. This is an unauthenticated, open, public-facing app.

In Burp Pro, I'm selecting a new scan with ONLY the "Crawl" option, specifying the target URL and scope. For scan configuration, I'm selecting a new crawl configuration with "Use browser based navigation" checked. For now I don't want Burp Pro to scan (audit) the app, but just submit the forms and crawl the app to identify all URLs. It keeps sending multiple requests for the first page with different random numbers instead of letters. How can I specify to crawl that page and use letters for those text fields? Hope this makes sense and thanks for your help!!

Michelle, PortSwigger Agent | Last updated: Oct 02, 2020 11:00AM UTC

Thanks for the update. I'm afraid you can't specify what the crawler will enter into the fields but it would be good to understand more about what you are seeing and about the form. Would you be happy to email us directly using support@portswigger.net and share some more details? Do you only see it try with numbers or do you also see any separate attempts that use letters? Do you see the same requests using the latest release?
