Burp Suite User Forum

Enable parameters to be identified in a Target Analysis

Bruce | Last updated: Mar 21, 2018 12:56PM UTC

I am running an instance of BURP Pro (v1.7.32) with both Passive and Active scanning enabled. When I run a Target Analysis and review what parameters were identified, none of the password parameters were identified. Which concerns me, since if we are missing this parameter, what others are missing? Are there any configuration settings to enable capturing of all parameters? It makes it difficult to depend on the analysis if it is not complete.

Thanks,
Bruce

Liam, PortSwigger Agent | Last updated: Mar 21, 2018 02:33PM UTC

Have you fully mapped your application using Burp Suite? - https://support.portswigger.net/customer/portal/articles/1783108-recon-and-analysis-with-burp-suite The function only analyzes the content already captured within the site map, so you should ensure that you have fully mapped all of the application's content and functionality before running it. - https://portswigger.net/burp/help/suite_functions_targetanalyzer

Burp User | Last updated: Mar 22, 2018 01:17PM UTC

Hi Liam,

I am more interested at this point in what is being identified as a parameter. In the example below there are fields in the body which are entry point values submitted by the end user. These include name, password, role_id and local_domain_ids. Should these be identified as parameters?

    POST /api/rest/domain_user HTTP/1.1
    Host: 10.10.10.7
    Connection: close
    Content-Length: 75
    Dell-Custom-AuthZ: true
    Origin: https://10.10.10.7
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
    Content-Type: application/json
    Accept: */*
    Referer: https://10.10.10.7/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9

    {"name":"test","password":"Somepassword1","role_id":"7","local_domain_ids":"5"}

Liam, PortSwigger Agent | Last updated: Mar 22, 2018 01:21PM UTC

Yes, they should be identified as parameters. However, they will not be identified unless they have been mapped in Burp Suite.

Burp User | Last updated: Mar 23, 2018 02:56PM UTC

They are mapped in the site map but are not identified as Parameters when I run an Analyze Target. These parameters are entries submitted through API requests in JSON format (as seen in the POST example).

Liam, PortSwigger Agent | Last updated: Mar 23, 2018 02:59PM UTC

Sorry Bruce, you're correct, Burp's Target Analyzer isn't identifying JSON parameters. I've made a note of this in our development backlog. Unfortunately, we can't provide an ETA.
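
Added example, not part of the thread and not PortSwigger's code: because the Target Analyzer did not list JSON body fields, a short Python script can inventory them from a saved raw request so that fields such as `password` still appear in the input list. The function names and the location labels (`url`, `body`, `json`) are this example's own, and the sample request is constructed from the one posted above with its headers trimmed.

```python
import json
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the request posted in the thread, with headers trimmed.
SAMPLE_REQUEST = "\r\n".join([
    "POST /api/rest/domain_user HTTP/1.1",
    "Host: 10.10.10.7",
    "Content-Type: application/json",
    "",
    '{"name":"test","password":"Somepassword1","role_id":"7","local_domain_ids":"5"}',
])


def flatten_json(value, prefix=""):
    """Yield (path, leaf_value) for every scalar in a decoded JSON document."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from flatten_json(child, f"{prefix}.{key}" if prefix else key)
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from flatten_json(child, f"{prefix}[{index}]")
    else:
        yield prefix, value


def list_parameters(raw_request):
    """Return sorted (location, name) pairs for URL, form and JSON body parameters."""
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    target = request_line.split(" ")[1]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    content_type = headers.get("content-type", "").split(";")[0].strip().lower()
    found = {("url", n) for n, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True)}
    if content_type == "application/x-www-form-urlencoded":
        found |= {("body", n) for n, _ in parse_qsl(body, keep_blank_values=True)}
    elif content_type == "application/json" or content_type.endswith("+json"):
        try:
            found |= {("json", path) for path, _ in flatten_json(json.loads(body))}
        except json.JSONDecodeError:
            found.add(("json", "<unparseable body>"))  # flag for manual review
    return sorted(found)


if __name__ == "__main__":
    for location, name in list_parameters(SAMPLE_REQUEST):
        print(f"{location:5} {name}")
```

Nested objects and arrays are reported as dotted paths such as `user.roles[0].id`, so every leaf value a client can submit gets its own entry.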
