Burp Suite User Forum

Login to post

Live passive crawl misses some information about HTML forms

Nicolas | Last updated: Oct 15, 2019 09:29AM UTC

Hello, the "Form submission" feature of passive crawling misses two features when adding to the site map: - it doesn't log the parameter names and values defined in HTML forms - it doesn't set the HTTP method (i.e. use GET everytime), even if explicitly defined in HTML forms * How to reproduce Go to "Menu bar > Burp > Configuration library > New > Live passive crawling" In "Types of item to add", check "Form submissions" Give this config a name and click "OK" Go to "Dashboard > New live scan" Select "Task type = Live passive crawl, Tools scope = Proxy, URL scope = Everything" In "Scan configuration", select the the config created at the previous step Close the wizard Pause or stop other live tasks Browse a web page containing a HTML form using POST + predefined parameters: <form action="action.php" method="post">Destination: <input type="text" name="dest" value=""/> <br/> <input type="hidden" name="level" value="1"/> <input type="hidden" name="token" value="ohde1aiT"/> <input type="submit" value="Go"/> </form> * Expected result A new entry in the site map, having the correct HTTP method and parameters (both name and value) -> POST /action.php with "dest=" in the body * Current result Added site map entry -> GET /action.php * Note As a consequence of the current behavior, a form pointing to itself (like <form action="" method="post">) with not add anything to the site map

Burp User | Last updated: Oct 15, 2019 09:32AM UTC

Tested on Pro 2.1.04

Liam, PortSwigger Agent | Last updated: Oct 15, 2019 09:37AM UTC

Thanks for this report Nicolas. We've created a ticket to investigate further. We'll update you when we have something to share.

You need to Log in to post a reply. Or register here, for free.