Burp Suite User Forum

Live passive crawl misses some information about HTML forms

Nicolas | Last updated: Oct 15, 2019 09:29AM UTC

Hello, the "Form submission" feature of passive crawling misses two features when adding to the site map:

- it doesn't log the parameter names and values defined in HTML forms
- it doesn't set the HTTP method (i.e. use GET every time), even if explicitly defined in HTML forms

* How to reproduce

- Go to "Menu bar > Burp > Configuration library > New > Live passive crawling"
- In "Types of item to add", check "Form submissions"
- Give this config a name and click "OK"
- Go to "Dashboard > New live scan"
- Select "Task type = Live passive crawl, Tools scope = Proxy, URL scope = Everything"
- In "Scan configuration", select the config created at the previous step
- Close the wizard
- Pause or stop other live tasks
- Browse a web page containing an HTML form using POST + predefined parameters:

    <form action="action.php" method="post">Destination:
    <input type="text" name="dest" value="1.2.3.4"/>
    <br/>
    <input type="hidden" name="level" value="1"/>
    <input type="hidden" name="token" value="ohde1aiT"/>
    <input type="submit" value="Go"/>
    </form>

* Expected result

A new entry in the site map, having the correct HTTP method and parameters (both name and value)
-> POST /action.php with "dest=1.2.3.4&level=1&token=ohde1aiT&submit=Go" in the body

* Current result

Added site map entry
-> GET /action.php

* Note

As a consequence of the current behavior, a form pointing to itself (like <form action="" method="post">) will not add anything to the site map
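To check site map entries against what a page's forms actually define, the request each form would produce can be derived offline. The following is an added example, not part of the original post and not Burp's own code: `PAGE_URL`, `FormExtractor` and `expected_requests` are hypothetical names, the page URL and the second (self-posting) form are constructed, only `<input>` controls are handled, and controls without a `name` attribute are left out of the data set, as a browser does.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlencode

PAGE_URL = "http://example.test/app/index.php"  # constructed page location
SAMPLE_HTML = (  # form from the report, then a constructed self-posting form
    '<form action="action.php" method="post">'
    '<input type="text" name="dest" value="1.2.3.4"/>'
    '<input type="hidden" name="level" value="1"/>'
    '<input type="hidden" name="token" value="ohde1aiT"/>'
    '<input type="submit" value="Go"/></form>'
    '<form action="" method="post"><input type="hidden" name="q" value="x"/></form>'
)

class FormExtractor(HTMLParser):
    """Collects each <form> with its method, resolved action and predefined fields."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._cur = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing method defaults to GET; an empty action targets the page itself.
            self._cur = {"method": (a.get("method") or "get").upper(),
                         "url": urljoin(self.page_url, a.get("action") or ""),
                         "params": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None and a.get("name"):
            # Only named controls contribute name=value pairs.
            self._cur["params"].append((a["name"], a.get("value") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def expected_requests(page_url, html):
    """Return one (method, url, body) tuple per form found in the page."""
    parser = FormExtractor(page_url)
    parser.feed(html)
    parser.close()
    result = []
    for form in parser.forms:
        encoded = urlencode(form["params"])
        if form["method"] == "POST":
            result.append(("POST", form["url"], encoded))
        else:
            # On GET the form data replaces any query string in the action.
            base = form["url"].split("?", 1)[0]
            result.append(("GET", base + ("?" + encoded if encoded else ""), ""))
    return result
```

Comparing these tuples with the entries added by the live passive crawl task shows which forms lost their method or parameters.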

Burp User | Last updated: Oct 15, 2019 09:32AM UTC

Tested on Pro 2.1.04

Liam, PortSwigger Agent | Last updated: Oct 15, 2019 09:37AM UTC

Thanks for this report Nicolas. We've created a ticket to investigate further. We'll update you when we have something to share.

Alex | Last updated: Dec 04, 2020 09:01PM UTC

Any update on this? We are also seeing the same behavior in the latest version of burp pro (v2020.11.3). This definitely goes against the expected behavior and leads to inaccurate entries in the site map.

Liam, PortSwigger Agent | Last updated: Dec 07, 2020 11:51AM UTC

We have this issue logged in our development backlog. We'll update this thread when the issue is resolved.
