The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Scanned URLs (sitemaps) for Single Page web Application (SPA)

Gaku | Last updated: Mar 17, 2022 07:02AM UTC

Hi. I'm evaluating Burp Enterprise as a tool to scan Single Page web Applications (SPA). We cannot see any dynamic URLs in the Scanned URLs tab in the scan result when the target application uses a router (e.g., Vue Router, React Router).

I found a past comment from a PortSwigger guy about this issue. https://forum.portswigger.net/thread/test-single-page-apps-spa-b6cd31c291

He said that

> The site map and logger only capture HTTP traffic and will, as such, not accurately map pages in a SPA that did not have synchronous requests as part of their load

Do you have any plan to improve this? It's very inconvenient not to see dynamic URLs.

Uthman, PortSwigger Agent | Last updated: Mar 17, 2022 10:53AM UTC

Hi Gaku,

Can you share some sample URLs, please?

Are you expecting to see URLs with fragments (#) in the Scanned URLs tab?

Is this affecting your overall scan results? Or are you getting complete scans with the latest version (2022.2.3) of the scanner? We have added a number of improvements to SPA scanning over the last few releases.

Gaku | Last updated: Mar 22, 2022 07:07AM UTC

Sorry for my late reply.

> Can you share some sample URLs, please?

Not only URLs with fragments (#) but also normal URLs. For example:

- https://example.com/my_page_1
- https://example.com/my_page_2
- https://example.com/page#page1
- https://example.com/page#page2

JavaScript routing libraries such as Vue Router and React Router can render page contents based on URL changes from links without any network access. Here is a good example. You can jump between pages without network access. https://v5.reactrouter.com/web/example/basic

> Is this affecting your overall scan results? Or are you getting complete scans with the latest version (2022.2.3) of the scanner?

I can scan a test web application with the `v2022_2_1` version. IMO, this is the latest release of Burp Enterprise. 2022.2.3 is a release of Burp Suite, right? I've confirmed that Burp can scan the dynamic URLs based on a debug log. But I wonder whether we can confirm it from the `Scanned URLs` tab.
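The behaviour described in this post, as an added example that is not part of the original thread or PortSwigger's code: a client-side router changes the URL through the History API without issuing HTTP requests, so a traffic-based site map misses those routes unless the History API itself is instrumented. `makeBrowser`, `recordRoutes`, `demo` and the `/static/app.js` path are constructed for illustration; the fake `history` and `fetch` stand in for the browser's so the block runs in Node.

```javascript
// Constructed stand-in for a browser: `httpLog` is what a proxy-based site map sees.
function makeBrowser(origin) {
  const httpLog = [];
  const location = { href: origin + "/" };
  const setUrl = (url) => { location.href = new URL(url, location.href).href; };
  const history = {
    // Like the real History API: changes the address bar, sends no request.
    pushState(_state, _title, url) { setUrl(url); },
    replaceState(_state, _title, url) { setUrl(url); },
  };
  const fetch = (url) => { httpLog.push(new URL(url, location.href).href); };
  return { httpLog, location, history, fetch };
}

// Wrap pushState/replaceState so every client-side route change is recorded.
// Takes any object exposing `history` and `location.href`.
function recordRoutes(browser) {
  const routes = new Set([browser.location.href]);
  for (const method of ["pushState", "replaceState"]) {
    const original = browser.history[method];
    browser.history[method] = function (...args) {
      const result = original.apply(this, args);
      routes.add(browser.location.href); // URL after the router updated it
      return result;
    };
  }
  return routes;
}

// Simulate one page load followed by router navigations to the thread's sample URLs.
function demo() {
  const browser = makeBrowser("https://example.com");
  browser.fetch("/");               // initial document: a real HTTP request
  browser.fetch("/static/app.js");  // script bundle (constructed path)
  const routes = recordRoutes(browser);
  for (const path of ["/my_page_1", "/my_page_2", "/page#page1", "/page#page2"]) {
    browser.history.pushState({}, "", path); // what a router does on a link click
  }
  // Routes the application visited that never appeared as HTTP traffic.
  const missing = [...routes].filter((url) => !browser.httpLog.includes(url));
  return { httpLog: browser.httpLog, routes: [...routes], missing };
}

console.log(demo());
```

Comparing `missing` against the scanner's Scanned URLs list shows which client-side routes were exercised but produced no HTTP traffic of their own.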

Uthman, PortSwigger Agent | Last updated: Mar 22, 2022 08:46AM UTC

Hi Gaku,

Thanks for clarifying that. Great to hear that it is not impacting the actual scan results!

Our developers are looking into this for the long term so we will let you know if/when it is implemented.

To clarify, the scanner versions coincide with the latest stable release of Burp Suite Professional. At the time of writing my reply, that was 2022.2.3.

Gaku | Last updated: Apr 04, 2022 06:48AM UTC