Burp Suite User Forum


Spider an application with form-based login

Christian | Last updated: Jun 16, 2015 08:49AM UTC

For spidering I filled in the scope at Target > Scope. At Spider > Options I set "Application Login" to "Prompt for guidance". But after running the spider as "Spider from here" (as it was the / site) only a small number of requests are made. If I do not use login, I get thousands of requests.

1) Do I see which requests are sent and what the responses are? Proxy > "HTTP history" doesn't show any new URLs.
2) It still says "Spider is running", but "Requests made" has been constant for half an hour. What is the right interpretation of that?
3) I clicked on "Spider is running" to pause the spider, but "Clear queues" doesn't have any effect. The "Requests made" are still there.
4) After minutes, "Clear queues" is still without effect. To reset I have to close Burp :-(
5) Can I define a token, so the application knows that it is logged out? Like in ZAP (another proxy), where I can define a "Welcome, <name>". And if I'm logged out, does it automatically log in?

Thanks, Chris

PortSwigger Agent | Last updated: Jun 16, 2015 02:24PM UTC

Thanks for your questions. Answers are as follows:

1. You can install the Custom Logger extension from the BApp Store to show a log of all requests made by all tools.
2. The "Spider is running" toggle button indicates that the Spider is either working or ready to work when something is available to do. It just means that the Spider is not explicitly paused. You can see whether any requests are pending via the "Requests queued" and "Forms queued" values.
3. Clearing the queues will remove the pending items in the Spider's queues (items that are due to be requested but not yet done). It won't affect the number of requests already made.
4. If you have any items in the Spider's queues, then clicking "Clear queues" should immediately clear these, and you should see 0 reported as the two queue sizes in the UI.
5. Yes, you can do this with session handling rules. You can define a macro to perform a login sequence, and a session rule that validates whether your session is currently valid and executes the macro if it is not. Details are here: http://portswigger.net/burp/help/options_sessions.html

Hope that helps.
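The session-handling idea in answer 5 (check whether the session is still valid, and if not run a login macro and retry the request) is easy to get wrong in practice, so here is a small working model of it. This is an added example, not Burp code and not part of the thread: the form-login application, its "user"/"pass" fields, the SESSIONID cookie and the "Welcome, <name>" marker are all constructed for illustration. In Burp itself the same logic is a session handling rule whose action is "Check session is valid", with the response inspected for the "Welcome," string as the logged-in indicator and the login macro run when the check fails.

```python
"""Model of a Burp-style session handling rule with a login macro.

Added example, not part of the forum post or of Burp. The FakeApp class
is a constructed stand-in for a web application with a form-based login
and an expiring session cookie; all field and cookie names are assumptions.
"""
import re
import secrets


class FakeApp:
    """Constructed web app: POST /login issues a SESSIONID cookie; every
    other page shows 'Welcome, <user>' when logged in, a login form if not."""

    def __init__(self, username="chris", password="s3cret"):
        self._creds = (username, password)
        self._sessions = {}  # session id -> username

    def login(self, form):
        """The request the login macro replays. Returns (status, headers, body)."""
        if (form.get("user"), form.get("pass")) == self._creds:
            sid = secrets.token_hex(8)
            self._sessions[sid] = form["user"]
            return 302, {"Set-Cookie": f"SESSIONID={sid}"}, ""
        return 200, {}, "<p>Bad credentials</p>"

    def get(self, path, cookies):
        user = self._sessions.get(cookies.get("SESSIONID"))
        if user is None:
            return 200, {}, "<p>Please log in</p><form action='/login'></form>"
        return 200, {}, f"<p>Welcome, {user}</p><a href='/account'>Account</a>"

    def expire_all(self):
        """Simulate server-side session timeout (what the spider runs into)."""
        self._sessions.clear()


# The "logged-in indicator": the same string the question proposes ("Welcome, <name>").
LOGGED_IN_RE = re.compile(r"Welcome, (\w+)")


class SessionHandlingClient:
    """Mirrors a 'check session is valid' rule: inspect the response for the
    indicator; if it is missing, run the login macro once and repeat the request."""

    def __init__(self, app, username, password):
        self.app = app
        self.username = username
        self.password = password
        self.cookies = {}
        self.relogins = 0  # how many times the macro had to run

    def session_is_valid(self, body):
        return LOGGED_IN_RE.search(body) is not None

    def login_macro(self):
        """Replay the recorded login request and harvest the session cookie."""
        status, headers, _ = self.app.login(
            {"user": self.username, "pass": self.password}
        )
        if status != 302 or "Set-Cookie" not in headers:
            # Fail loudly: silently continuing would spider the logged-out site.
            raise RuntimeError("login macro failed: no session cookie issued")
        name, value = headers["Set-Cookie"].split("=", 1)
        self.cookies[name] = value
        self.relogins += 1

    def get(self, path):
        """Issue a request the way a session-handled tool would."""
        _, _, body = self.app.get(path, self.cookies)
        if self.session_is_valid(body):
            return body
        self.login_macro()
        _, _, body = self.app.get(path, self.cookies)
        if not self.session_is_valid(body):
            raise RuntimeError("still logged out after running the login macro")
        return body


if __name__ == "__main__":
    app = FakeApp()
    client = SessionHandlingClient(app, "chris", "s3cret")
    print(client.get("/"))          # first request triggers the macro
    app.expire_all()                # session times out mid-crawl
    print(client.get("/account"))   # macro runs again transparently
    print("logins performed:", client.relogins)
```

Two points the model makes explicit: the validity check must be applied to every response, not only the first, because sessions expire while a long spider run is in progress; and a failed macro must abort rather than continue, otherwise the tool quietly crawls the unauthenticated view of the site, which is exactly the "only a few requests" symptom described in the question.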

Burp User | Last updated: Jun 16, 2015 04:08PM UTC

Thanks Dafydd, yes, it helped a lot. I worked through the help docs and got used to the habits of Burp.
