Spidering + Form Submission

Karthik | Last updated: May 13, 2015 07:17AM UTC

I am spidering a website. While spidering, I have selected "Automatically submit using the following rules to assign text field values". I have given a field name and field value and enabled it to be submitted. If there appears a value that is not in the list that I have given, and let us assume I have not defined/selected the "Set unmatched fields to:" field as well. In that case, when Burp Suite encounters a field that is not matched above, what will be the response? Will users be prompted to submit a value for that field? Could you please clarify?

PortSwigger Agent | Last updated: May 13, 2015 07:58AM UTC

If you don't define/select the "Set unmatched fields to" option then Burp will submit any unmatched text fields with empty values.

Burp User | Last updated: May 13, 2015 09:19AM UTC

Thanks for the response.

Question 1: If I am going to use these spider results to then scan (Active scan - XSS/SQL injection) the websites, will these parameters (for which empty values were submitted) also be considered for the scan?

Question 2: If, after submitting empty values, the website returns the same form again (as it was incomplete), how will Burp Suite handle this? Will the form be submitted infinitely?

PortSwigger Agent | Last updated: May 13, 2015 11:23AM UTC

1. Yes, the Scanner will still test any empty parameters in the usual way.
2. No, the Spider won't submit the form again in this situation.

Burp User | Last updated: May 13, 2015 12:32PM UTC

Dafydd - Thanks for your response. This clarifies my query.

