Application-Aware Spider: Used for spidering/crawling a given scope of pages.
Scanner: Automatically scans for vulnerabilities just like any other automated scanner.
Intruder: Used to perform attacks & brute-forces on pages in a highly customizable manner.
Repeater: Used for manipulating and resending individual requests.
Sequencer: Used mainly for testing/fuzzing session tokens.
Extensibility: Allows you to easily write your own plugins to perform complex and highly customized tasks within Burp.
Comparer & Decoder: Used for miscellaneous purposes that might come along the way when you conduct a web security test.

A web crawler is a bot program which systematically browses the pages of a website for the purpose of indexing. More precisely, a web crawler maps the structure of a website by browsing all its inner pages. The crawler is also referred to as a spider or automatic indexer.

Burp Suite has its own spider called the Burp Spider. The Burp Spider is a program which crawls all the pages of a target specified in the scope. Before starting the Burp Spider, Burp Suite has to be configured to intercept the HTTP traffic.

Like any other GUI/Windows tool, Burp Suite contains a standard menu bar, two rows of tabs & a different set of panels, as seen below.

The above figure shows the options & details about the target. In the above figure there are mainly 4 sections. They are described against the corresponding numbers as follows:
1. Tool & Options selector Tabs – Select between the various tools & settings of Burp Suite.
2. Sitemap View – Displays the sitemap once the spider has started.
3. Requests Queue – Displays the requests being made.
4. Request/Response Details – The HTTP requests made & the responses from the server.

Spidering is a major part of recon while performing web security tests. As described earlier, Burp Suite has its own spider called the Burp Spider which can crawl a website. It helps the pentester to identify the scope & architecture of the web application.

Scenario:
Attacker – Kali Linux VM, IP = 192.168.0.105
Target – OWASP Broken Web Application VM, IP = 192.168.0.160

First, start Burp Suite and check the details under the Proxy tab in the Options sub-tab. Ensure the IP is the localhost IP & the port is 8080.
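To make the spider concept concrete, here is a minimal scope-limited crawler added as an example (it is not code from the original post or from Burp Suite). It builds the same kind of sitemap the Sitemap View shows, follows only links inside the configured scope prefix, and lists but does not visit out-of-scope links. The target pages are a constructed in-memory dict standing in for the OWASP BWA host, so it runs offline; `SITE`, `spider`, `in_scope` and `LinkExtractor` are names chosen here.

```python
# Added example (not from the original post or Burp Suite): a minimal scope-limited
# crawler showing what Burp Spider does; the target site is a constructed in-memory dict.
from html.parser import HTMLParser
from urllib.parse import urljoin, urldefrag
from collections import deque

# Constructed pages standing in for the OWASP BWA target (assumption).
SITE = {
    "http://192.168.0.160/": '<a href="/login.php">Login</a> <a href="/about">About</a>',
    "http://192.168.0.160/login.php": '<a href="/">Home</a> <a href="/admin/">Admin</a>',
    "http://192.168.0.160/about": '<a href="http://example.org/x">Ext</a> <a href="/about#top">Top</a>',
    "http://192.168.0.160/admin/": '<a href="/admin/users.php">Users</a>',
    "http://192.168.0.160/admin/users.php": "",
}

class LinkExtractor(HTMLParser):
    """Collect href values from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

def in_scope(url, scope_prefix):
    """Burp-style scope rule: only URLs under the configured prefix are crawled."""
    return url.startswith(scope_prefix)

def spider(start_url, scope_prefix, fetch=SITE.get):
    """Breadth-first crawl of in-scope pages; returns a sitemap {url: [links]}.
    `fetch` stands in for an HTTP GET routed through the Burp proxy."""
    sitemap, queue = {}, deque([start_url])
    while queue:
        url = queue.popleft()
        if url in sitemap or not in_scope(url, scope_prefix):
            continue
        body = fetch(url)
        if body is None:          # unreachable page: record nothing, keep going
            continue
        parser = LinkExtractor()
        parser.feed(body)
        found = []
        for href in parser.links:
            absolute, _ = urldefrag(urljoin(url, href))  # resolve, drop #fragment
            found.append(absolute)
            if in_scope(absolute, scope_prefix):
                queue.append(absolute)  # out-of-scope links are listed, not visited
        sitemap[url] = found
    return sitemap
```

Narrowing `scope_prefix` to `http://192.168.0.160/admin/` restricts the crawl to that directory, which is the same effect as tightening the target scope in Burp.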