Using Burp's Engagement Tools

Burp Suite's Engagement Tools are designed to enhance the testing process. The tools automate search and reconnaissance tasks to make your testing faster and more efficient. This article provides a description of each tool and an example of how it might be used.

Search

You can perform suite-wide searches by selecting "Search" within "Engagement tools" in the context menu.

The search dialog lets you configure the following options:

  • The expression to search for.
  • Whether the search is case sensitive, and whether the expression is a literal string or a regular expression.
  • Whether the search should show "negative" (non-matching) items, and whether the search is restricted to in-scope items only.
  • Whether the search results should dynamically update as new HTTP messages are processed by Burp tools.
  • Which locations to search within HTTP messages (requests vs. responses, headers vs. body).
  • Which tools to search in.

Find comments / scripts / references

You can use these functions to search part or all of the Target site map for comments and scripts. You can start the search by selecting part or all of the site map tree, and choosing "Find comments" or "Find scripts" within "Engagement tools" in the site map context menu.

In the search dialog, use the "Search" button to perform the search (or re-perform it later).

Details of the discovered items are shown in a sortable table. The preview pane shows the full request and response for the selected item, with relevant items automatically highlighted, and also extracted into their own tab. The context menu can be used to send requests to Burp tools and carry out other actions.

In this example we have found comments that refer to the origin of the data. However, comments can often include more sensitive information.

The "Find scripts" function provides a convenient way to map these items for further investigation.

Analyze Target

This function can be used to analyze a target web application and tell you how many static and dynamic URLs it contains, and how many parameters each URL takes. This can help you assess how much effort a penetration testing engagement is likely to involve, and can help you decide where to focus your attention during the test itself.

The Target Analyzer dialog contains the following tabs:

  • Summary - This shows the total number of dynamic URLs, static URLs, parameters, and unique parameter names.
  • Dynamic URLs - This lists all of the URLs that were observed to accept parameters.
  • Static URLs - This lists all of the URLs that were not observed to take parameters.
  • Parameters - This lists each uniquely named parameter, and a count of the URLs in which it appears.

The example demonstrates how the Target Analyzer can be used to list and locate a specific parameter.
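To make the counts in the four tabs concrete, here is an added example (not Burp's code, and not part of the original article) that reproduces the Target Analyzer's classification over a constructed list of observed URLs: it splits URLs into dynamic and static, counts parameters and unique parameter names, and locates every URL a given parameter name was seen on. The sample URLs and the definition of "parameters" as the total number of parameter occurrences across dynamic URLs are assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample, standing in for URLs a site map has observed (assumed data).
OBSERVED_URLS = [
    "https://example.test/",
    "https://example.test/static/app.js",
    "https://example.test/search?q=shoes&page=1",
    "https://example.test/search?q=hats&page=2&sort=price",
    "https://example.test/account?id=17",
    "https://example.test/account/orders?id=17&page=1",
    "https://example.test/help/faq.html",
]


def analyze_target(urls):
    """Classify URLs the way the Target Analyzer tabs do.

    The query string is stripped so one path observed with different values
    counts as a single URL; a path seen both with and without parameters is
    treated as dynamic. Returns a dict keyed like the analyzer's tabs.
    """
    dynamic = {}  # path -> set of parameter names observed on it
    static = set()
    for url in urls:
        parts = urlsplit(url)
        path = f"{parts.scheme}://{parts.netloc}{parts.path}"
        names = {name for name, _ in parse_qsl(parts.query, keep_blank_values=True)}
        if names:
            dynamic.setdefault(path, set()).update(names)
        else:
            static.add(path)
    static -= set(dynamic)  # dynamic wins when the same path was seen both ways

    # Parameters tab: for each unique name, how many distinct URLs carry it.
    param_url_counts = Counter()
    for names in dynamic.values():
        param_url_counts.update(names)

    return {
        "summary": {
            "dynamic_urls": len(dynamic),
            "static_urls": len(static),
            "parameters": sum(len(n) for n in dynamic.values()),
            "unique_parameter_names": len(param_url_counts),
        },
        "dynamic_urls": {p: sorted(n) for p, n in sorted(dynamic.items())},
        "static_urls": sorted(static),
        "parameters": dict(param_url_counts),
    }


def urls_with_parameter(urls, name):
    """Locate every dynamic URL on which a specific parameter name was observed."""
    return [p for p, names in analyze_target(urls)["dynamic_urls"].items() if name in names]
```

Running `urls_with_parameter(OBSERVED_URLS, "id")` on the sample returns the two account URLs, which is the kind of lookup the article's parameter example performs in the GUI.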

Discover Content

This function can be used to discover content and functionality which is not linked from visible content that you can browse to or spider.

To access this function, select an HTTP request anywhere within Burp, or any part of the Target site map, and choose "Discover content" within "Engagement tools" in the context menu.

Discovered content is displayed within a special site map that is specific to the discovery session, and can also optionally be added to the main suite site map.


In the example, we have located the robots.txt file. During testing, this functionality can uncover admin or test pages that are not linked from the visible application.

Schedule task

You can use the task scheduler to automatically start and stop certain tasks at defined times and intervals. This lets you run automated tasks out of hours while you are not working, and save your work periodically or at a specific time.

To access this function, select an HTTP request anywhere within Burp, or any part of the target site map, and choose "Schedule task" within "Engagement tools" in the context menu.

Using the wizard we have demonstrated how to resume active scanning at a specific time and date.

Simulate manual testing

To access this function, select part of the Target site map, and choose "Simulate manual testing" within "Engagement tools" in the context menu.

This function won't exactly enhance your productivity, but you may sometimes find it useful nonetheless. The function sends common test payloads to random URLs and parameters at irregular intervals, to generate traffic similar to that caused by manual penetration testing. Only items that you selected in the site map will be requested.

Generate CSRF PoC

To access this function, select a URL or HTTP request anywhere within Burp, and choose "Generate CSRF PoC" within "Engagement tools" in the context menu.

You can learn more about using this tool in our article on Using Burp to Test for Cross-Site Request Forgery and in our official documentation.