Burp Suite User Forum


How do I use burp suite to scan hidden fields automatically

Adam | Last updated: Jun 01, 2017 09:08PM UTC

How do I use Burp Suite to scan hidden fields that show up when I spider a website? When I spider a website, I get two options: submit or ignore. How do I test those hidden fields automatically to make sure no one can use those to get any access or data from the website?

PortSwigger Agent | Last updated: Jun 02, 2017 07:55AM UTC

When you use Scanner, hidden fields are automatically included. There is some more information about this here: https://portswigger.net/burp/help/scanner_using.html When using Spider, you will typically want to submit forms, to get a full map of the application. However, take care: certain forms, such as "delete", could cause problems on your target website.

Burp User | Last updated: Jun 02, 2017 03:21PM UTC

Hey Paul, thank you for the article. I did read over it, but I did not find any information that says how it scans hidden fields. Can you paste some of it here? When I get a message to submit forms, I have been selecting Submit, not Ignore.

PortSwigger Agent | Last updated: Jun 05, 2017 09:12AM UTC

You don't need to do anything in particular to scan hidden fields. When you submit a form, the browser includes hidden fields, and Spider simulates this. When you run Active Scan on a form submission, Scanner will identify the hidden fields as Insertion Points and run the configured set of attacks.
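
To make the two PortSwigger replies above concrete (hidden fields travel in the submitted body exactly like visible ones, every submitted parameter is an insertion point, and "delete"-style forms deserve a second look before submitting), here is an added worked example in Python. It is not Burp's own code or a Burp extension; it mimics the behaviour described: parse a form, serialise it the way a browser would on submit, enumerate insertion points, and produce one mutated request per parameter the way an active scan does. The sample form markup, the base URL `https://example.test/`, and the destructive-word list are constructed assumptions for illustration.

```python
"""Browser-style form submission and per-parameter insertion points.

Added example (not from the original thread or from PortSwigger). It shows why
hidden fields need no special handling: a browser submits them like any other
successful control, so a scanner that mutates each submitted parameter reaches
them automatically.
"""
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin

# Constructed sample markup, as a spidered page might contain: two hidden
# fields, one visible text field, one checked and one unchecked checkbox.
SAMPLE_FORM = """
<form action="/account/update" method="post">
  <input type="hidden" name="csrf" value="d41d8cd9">
  <input type="hidden" name="account_id" value="1042">
  <input type="text" name="display_name" value="adam">
  <input type="checkbox" name="newsletter" value="yes" checked>
  <input type="checkbox" name="beta" value="yes">
  <input type="submit" name="save" value="Save">
</form>
"""

# Assumed heuristic word list for the "take care with delete forms" caveat.
DESTRUCTIVE_WORDS = ("delete", "remove", "destroy", "purge", "reset")


class FormParser(HTMLParser):
    """Collect action, method and input controls of the first <form> seen."""

    def __init__(self):
        super().__init__()
        self.action = ""
        self.method = "get"
        self.fields = []  # (name, value, type) in document order
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and not self._in_form:
            self._in_form = True
            self.action = a.get("action") or ""
            self.method = (a.get("method") or "get").lower()
        elif tag == "input" and self._in_form and a.get("name"):
            kind = (a.get("type") or "text").lower()
            # A browser only submits a checkbox/radio that is checked.
            if kind in ("checkbox", "radio") and "checked" not in a:
                return
            self.fields.append((a["name"], a.get("value") or "", kind))

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def parse_form(markup):
    p = FormParser()
    p.feed(markup)
    return {"action": p.action, "method": p.method, "fields": p.fields}


def successful_controls(form, clicked_submit=None):
    """Pairs a browser would send: every named control, hidden ones included,
    plus only the submit button that was actually clicked."""
    pairs = []
    for name, value, kind in form["fields"]:
        if kind in ("submit", "image", "button"):
            if name == clicked_submit:
                pairs.append((name, value))
            continue
        pairs.append((name, value))
    return pairs


def build_submission(form, base_url, clicked_submit=None):
    """Return (method, url, body) for the simulated submit."""
    url = urljoin(base_url, form["action"])
    encoded = urlencode(successful_controls(form, clicked_submit))
    if form["method"] == "get":
        return "GET", f"{url}?{encoded}", ""
    return "POST", url, encoded


def insertion_points(form):
    """Every submitted parameter is a candidate; hidden ones are flagged so
    it is visible that they are not skipped."""
    return [(name, kind == "hidden") for name, _, kind in form["fields"]
            if kind not in ("submit", "image", "button")]


def attack_variants(form, base_url, payload, clicked_submit=None):
    """One mutated body per insertion point: baseline values everywhere,
    the payload substituted into a single parameter at a time."""
    baseline = successful_controls(form, clicked_submit)
    return {target: urlencode([(n, payload if n == target else v)
                               for n, v in baseline])
            for target, _ in insertion_points(form)}


def looks_destructive(form):
    """Heuristic for the thread's caveat: flag forms whose action path or
    submit button text suggests a state-changing, hard-to-undo operation."""
    haystack = form["action"].lower() + " " + " ".join(
        v.lower() for _, v, k in form["fields"] if k == "submit")
    return any(w in haystack for w in DESTRUCTIVE_WORDS)


if __name__ == "__main__":
    f = parse_form(SAMPLE_FORM)
    print(build_submission(f, "https://example.test/profile", "save"))
    print(insertion_points(f))
    for name, body in attack_variants(f, "https://example.test/profile", "'", "save").items():
        print(name, "->", body)
    print("destructive?", looks_destructive(f))
```

Running it shows `account_id=1042` and `csrf=d41d8cd9` in the POST body alongside the visible `display_name`, the unchecked `beta` box absent (a browser would not send it, so a spider simulating the browser should not either), and a separate mutated body for each of the four parameters. The `looks_destructive` heuristic is only a reminder to review such forms manually before letting the spider submit them; it is not a Burp feature.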

Burp User | Last updated: Jun 06, 2017 02:21PM UTC

Ok, that is great information, Paul. Thank you very much. Is there a way to log that action to look it over? Adam

PortSwigger Agent | Last updated: Jun 06, 2017 02:30PM UTC

You can use the Logger++ plugin to see the full attack. Be aware that even a simple scan can get pretty big!

Burp User | Last updated: Jun 06, 2017 03:08PM UTC

I was looking at the BApp Store and I saw Logger; I was just going to ask you about this, Paul. How does the Logger clean itself out?

PortSwigger Agent | Last updated: Jun 07, 2017 07:04AM UTC

I recommend Logger++ over Logger. In the Options tab it has a button to "Clear the logs".
