Name is required.
Email address is required.
Invalid email address
Answer is required.
Exceeding max length of 5KB

Live passive crawl misses some information about HTML forms

NIcolas Grégoire Oct 15, 2019 09:29AM UTC


the "Form submission" feature of passive crawling misses two features when adding to the site map:
- it doesn't log the parameter names and values defined in HTML forms
- it doesn't set the HTTP method (i.e. use GET everytime), even if explicitly defined in HTML forms

* How to reproduce

Go to "Menu bar > Burp > Configuration library > New > Live passive crawling"
In "Types of item to add", check "Form submissions"
Give this config a name and click "OK"

Go to "Dashboard > New live scan"
Select "Task type = Live passive crawl, Tools scope = Proxy, URL scope = Everything"
In "Scan configuration", select the the config created at the previous step
Close the wizard

Pause or stop other live tasks

Browse a web page containing a HTML form using POST + predefined parameters:

<form action="action.php" method="post">Destination:
<input type="text" name="dest" value=""/>
<input type="hidden" name="level" value="1"/>
<input type="hidden" name="token" value="ohde1aiT"/>
<input type="submit" value="Go"/>

* Expected result

A new entry in the site map, having the correct HTTP method and parameters (both name and value) -> POST /action.php with "dest=" in the body

* Current result

Added site map entry -> GET /action.php

* Note

As a consequence of the current behavior, a form pointing to itself (like <form action="" method="post">) with not add anything to the site map

NIcolas Grégoire Oct 15, 2019 09:32AM UTC
Tested on Pro 2.1.04

Liam Tai-Hogan Oct 15, 2019 12:39PM UTC Support Center agent

Thanks for this report Nicolas. We’ve created a ticket to investigate further. We’ll update you when we have something to share.

Post Your public answer

Your name
Your email address