Live passive crawl misses some information about HTML forms
The "Form submission" feature of passive crawling misses two features when adding to the site map:
- it doesn't log the parameter names and values defined in HTML forms
- it doesn't set the HTTP method (i.e. use GET every time), even if explicitly defined in HTML forms
* How to reproduce
Go to "Menu bar > Burp > Configuration library > New > Live passive crawling"
In "Types of item to add", check "Form submissions"
Give this config a name and click "OK"
Go to "Dashboard > New live scan"
Select "Task type = Live passive crawl, Tools scope = Proxy, URL scope = Everything"
In "Scan configuration", select the config created at the previous step
Close the wizard
Pause or stop other live tasks
Browse a web page containing an HTML form using POST + predefined parameters:
<form action="action.php" method="post">Destination:
<input type="text" name="dest" value="18.104.22.168"/>
<input type="hidden" name="level" value="1"/>
<input type="hidden" name="token" value="ohde1aiT"/>
<input type="submit" value="Go"/>
</form>
* Expected result
A new entry in the site map, having the correct HTTP method and parameters (both name and value) -> POST /action.php with "dest=22.214.171.124&level=1&token=ohde1aiT&submit=Go" in the body
* Current result
Added site map entry -> GET /action.php
As a consequence of the current behavior, a form pointing to itself (like <form action="" method="post">) will not add anything to the site map
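The derivation the report expects, as an added example that is not part of the original post and is not Burp's code: it turns each form on a page into a (method, URL, body) entry, including the self-posting `action=""` case. The function and class names, the sample page and its URL are assumptions, and only `<input>` controls are handled.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin, urlsplit

class FormExtractor(HTMLParser):
    """Collects the method, action and named <input> controls of each form."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or unrecognised method attribute means GET.
            method = "POST" if (a.get("method") or "").upper() == "POST" else "GET"
            self._current = {"method": method, "action": a.get("action") or "", "params": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("name"):
            # Controls without a name (e.g. an unnamed submit button) are not sent.
            self._current["params"].append((a["name"], a.get("value") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def site_map_entries(page_url, html):
    parser = FormExtractor()
    parser.feed(html)
    entries = []
    for form in parser.forms:
        url = urljoin(page_url, form["action"])  # empty action -> page_url itself
        data = urlencode(form["params"])
        if form["method"] == "POST":
            entries.append(("POST", url, data))
        else:  # GET: the form data replaces the query string
            entries.append(("GET", urlsplit(url)._replace(query=data).geturl(), ""))
    return entries

# Constructed sample page, modelled on the form in the report.
PAGE_URL = "http://example.test/app/index.php"
SAMPLE_HTML = """
<form action="action.php" method="post">
<input type="text" name="dest" value="192.0.2.10"/>
<input type="hidden" name="token" value="ohde1aiT"/>
<input type="submit" value="Go"/></form>
<form action="" method="post"><input type="hidden" name="id" value="7"/></form>
<form action="search.php"><input name="q" value="burp"/></form>
"""

if __name__ == "__main__":
    print(*site_map_entries(PAGE_URL, SAMPLE_HTML), sep="\n")
```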
Thanks for this report Nicolas. We’ve created a ticket to investigate further. We’ll update you when we have something to share.