
I just started working with Burp Professional Suite 2.0.6 beta. After proxy recording, I just right-click and perform the scan with the default configuration.

I want to know exactly what happens in that scan. It covers pen testing, but how?

Does it send requests to the server and analyze the response? If so, take the example of a POST API call. Does Burp replace the input and send the call to the server? But in the UI, I can't see any new thing (such as a POST method) created. Then how does Burp analyze the response?

In my application, if a form is submitted, the response will be "Form Submitted. Submitted ID:9898", which is JSON output.

Could someone please guide or teach me the correct things on how exactly Burp scans a request?

Bala

1 Answer


You can use the Logger++ extension from the BApp Store to monitor activity from Burp Scanner.

PortSwigger
  • Thanks, will try it. – Bala Oct 05 '18 at 12:39
  • By using Logger++, I can see changes in the request and its respective response. As I asked above, a POST (create form) call is sent to the server, but in the UI of the application, no form is created based on that request. Can you explain a bit more to me? – Bala Oct 08 '18 at 05:38
  • And I can't scan a single API call. It scans all the things under Proxy History. – Bala Oct 08 '18 at 06:28
  • 2
    @Bala - This is probably more suited for an email to support@portswigger.net Sounds like the application is rejecting the form POST, perhaps is failed validation or was missed an anti-CSRF token. The responses in Logger++ should show more. If you select a single item in Proxy History, right-click and scan, then Burp will scan just that. – PortSwigger Oct 08 '18 at 10:33
  • Now I am able to scan the single request. But how can I change one of its headers and perform the scan? And also, I found a huge difference in request count under Dashboard that, when I do right click and scan from Site Map, requests count is very less comparing with scan a single request. Why is it so ? – Bala Oct 08 '18 at 13:40
  • @Bala - Right-click request, send to Repeater, make your edits, right-click > Scan. If you create a scan on the Dashboard, it does a crawl and audit which involves more requests than auditing a single item. Any more questions to support@portswigger.net – PortSwigger Oct 08 '18 at 14:04
  • Does Burp Scanner send and validate requests sequentially or in parallel? In the logger, I can see many requests but can't identify whether it's parallel or sequential. – Bala Oct 17 '18 at 07:47
  • @Bala - It's configurable but normally 10 requests in parallel – PortSwigger Oct 17 '18 at 09:13
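The thread above asks what an audit of a single request actually does: whether Burp substitutes payloads into the recorded request, why the mutated POSTs create nothing in the application, and whether the variants go out in parallel. The following Python script is an added illustration of that general mechanism, not Burp's own code and not the asker's application. It takes one recorded POST, builds a variant for every body parameter and every header (the insertion points) with each probe string, sends the variants through a thread pool of 10 workers to mirror the concurrency figure given in the comments, and compares each response to the baseline. The target is a constructed in-process toy application (`toy_app`) that validates its anti-CSRF header and its `owner` field, so, as PortSwigger suggests, most mutated requests are rejected and "create" nothing even though every one of them appears in the log; the payload list and parameter names are illustrative assumptions.

```python
"""Added illustration (not Burp's code) of what a scanner audit of one request does:
substitute payloads into each insertion point, send the variants concurrently,
and compare each response with the baseline. Everything here is constructed."""
import json
import re
from concurrent.futures import ThreadPoolExecutor
from urllib.parse import parse_qs, urlencode

# Constructed sample: one recorded POST as it would sit in Proxy History (assumed names).
BASE_REQUEST = {
    "method": "POST",
    "path": "/api/forms",
    "headers": {
        "Host": "app.example",
        "X-CSRF-Token": "tok123",
        "Content-Type": "application/x-www-form-urlencoded",
    },
    "body": "title=Quarterly+report&owner=bala",
}

# Hypothetical probe strings standing in for a scanner's payload lists.
PAYLOADS = ["'", "<script>alert(1)</script>", "../../etc/passwd"]


def toy_app(request):
    """Constructed stand-in for the target application (not the asker's app).
    Rejects a wrong anti-CSRF token, rejects a non-alphanumeric owner, and
    otherwise 'creates' a form, echoing the title back unescaped in JSON."""
    if request["headers"].get("X-CSRF-Token") != "tok123":
        return 403, json.dumps({"error": "invalid CSRF token"})
    params = {k: v[0] for k, v in parse_qs(request["body"], keep_blank_values=True).items()}
    if not re.fullmatch(r"[A-Za-z0-9_]+", params.get("owner", "")):
        return 400, json.dumps({"error": "invalid owner"})
    return 200, json.dumps({"message": "Form Submitted. Submitted ID:9898",
                            "title": params.get("title", "")})


def insertion_points(request):
    """Yield (name, mutate) pairs: each body parameter and each editable header.
    mutate(payload) returns a copy of the request with that one value replaced."""
    params = {k: v[0] for k, v in parse_qs(request["body"], keep_blank_values=True).items()}
    for name in params:
        def mutate_body(payload, name=name):
            return {**request, "body": urlencode({**params, name: payload})}
        yield f"body:{name}", mutate_body
    for header in request["headers"]:
        if header in ("Host", "Content-Type"):  # structural headers left alone
            continue
        def mutate_header(payload, header=header):
            return {**request, "headers": {**request["headers"], header: payload}}
        yield f"header:{header}", mutate_header


def audit(request, send=toy_app, payloads=PAYLOADS, concurrency=10):
    """Send the baseline, then every (insertion point x payload) variant through a
    pool of `concurrency` workers, and return the baseline plus a per-variant log."""
    base_status, base_body = send(request)
    jobs = [(point, payload, mutate(payload))
            for point, mutate in insertion_points(request)
            for payload in payloads]
    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        responses = list(pool.map(lambda job: send(job[2]), jobs))
    log = []
    for (point, payload, variant), (status, body) in zip(jobs, responses):
        log.append({
            "point": point,
            "payload": payload,
            "status": status,
            "status_changed": status != base_status,  # app reacted differently
            "reflected": payload in body,             # payload echoed verbatim
        })
    return (base_status, base_body), log


def summarize(log):
    """Condense the log into what a tester looks for: how many variants went out,
    which insertion points the app rejected, and where input is reflected."""
    return {
        "requests_sent": len(log),
        "rejected": sorted({e["point"] for e in log if e["status"] != 200}),
        "reflected": sorted({e["point"] for e in log if e["reflected"]}),
    }


if __name__ == "__main__":
    baseline, entries = audit(BASE_REQUEST)
    print("baseline:", baseline)
    for entry in entries:
        print(entry)
    print(summarize(entries))
```

Running it shows the pattern the comments describe: nine variants leave the scanner, the ones that tamper with `owner` or `X-CSRF-Token` come back as 400 or 403 (so no form is created), while `title` is echoed back verbatim, which is the kind of baseline-versus-variant difference a scanner turns into a finding. Pointing `send` at a real HTTP client instead of `toy_app` would make the same loop hit a live target.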