Full training is available for free at:
http://hackademy.aetherlab.net
In this lecture we are going to discuss two modules, the Target and the Spider. I will show how you can use the Target module to get a better understanding of the structure and how to use the Spider to discover every hidden part of the target application.
Website: http://aetherlab.net
Blog: / gergely.revay
Video Transcript:
All right. In this section we are gonna talk about two modules, and these two are gonna be the Target and the Spider. First, just a quick summary of what they do and then we will go into details. So the Target, you will actually quickly figure it out, but the Target is just a structured view of what’s gone through your Burp. So you see here everything that has gone through your Burp Suite in a very well structured view.
And the Spider is a web spider so if you’re familiar with the concept of webcrawling or webspidering, then that’s exactly what it does. So it’s gonna try to discover the whole application for you to find out all the existing pages. So what it does, it’s gonna start from, I actually tried to draw it for you. So it’s gonna start with one page and then collect all the references on that page to other pages. This could be like an href or some JavaScript reference or a form that you can submit or anything like that. And so it collects all these references and then loads them and does the same on the new page. So it loads this one as well, does it here as well. So that’s how it discovers all the available sites. At the end, what you’re gonna have is a tree where all the nodes are pages and all the links are references between those pages. Right. So you will have a really good overview of what’s in your application.
This is good because sometimes, you could do this manually, so you could come to, for instance, to the WebGoat and then start clicking all the links and start submitting everything. But for one, it would take a lot of time and it’s also possible that you don’t see everything because, for instance, a link was hidden on the page or there was a hidden form or something was in a comment. So it’s possible that you just don’t see it here on the interface, but it’s still in your HTML code. And the Spider will load that as well, and it’s also much faster than you so that’s why the Spider is good.
There are also disadvantages of using the Spider. I actually don’t use it that much because the Spider is gonna click more or less on everything. So it can also delete something from your application. So if there’s something in the application like an event or like a document saved there and if there is a delete button there, then the Spider will click on the delete button. And it’s possible it’s gonna delete it from there because that’s how the Spider works. So you definitely shouldn’t use Spider if it’s a productive system and also you need to think about this when you consider using the Spider.
It also has options, most of which are pretty straightforward so I don’t think it’s important to talk about them. I suggest you check them out yourself. What is important is this form submission. So you define how Burp should react when it finds a form. So forms should be filled with some kind of data. So that’s what you can do here, either say you don’t want to submit forms or you can say that you always want to have like a pop up window and fill out the form yourself or you can give here some basic data that should be used to fill out forms. It depends on you. Of course, if you say Prompt for guidance, then it will be much slower because you always get this pop up window and it’s gonna also be more annoying I guess.
And another important point is this Application Login. So alone, the Spider can’t handle applications where you need to log in because it wouldn’t be able to log in without knowing the credentials. So it’s the same as with the normal forms. You can say what to do in that case, either give these credentials and then Burp is gonna try to use those credentials. It’s also possible that it wouldn’t work because of how the login form is implemented but Burp will try. But it could also prompt you for guidance, but again, you’re gonna get this window that you need to fill out yourself. The rest is more or less about speed throttling so that’s not really important for us right now. And that’s more or less the Spider.
--Cut due to length limit --
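The crawl described in the transcript, as an added example (not code from the lecture or from Burp Suite): a breadth-first spider over a constructed in-memory site that collects link, script, form and comment references, builds the page tree, and records state-changing references instead of requesting them. The `SITE` pages, the `RISKY` keyword list and all function and class names are assumptions made for illustration.

```python
from collections import deque
from html.parser import HTMLParser
import re

# Constructed sample site (not from the lecture): path -> HTML body.
SITE = {
    "/": '<a href="/docs">Docs</a><script src="/app.js"></script>'
         '<!-- <a href="/admin">old admin link</a> -->',
    "/docs": '<a href="/">Home</a><a href="/docs/delete?id=7">Delete</a>'
             '<form action="/search" method="get" hidden></form>',
    "/admin": '<form action="/admin/purge" method="post"></form>',
    "/app.js": "", "/search": "",
}
RISKY = re.compile(r"delete|remove|purge|logout", re.I)  # assumed keyword list

class RefCollector(HTMLParser):
    """Collect (kind, url, method) references the way a spider would."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.refs.append(("link", a["href"], "GET"))
        elif tag == "script" and a.get("src"):
            self.refs.append(("script", a["src"], "GET"))
        elif tag == "form" and a.get("action"):
            self.refs.append(("form", a["action"], a.get("method", "get").upper()))
    def handle_comment(self, data):
        # Links inside HTML comments are invisible in the browser but still in the source.
        inner = RefCollector()
        inner.feed(data)
        self.refs += [("comment-" + k, u, m) for k, u, m in inner.refs]

def crawl(start="/"):
    """Breadth-first crawl; returns (page tree, skipped state-changing references)."""
    tree, skipped, seen, queue = {}, [], {start}, deque([start])
    while queue:
        page = queue.popleft()
        parser = RefCollector()
        parser.feed(SITE.get(page, ""))
        tree[page] = [url for _, url, _ in parser.refs]
        for kind, url, method in parser.refs:
            if method != "GET" or RISKY.search(url):
                skipped.append((page, url, method))  # record it, never request it
            elif url not in seen:
                seen.add(url)
                queue.append(url)
    return tree, skipped
```

The `/admin` page is reached only through the commented-out link, and both the delete link and the purge form end up in `skipped` rather than being followed, which is the behaviour to want from a crawler pointed at a system holding real data.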