Professional Community

Scoping the effort to audit a website

Before you start testing, it's useful to estimate how much time and effort is required to audit the target website.

These are some of the factors that have an effect on the effort required:

The number of dynamic URLs.
How many parameters each URL contains.
The nature and complexity of the website functionality.

In most cases, dynamic URLs take more effort to audit than static URLs. The effort increases if the website contains more parameters.

This information can also help you to identify the best places to start looking for vulnerabilities.

You can use a number of tools in Burp to help you to scope the effort required to audit a website:

Site map and Inspector
Professional Live audit
Target analyzer

Before you start

Map the target site. For more information, see Mapping the target site.

Steps

Although you need to use your own judgment to determine the scope of the audit, Burp has several features that can help you to estimate the effort required for a specific web application. You can follow along with the process below using ginandjuice.shop, our deliberately vulnerable demonstration site.

Using the Target analyzer

Professional The Target analyzer can give you an idea of the size and complexity of your target:

Go to Target > Site map and select one or more hosts or branches.
Right-click and select Engagement tools > Analyze target. The Target analyzer window opens.
Select the Dynamic URLs or Static URLs tab to see more information about the target.
If you select a parameter in the Parameters tab, Burp lists all the URLs that contain the parameter. Select a URL to see the full request and response.

Note

The Target analyzer only analyzes content that you have mapped.

URLs are classified as static if they don't accept any parameters in the URL or request body. However, responses from these URLs may still be dynamically generated by the application.

Using the site map

You can use the site map to assess the contents of the website:

To identify dynamic URLs, go to Target > Site map and look for the parameter icon in the URL view.
Professional To identify URLs with issues, look for the colored circles next to the tree view icons.
Select items in the site map to see the request and response.

Using Live audit

Professional You can use the Live audit function to help you to scope your target:

In the Dashboard tab, select the live audit from the Tasks list.
Go to the Issues tab and look for information that suggests that your audit will require more effort. For example, the live audit may flag the presence of a file upload function, which will take more effort to test due to the hidden complexity.