- Hands-On Bug Hunting for Penetration Testers
- Joseph Marshall
- 378 words
- 2021-07-16 17:53:10
Manual Walkthroughs
If the app doesn't have a sitemap, and you don't want to use a scanner, you can still create a layout of the site's structure by navigating through it, without having to take notes or screenshots. Burp allows you to link your browser to the application's proxy, where it will then keep a record of all the pages you visit as you step through the site. As you map the site's attack surface, you can add or remove pages from the scope to ensure you control what gets investigated with automated workflows.
Doing this manual-with-an-assist method can actually be preferable to using an automated scanner. Besides being less noisy and less damaging to target servers, the manual method lets you tightly control what gets considered in-scope and investigated.
First, connect your browser to the Burp proxy.
Portswigger provides support articles to help you. If you're using Chrome, you can follow along with me here. Even though we're using Chrome, we're going to use the Burp support article for Safari because the setting in question is in your Mac settings: https://support.portswigger.net/customer/portal/articles/1783070-Installing_Configuring%20your%20Browser%20-%20Safari.html.
Once your browser is connected to the proxy (and you've turned the Intercept function off), go to http://burp/.
If you do this through your Burp proxy, you'll be redirected to a page where you can download the Burp certificate. We'll need the certificate to remove any security warnings and allow our browser to load static assets:

After you download the certificate, you just need to go to your Keychain settings, File | Import Items, and upload your Burp certificate (a .der file). Then you can double-click it to open another window where you can select Always Trust This Certificate:

After browsing around a site, you'll start to see it populating information in Burp. Under the Target | Site map tabs, you can see URLs you've hit as you browse through Burp:

Logging into every form, clicking on every tab, following every button – eventually you'll build up a good enough picture of the application to inform the rest of your research. And because you're building this picture within Burp, you can add or remove URLs from scope, and send the information you're gathering to other Burp tools for follow-up investigation.
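The walkthrough above relies on Burp to do two things: record every URL the browser touches, and let you decide which of them count as in scope. As an added example (not code from the book), the script below reproduces that bookkeeping on a constructed list of proxied URLs: regex include/exclude rules approximate Burp's scope settings, and the resulting site map collapses repeated hits into one entry per host and path, noting the query parameter names seen on each. The URLs, hostnames and rules are all made up for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample: URLs as a proxy would log them while you browse (not real traffic).
VISITED = [
    "https://app.example.test/login",
    "https://app.example.test/account/settings",
    "https://app.example.test/account/settings?tab=security",
    "https://app.example.test/static/app.js",
    "https://cdn.example.test/fonts/roboto.woff2",
    "https://tracker.example.test/pixel.gif",
    "https://app.example.test/api/v1/orders/1234",
]

# Assumed scope rules (regexes over the full URL), modelled on Burp's include/exclude lists.
INCLUDE = [r"^https://app\.example\.test/"]
EXCLUDE = [r"\.(js|css|woff2?|gif|png)$"]


def in_scope(url, include, exclude):
    """A URL is in scope if it matches at least one include rule and no exclude rule."""
    if not any(re.search(p, url) for p in include):
        return False
    return not any(re.search(p, url) for p in exclude)


def site_tree(urls, include, exclude):
    """Build host -> path -> sorted query parameter names from in-scope URLs only.
    Repeated visits to one endpoint collapse into a single entry."""
    tree = defaultdict(lambda: defaultdict(set))
    for url in urls:
        if not in_scope(url, include, exclude):
            continue
        parts = urlsplit(url)
        params = parse_qs(parts.query, keep_blank_values=True)
        tree[parts.netloc][parts.path or "/"].update(params)  # adds the parameter names
    return {h: {p: sorted(q) for p, q in sorted(paths.items())} for h, paths in tree.items()}


def render(tree):
    """Indented text view of the site map, one host per block."""
    lines = []
    for host in sorted(tree):
        lines.append(host)
        for path, params in tree[host].items():
            suffix = f"  params: {', '.join(params)}" if params else ""
            lines.append(f"  {path}{suffix}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(site_tree(VISITED, INCLUDE, EXCLUDE)))
```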