Along with advice on how to use Burp, you should also not forget to customise the following:
Form Submission:
To set suitable names and values for forms submitted by Burp, as I presume you don't want to send 'Weiner' :-)
Within the Burp window - navigate to the 'Spider' tab and then the 'options' menu. From here you should update the standard values within the forms section:
Click on each value and select 'edit', change the value and then click on the 'update' field before selecting the next value:
Payload:
You can also edit the default payloads that are used within Burp. This can be done by unpacking the .jar file. This example uses 7Zip to unpack the latest Burp file.
Firstly right click on the .jar file and select open with 7Zip. This will show:
Then open up burp\PayloadStrings\:
From this folder, select fuzzing - full.pay. Within this file you will see options that can be configured to your specific needs (highlighted in the following image):
Spider:
For manual spidering then Burps own help page has the following advice:
passively spider as you browse - If checked, Burp Spider will process
all HTTP requests made through Burp
Proxy, to identify links and forms on
web pages visited. Using this option
can enable Burp Spider to build up a
detailed picture of an application's
contents even when you have only
browsed a subset of that content with
your browser, because all content that
is linked from visited content is
automatically added to the Suite site
map.
This is done by visiting the 'Spider' tab and then selecting the 'options' tab:
This way, you control the generation of the site map without flooding the host with traffic.
Hope this helps.
