Detecting changes in application state

Dafydd Stuttard | 04 August 2018 at 15:34 UTC
MoBP Burp Suite

Modern web applications are heavily stateful: the same application function often returns different content, and behaves differently, on different occasions, depending on the actions the user performed in the meantime. Burp's new crawler is able to detect changes in application state that result from actions it has performed itself during the crawl.

In the example below, navigating the path BC causes the application to transition from state 1 to state 2. Link D goes to a logically different location in state 1 versus state 2. So the path AD goes to the empty shopping cart, while ABCD goes to the populated cart. Rather than just concluding that link D is non-deterministic, the new crawler is able to identify the state-changing path that link D depends on. This allows the crawler to reliably reach the populated cart location in future, to access the other functions that are available from there:
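To make the reasoning concrete, here is an added illustration of the idea in Python. It is not Burp's crawler code, and Burp's actual algorithm is not described on this page; the toy shop (`ToyShop`, links A to E), the `fingerprint`/`replay` helpers and the greedy one-at-a-time reduction in `state_dependency` are all constructed for this example. The script replays the target link in a fresh session with and without the preceding actions, distinguishes a genuinely non-deterministic page (link E, which embeds a random token) from a state-dependent one (link D, the cart), and for the latter reduces the preceding path to the actions the cart's content actually depends on, which here is BC even when the crawler originally reached D via the longer path ABCA.

```python
import hashlib
import secrets


class ToyShop:
    """Constructed toy application. One instance = one fresh session.

    Links: A = home, B = product page, C = add-to-cart (only works while a
    product page is being viewed), D = shopping cart, E = a page carrying a
    random per-response token (genuinely non-deterministic, for contrast).
    """

    def __init__(self):
        self.viewing = None   # product currently being viewed
        self.cart = []        # server-side cart state

    def request(self, link):
        if link == "A":
            self.viewing = None
            return "home: products [widget]"
        if link == "B":
            self.viewing = "widget"
            return "product: widget [add to cart]"
        if link == "C":
            if self.viewing is None:
                return "nothing to add"
            self.cart.append(self.viewing)
            return "added widget to cart"
        if link == "D":
            return "cart: " + (", ".join(self.cart) if self.cart else "empty")
        if link == "E":
            return "token: " + secrets.token_hex(8)
        raise ValueError(f"unknown link {link!r}")


def fingerprint(body):
    """Reduce a response to a short stable digest for comparison."""
    return hashlib.sha256(body.encode()).hexdigest()[:12]


def replay(new_session, path):
    """Walk the whole path in a fresh session; fingerprint the last response."""
    session = new_session()
    body = ""
    for link in path:
        body = session.request(link)
    return fingerprint(body)


def state_dependency(new_session, baseline, actions, target):
    """Find which of `actions` the outcome of `target` depends on.

    baseline : links already known to reach the area (e.g. ["A"])
    actions  : links walked before `target` on the path that produced a
               different response (e.g. ["B", "C"])
    Returns:
      []     -> target is not state-dependent on these actions
      None   -> target varies even on identical replays (truly non-deterministic)
      [..]   -> minimal subsequence of actions the target's outcome depends on
    """
    full = baseline + actions + [target]
    want = replay(new_session, full)
    if replay(new_session, full) != want:
        return None
    if replay(new_session, baseline + [target]) == want:
        return []
    # Greedy one-at-a-time reduction (an assumption of this example; Burp's
    # real algorithm is not described here): drop each action in turn and
    # keep only those whose removal changes the target's response.
    needed = list(actions)
    i = 0
    while i < len(needed):
        trial = needed[:i] + needed[i + 1:]
        if replay(new_session, baseline + trial + [target]) == want:
            needed = trial
        else:
            i += 1
    return needed


if __name__ == "__main__":
    print(state_dependency(ToyShop, ["A"], ["A", "B", "C", "A"], "D"))  # ['B', 'C']
    print(state_dependency(ToyShop, ["A"], ["B", "C"], "A"))            # []
    print(state_dependency(ToyShop, ["A"], ["B"], "E"))                 # None
```

The replay-in-a-fresh-session step is what lets a crawler tell the two cases apart: a page that differs between two identical replays is non-deterministic, whereas a page that is stable per replay but differs across paths is state-dependent, and the reduced path is what the crawler must re-walk to reach that state again later. A real crawler has to budget these replays, since each trial is a full fresh-session walk against the target.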