Introduction
In this lab, you will learn how to use one of Burp Suite's powerful features: "Compare site maps". This feature is essential for web application security testing, particularly for identifying authorization vulnerabilities. By comparing the site structure and content accessible to users with different privilege levels, you can quickly spot endpoints or data that are improperly exposed.
You will perform the following actions:
- Start a simple, local web application with two user roles: a standard user and an administrator.
- Use Burp Suite's built-in browser to explore the application as a low-privilege user.
- Initiate the site map comparison process, saving the low-privilege user's view as the first map.
- Log in as a high-privilege user and explore the application again to populate the site map with new administrative functions.
- Complete the comparison and analyze the results to identify content and endpoints accessible only to the administrator.
Browse an Application as a Low-Privilege User
In this step, you will start Burp Suite, configure its browser, and browse the target application as a standard, low-privilege user. This will populate Burp's site map with all the endpoints and resources accessible to this user.
First, open Burp Suite. You can find it in the application menu, usually under Applications -> Other -> Burp Suite Community Edition. When prompted, select a temporary project and click Next, then Start Burp.
Once Burp Suite is running, you need to use its embedded browser to ensure all traffic is proxied correctly.
- Go to the Proxy tab, then the Intercept sub-tab.
- Check that the toggle button reads "Intercept is off". If interception is on, every request will pause for your approval instead of flowing straight through to the site map.
- Click the Open Browser button. A new Chromium browser window will open, already configured to proxy through Burp.
Now, use this browser to interact with the web application.
- In the address bar of the new browser, navigate to http://127.0.0.1:5000.
- You will see a login page. Enter user for the username and password for the password.
- Click the Login button.
- You will be redirected to the user dashboard. Visit every link you can reach as this user; the comparison can only report what was actually requested, so anything you skip here will be missing from map 1. For this simple app, just viewing the dashboard is enough.
Now, go back to the main Burp Suite window and navigate to the Target -> Site map tab. You will see the application's structure being mapped out based on your browsing.
In Target > Site map, Select the Host and Choose 'Compare site maps'
In this step, you will initiate the site map comparison process. You have already populated the site map with the perspective of a low-privilege user. Now, you will tell Burp Suite that you want to use this current map as the first point of comparison.
- In the Burp Suite window, make sure you are on the Target -> Site map tab.
- In the left-hand pane, you will see a tree view of the sites you have visited. Find and select the host for our application, http://127.0.0.1:5000.
- Right-click on the host http://127.0.0.1:5000. This will open a context menu with many options.
- From the context menu, navigate to Engagement tools and then click on Compare site maps.
This action will open the "Compare site maps" wizard, which will guide you through the setup of the comparison.
(Image description: A screenshot showing the right-click context menu in Burp Suite's site map, with the cursor highlighting the 'Compare site maps' option under 'Engagement tools'.)
In the Wizard, Select 'Use current site map' for Map 1
In this step, you will configure the first of the two site maps for comparison. The wizard you opened in the previous step allows you to define the source for both maps.
The "Compare site maps" wizard is now open. It has two main sections, one for "Site map 1" and one for "Site map 2". You will configure the first map now and the second map later.
- In the "Site map 1" configuration area, you will see several options for where to load the map from.
- Select the radio button labeled Use current site map. This tells Burp to take a snapshot of the site map as it exists right now (reflecting the low-privilege user's session) and use it as the baseline for the comparison.
- Do not click OK yet. The wizard needs to be configured for both maps. For now, you have set the first map. You will leave this wizard open while you perform the next actions.
You have now successfully defined the first site map for comparison. The wizard will wait for you to define the second map.
Log in as a High-Privilege User and Browse the Application Again
In this step, you will switch to a high-privilege user account and browse the application again. This will add new, admin-only endpoints to Burp's site map, which is exactly what we want the comparison to surface.
- Return to the Burp-embedded Chromium browser window.
- Navigate back to the login page at http://127.0.0.1:5000. In this lab's app, loading the login page starts a fresh session, which logs you out of the 'user' account. Against a real application, log out explicitly or clear the browser's cookies first, so that none of the admin walk is recorded under the user's session.
- On the login page, enter admin for the username and adminpassword for the password.
- Click the Login button.
- You will be redirected to the dashboard, which now shows a welcome message for the 'admin' user and includes a new link: Go to Admin Panel.
- Click the Go to Admin Panel link. This will take you to the /admin page, which was not linked from the standard user's dashboard.
By performing these actions, you have caused Burp Suite to record requests to new endpoints (like /admin) and see different responses for existing endpoints (like /dashboard). The live site map in Burp is now updated with this new information.
Select 'Use current site map' for Map 2 and View the Differences
In this final step, you will complete the comparison configuration and analyze the results to find the differences between the low-privilege and high-privilege sessions.
- Return to the Burp Suite window, where the "Compare site maps" wizard should still be open.
- Now focus on the "Site map 2" configuration area.
- Just as you did for the first map, select the radio button labeled Use current site map. This time, the "current" map contains everything recorded so far: the low-privilege walk plus the admin walk. Map 2 is therefore a superset of map 1, and the interesting results will be in the "only in map 2" and "different responses" lists.
- Click the OK button to run the comparison.
A new "Site map comparison" window will appear, displaying the results. This window has three main panels showing:
- Items only in map 1: Endpoints that existed in the first session but not the second. With the method used here this list is empty, because map 2 still contains everything the user requested.
- Items only in map 2: Endpoints that were discovered only in the second session. This is where privileged functionality shows up; these are the candidates to test for authorization issues.
- Items with different responses: Endpoints that both users could access, but which returned different content.
Look at the "Items only in map 2" list. You should see the /admin endpoint. This tells you that /admin was reached only in the admin session; it does not yet tell you whether the server enforces that. To check, send the /admin request to Repeater, replace the admin session cookie with the standard user's cookie (or remove it entirely), and confirm the response is a 403 or a redirect to the login page rather than the admin panel. If the admin page comes back, the link was merely hidden and access control is broken.
Click on the /dashboard entry in the "Items with different responses" list. At the bottom, you can see the request and response for each map. Use the Diff button to see a side-by-side comparison, which will highlight the extra "Go to Admin Panel" link available to the admin.
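The whole procedure, as an added example that is neither Burp's code nor the lab's Flask app: it models what the wizard computes (items only in one map, items with different responses, a line diff of two bodies) and then performs the check the comparison sets up, replaying every admin-only item in the low-privilege session. Two constructed in-process "servers" stand in for the target so nothing is sent over the network; one enforces the role on /admin, the other only hides the link. The paths, bodies and role names are assumptions that mirror the lab's description.

```python
"""Model of Burp's 'Compare site maps' plus the follow-up access-control check.

Added example for this lab; it is not Burp code and not the lab's Flask app.
Two constructed in-process "servers" stand in for the target so nothing is
sent over the network: one enforces the role on /admin, the other only hides
the link. Paths and bodies are assumptions mirroring the lab's description.
"""
import difflib
import hashlib
from typing import Callable, Dict, Iterable, List, Tuple

Response = Tuple[int, str]               # (HTTP status, body)
Server = Callable[[str, str], Response]  # (role, path) -> Response

USER_DASH = "<h1>Welcome, user</h1>"
ADMIN_DASH = "<h1>Welcome, admin</h1>\n<a href='/admin'>Go to Admin Panel</a>"
ADMIN_PAGE = "<h1>Admin Panel</h1>"


def secure_server(role: str, path: str) -> Response:
    """Constructed target: /admin checks the session's role server-side."""
    if path == "/":
        return 200, "<form>login</form>"
    if path == "/dashboard":
        return 200, ADMIN_DASH if role == "admin" else USER_DASH
    if path == "/admin":
        return (200, ADMIN_PAGE) if role == "admin" else (403, "forbidden")
    return 404, "not found"


def broken_server(role: str, path: str) -> Response:
    """Same target, except /admin relies on the link being hidden from users."""
    if path == "/admin":
        return 200, ADMIN_PAGE  # no role check: broken access control
    return secure_server(role, path)


def build_site_map(server: Server, role: str, paths: Iterable[str]) -> Dict[str, Response]:
    """Record one response per path, as the site map does while you browse."""
    return {p: server(role, p) for p in paths}


def fingerprint(resp: Response) -> str:
    """Status plus a body hash, so 'different response' catches any change."""
    return f"{resp[0]}:{hashlib.sha256(resp[1].encode()).hexdigest()[:16]}"


def compare_site_maps(map1: Dict[str, Response], map2: Dict[str, Response]) -> Dict[str, List[str]]:
    """The three buckets the comparison window reports."""
    shared = set(map1) & set(map2)
    return {
        "only_in_map1": sorted(set(map1) - set(map2)),
        "only_in_map2": sorted(set(map2) - set(map1)),
        "different": sorted(p for p in shared if fingerprint(map1[p]) != fingerprint(map2[p])),
    }


def response_diff(body1: str, body2: str) -> List[str]:
    """Changed lines only, like the wizard's Diff view of two responses."""
    diff = difflib.unified_diff(body1.splitlines(), body2.splitlines(),
                                "map1", "map2", lineterm="")
    return [l for l in diff if l[:1] in ("+", "-") and l[:3] not in ("+++", "---")]


def recheck_as_low_priv(server: Server, comparison: Dict[str, List[str]],
                        admin_map: Dict[str, Response], low_role: str = "user") -> List[str]:
    """The actual authorization test the comparison sets up: replay every
    admin-only item in the low-privilege session. A finding is a 200 whose
    body matches what the admin got, i.e. the role was never enforced."""
    findings = []
    for path in comparison["only_in_map2"]:
        low = server(low_role, path)
        if low[0] == 200 and fingerprint(low) == fingerprint(admin_map[path]):
            findings.append(path)
    return findings


def run_lab(server: Server):
    """Map 1: the user's walk. Map 2: the live map after the admin's walk,
    which still holds the user's entries plus the admin's newer responses."""
    map1 = build_site_map(server, "user", ["/", "/dashboard"])
    map2 = dict(map1)
    map2.update(build_site_map(server, "admin", ["/dashboard", "/admin"]))
    comparison = compare_site_maps(map1, map2)
    return comparison, recheck_as_low_priv(server, comparison, map2)


if __name__ == "__main__":
    for name, srv in (("secure", secure_server), ("broken", broken_server)):
        cmp_, findings = run_lab(srv)
        print(name, cmp_, "low-priv can reach:", findings)
```

Against both servers the comparison itself looks identical: /admin is only in map 2 and /dashboard differs. Only the replay step separates the correctly protected application from the broken one, which is why the comparison is the start of the access-control test rather than its conclusion.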
Summary
In this lab, you have successfully used Burp Suite's "Compare site maps" feature to analyze an application's access controls. You learned how to systematically capture the state of an application from the perspective of two different users and then compare them to automatically identify differences.
Specifically, you discovered an administrative endpoint (/admin) that is reachable only through the admin's dashboard. A hidden link is not access control: the comparison surfaces such endpoints so that you can re-request them with a low-privilege session and confirm that the server, not just the user interface, enforces the role. This method is a fundamental part of a thorough web application security assessment, allowing you to efficiently map out the attack surface and find potential security flaws.
