- Ensure Burp and OWASP BWA VM are running, and Burp is configured in the Firefox browser used to view the OWASP BWA applications.
- From the OWASP BWA landing page, click the link to the OWASP Mutillidae II application:
- Go to the Burp Spider tab, then go to the Options sub-tab and scroll down to the Application Login section. Select the Automatically submit these credentials radio button. Type admin into the username textbox and admin into the password textbox:
- Return to Target | Site map and ensure the mutillidae folder is added to scope by right-clicking the mutillidae folder and selecting Add to scope:
- Optionally, you can clean up the Site map to only show in-scope items by clicking Filter: Hiding out of scope and not found items; hiding CSS, image and general binary content; hiding 4xx responses; hiding empty folders:
- After clicking the Filter: … bar, you will see a drop-down menu appear. In this drop-down menu, check the Show only in-scope items box. Now, click anywhere in Burp outside of the drop-down menu to make the filter disappear again:
- You should now have a clean Site map. Right-click the mutillidae folder and select Spider this branch.
If prompted to allow out-of-scope items, click Yes.
- You should immediately see the Spider tab turn orange:
- Go to the Spider | Control tab to see the number of requests, bytes transferred, and forms in queue:
Let Spider finish running.
- Notice that Spider logged into the application using the credentials you provided in the Options tab. On Target | Site map, look for the /mutillidae/index.php/ folder structure:
- Search for an envelope icon that contains password=admin&login-php-submit-button=Login&username=admin:
This is evidence that Spider used the login information you provided in the Spider | Options | Application Login section.
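To make clear what the Spider did behind the scenes in the steps above, here is a small model of an authenticated, scope-limited spider. This is an added example, not Burp's own code: it requests only in-scope URLs, records out-of-scope links without fetching them (the equivalent of the greyed-out items in the Site map), and, when it meets a form with a password field, fills it with the configured credentials and records the submission, which is where the envelope item with `password=admin` and `login-php-submit-button=Login` comes from. The site is constructed in memory so it runs offline; the hosts bwa.local and other.local, the `spider`, `fill_form` and `in_scope` functions, and the login-field name list are all assumptions of this example.

```python
"""Model of an authenticated, scope-limited spider (added example, not Burp's
code). Three behaviours from the recipe are mirrored: only in-scope URLs are
requested, out-of-scope links are noted but skipped, and a form containing a
password field is submitted with configured credentials. The site below is
constructed in memory; bwa.local and other.local are hypothetical hosts."""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin, urlparse

# Constructed sample site: a landing page, a login page using the same field
# names Mutillidae uses, a home page, and one link that leaves the scope.
SITE = {
    "http://bwa.local/mutillidae/index.php": """
        <a href="index.php?page=login.php">Login</a>
        <a href="http://other.local/x">Elsewhere</a>
        <a href="index.php?page=home.php">Home</a>""",
    "http://bwa.local/mutillidae/index.php?page=login.php": """
        <form action="index.php?page=login.php" method="post">
          <input name="username">
          <input name="password" type="password">
          <input type="submit" name="login-php-submit-button" value="Login">
        </form>""",
    "http://bwa.local/mutillidae/index.php?page=home.php": "<p>Home</p>",
}


class PageParser(HTMLParser):
    """Collects anchor hrefs and form definitions from one HTML page."""

    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # valueless attributes come through as None, hence the `or` defaults
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").lower(),
                          "inputs": []}
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["inputs"].append(
                (a["name"], (a.get("type") or "text").lower(), a.get("value") or ""))

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def in_scope(url, scope_prefix):
    """Burp-style folder scope: same scheme and host, path under the scoped folder."""
    u, s = urlparse(url), urlparse(scope_prefix)
    return (u.scheme, u.netloc) == (s.scheme, s.netloc) and u.path.startswith(s.path)


def fill_form(form, page_url, credentials):
    """Build the submission for a form. A form with a password field is treated
    as the application login and filled with the configured credentials; all
    other fields (including the submit button) keep their default values."""
    is_login = any(ftype == "password" for _, ftype, _ in form["inputs"])
    fields = []
    for name, ftype, value in form["inputs"]:
        if is_login and ftype == "password":
            value = credentials["password"]
        elif is_login and ftype == "text" and name.lower() in ("username", "user", "login", "email"):
            value = credentials["username"]
        fields.append((name, value))
    return {"method": form["method"].upper(),
            "url": urljoin(page_url, form["action"]),
            "body": urlencode(fields),
            "login": is_login}


def spider(start_url, scope_prefix, credentials, fetch):
    """Breadth-first crawl. Returns (visited, submissions, skipped_out_of_scope)."""
    queue, visited, submissions, skipped = deque([start_url]), [], [], []
    while queue:
        url = queue.popleft()
        if url in visited or url in skipped:
            continue
        if not in_scope(url, scope_prefix):
            skipped.append(url)  # noted for the site map, never requested
            continue
        visited.append(url)
        parser = PageParser()
        parser.feed(fetch(url))
        queue.extend(urljoin(url, href) for href in parser.links)
        for form in parser.forms:
            sub = fill_form(form, url, credentials)
            submissions.append(sub)
            queue.append(sub["url"])  # follow the form's action like any other link
    return visited, submissions, skipped


def crawl_sample():
    """Run the spider over the constructed site with admin/admin, as in the recipe."""
    return spider("http://bwa.local/mutillidae/index.php",
                  "http://bwa.local/mutillidae/",
                  {"username": "admin", "password": "admin"},
                  lambda url: SITE.get(url, ""))


if __name__ == "__main__":
    visited, submissions, skipped = crawl_sample()
    print("visited:", *visited, sep="\n  ")
    print("skipped (out of scope):", *skipped, sep="\n  ")
    for sub in submissions:
        print(f"{sub['method']} {sub['url']}\n  {sub['body']}")
```

Running it lists the three in-scope pages, the one skipped out-of-scope link, and a single POST to the login page whose body carries the three form fields. Field order in the body follows the form's own order here, whereas Burp shows its own ordering in the Site map entry, so compare by field rather than by exact string.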