Burp Spider

Burp Spider maps applications using both passive and active methods.

When you start Burp Proxy, it runs by default in the passive spidering mode. In this mode, when the browser is configured to use Burp Proxy, it updates the site map with all of the contents requested through the proxy without sending any further requests. Passive spidering is considered safe, as you have direct control over what is crawled. This becomes important in critical applications that include administrative functionality, which you don't want to trigger.

For effective mapping, the passive spidering mode should be used along with the active mode. Initially, allow Burp Spider to map the application passively as you surf through it, and when you find a web page of interest that needs further mapping, you can trigger the active spidering mode. In the active mode, Burp Spider will recursively request web pages until it maps all of the URLs.

The following screenshot shows the output of passive spidering, as one clicks on the various links in the application. Make sure that you have Burp set as the proxy in the web browser and that interception is turned off before passively mapping the application:

When you want to spider a web page actively, right-click on the link in the Site map section and click on Spider this branch. As soon as you do this, the active spider mode kicks in. In the Spider section, you will see that requests have been made, and the Site map section will be populated with the new items, as shown in the following screenshot:


When the active spider is running, it will display the number of requests made and a few other details. In the Spider Scope section, you can create rules using a regular expression string to define the targets:
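To show how regular-expression scope rules decide what an active crawl may request, the following added example (not code from the book or from Burp) models include and exclude rules in Python. The host `app.example.test`, the paths, and the rule layout (a host regex plus a path regex, with exclude rules overriding include rules) are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed rules for a hypothetical target, app.example.test.
# Each rule is (host regex, path regex); both must match the whole value.
INCLUDE = [(r"app\.example\.test", r"/.*")]
EXCLUDE = [
    (r"app\.example\.test", r"/admin(/.*)?"),       # administrative functions
    (r"app\.example\.test", r"/(logout|signout)"),  # would end the session
    (r".*", r".*/delete.*"),                        # state-changing links
]

def _matches(rules, host, path):
    # fullmatch anchors both ends, so "app.example.test.other.invalid"
    # cannot slip in the way it would with an unanchored search.
    return any(re.fullmatch(h, host, re.I) and re.fullmatch(p, path)
               for h, p in rules)

def in_scope(url):
    """Return True if the URL is included and not excluded."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host, path = parts.hostname, parts.path or "/"
    return _matches(INCLUDE, host, path) and not _matches(EXCLUDE, host, path)

def partition(urls):
    """Split candidate URLs into (allowed, skipped) lists."""
    allowed = [u for u in urls if in_scope(u)]
    skipped = [u for u in urls if not in_scope(u)]
    return allowed, skipped

if __name__ == "__main__":
    # Constructed sample of links a passive site map might contain.
    sample = [
        "https://app.example.test/products",
        "https://app.example.test/admin/users",
        "https://app.example.test/administrator-guide",
        "https://app.example.test/items/delete?id=3",
        "https://app.example.test.other.invalid/",
    ]
    allowed, skipped = partition(sample)
    print("request:", *allowed, sep="\n  ")
    print("skip:", *skipped, sep="\n  ")
```

Running candidate links from the passive site map through rules like these before starting an active crawl shows which administrative or state-changing URLs the scope would still let through.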

