A Risky Burp Suite Module: Active Spider


I am sure most of you are familiar with Burp Suite. It has many useful modules for pentesters, but some of them can be dangerous, such as Spider.

During an application pentest, the most important early step is increasing the attack surface and understanding the application. Web spidering is an application-mapping technique and can be done either manually or automatically. Various tools can perform automated spidering of websites.

Burp Suite has two different spidering options: active and passive. If you choose to work with active mode, you should be aware of its danger: active spidering automatically requests every link it discovers in the pages you have visited during the test.

If you are testing a vulnerable application and that application:

1-Allows unauthorized access to its functions

2-Triggers those functions with the HTTP GET method

then the spider can delete or update critical data, as far as the application supports such operations and triggers them via GET.

For example, requesting the following link may delete the record with id=1.

<vulnerableHost>function.php?id=1&action=delete

The POST method can be dangerous too, but while spidering Burp prompts you for form parameters before submitting them, so POST is much safer than GET in this respect.

Spider is a very nice module once you know the application's behaviour. So it is recommended not to use active spidering at the beginning of testing; when it is mandatory, it is a good idea to use a logging extension such as Logger++ to keep a record of what the spider requested.
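A pre-spider triage check, added here as an example and not part of the original post: it takes links already seen in the proxy history (a constructed sample below), and flags those whose query parameters or path segments look state-changing, like the function.php?id=1&action=delete link above, so they can be excluded from the spider's scope or exercised by hand first. The parameter names and verb list are assumptions to be tuned per application.

```python
"""Flag GET-reachable links that look state-changing before letting the
Burp spider loose on them.  Input is a list of URLs harvested from proxy
history (constructed sample below); output is the subset worth excluding
from the spider's scope or reviewing manually first."""
from typing import Optional
from urllib.parse import urlparse, parse_qs

# Verbs that commonly mark a state-changing action when they appear as a
# parameter value or a path segment (assumed list; extend per application).
STATE_CHANGING = {"delete", "remove", "update", "edit", "disable", "logout",
                  "reset", "approve", "cancel", "purge"}
# Parameter names that usually carry such a verb (assumed list).
ACTION_PARAMS = {"action", "act", "op", "cmd", "do", "mode"}


def risky_reason(url: str) -> Optional[str]:
    """Return why a URL looks state-changing, or None if it looks safe."""
    parts = urlparse(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    for name, values in query.items():
        if name.lower() in ACTION_PARAMS:
            for value in values:
                if value.lower() in STATE_CHANGING:
                    return f"query parameter {name}={value}"
    for segment in parts.path.lower().split("/"):
        if segment in STATE_CHANGING:
            return f"path segment /{segment}/"
    return None


def triage(urls):
    """Split URLs into (safe, risky); risky is a list of (url, reason)."""
    safe, risky = [], []
    for url in urls:
        reason = risky_reason(url)
        if reason:
            risky.append((url, reason))
        else:
            safe.append(url)
    return safe, risky


# Constructed sample of links a tester might have seen in proxy history.
SAMPLE_URLS = [
    "http://target.example/function.php?id=1&action=delete",
    "http://target.example/function.php?id=1&action=view",
    "http://target.example/admin/users/42/remove",
    "http://target.example/products?page=2",
]

if __name__ == "__main__":
    safe, risky = triage(SAMPLE_URLS)
    for url, reason in risky:
        print(f"EXCLUDE FROM SPIDER: {url}  ({reason})")
    print(f"{len(safe)} link(s) look safe to spider")
```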