Burp Suite can discover subdomains you didn’t even know existed, and it does it by piggybacking on regular browsing.

Let’s say you’re poking around example.com and Burp’s proxy is intercepting your traffic. As you browse, you might hit a link to app.example.com. Burp sees this, and if app.example.com isn’t already in its known scope, it’ll add it. This seems simple, but it’s the foundation of how Burp builds its site map.

Here’s a live example. Imagine you have just started a scan, or are simply browsing example.com with Burp active.

GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 1234
Connection: keep-alive

<html><body><a href="https://internal.example.com/login">Login</a></body></html>

Burp sees the Host: example.com header and the Content-Length of the response. Crucially, it parses the HTML and finds the href="https://internal.example.com/login". If internal.example.com isn’t in your project’s scope, Burp will automatically add it to its target scope and begin to map it out. This process is automatic and happens as you navigate the site.

The core problem Burp Suite solves here is the inherent difficulty in manually tracking every possible subdomain an organization might be using. DNS records can be scattered, and new subdomains are often spun up for new applications or services without explicit documentation. Burp’s proxy and crawler, by observing traffic and following links, act as a passive discovery engine. It doesn’t need to directly query DNS servers for every possible permutation; it learns what exists by seeing it in action.

The real power comes from combining Burp’s passive discovery with its active crawling and scanning capabilities.

  1. Proxying Traffic: As you manually browse the target application, Burp intercepts all HTTP/S requests and responses. If a response contains a link to a new subdomain, Burp adds it to its "Target" site map. This is the most fundamental way Burp discovers subdomains – by observing live traffic.

  2. Crawling: After passive discovery, Burp’s crawler can be configured to actively explore the discovered subdomains. It follows links, submits forms, and probes for more content. This recursive exploration often uncovers even more subdomains that might not be directly linked from the initial entry points but are part of the same application ecosystem.

  3. Burp Extender (e.g., Subdomain Enumeration Tools): For more aggressive subdomain discovery, you can leverage extensions. Tools like "Subfinder" (which can be integrated via Param Miner or similar) or dedicated subdomain enumeration extensions can perform active DNS lookups, check common subdomain lists, and even use techniques like certificate transparency logs. These extensions augment Burp’s built-in passive methods with more direct, albeit potentially noisier, discovery techniques.

Configuration Levers:

  • Target Scope: In the "Target" tab, you can define your scope. Any host discovered that falls within this scope (or is explicitly added to it) will be actively managed by Burp. You can right-click on a discovered host and "Add to scope."
  • Spider/Crawler Settings: In the Spider configuration (accessible via the "Spider" tab or by right-clicking a target and selecting "Spider this host"), you can control how deep and wide Burp crawls. Options like "Maximum depth" and "Maximum number of requests" dictate the extent of exploration. Crucially, you can configure the spider to "Include in scope" or "Exclude from scope" specific hosts, allowing you to focus its efforts.
  • Extensions: If using an extension, its specific configuration will be accessible through the "Extender" tab. This might involve API keys for external services, lists of resolvers, or custom dictionaries.

The one thing most people don’t realize is how much subdomain discovery Burp does without you doing anything special. Simply browsing through a web application with the Burp proxy enabled is enough for it to start mapping out the entire domain structure, including subdomains that might be hidden behind internal links or not even directly referenced in the HTML but discoverable through JavaScript or API calls. Burp’s ability to parse responses and identify new hostnames is the silent hero here.
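The passive hostname extraction described here (and in the exchange shown earlier) can be reproduced in a few lines. This is an added Python example, not Burp’s code: it parses a constructed response body, collects hostnames from href/src/action attributes and from absolute URLs inside inline JavaScript, and sorts them into hosts that match a configured scope suffix and hosts that do not. The scope check and the sample markup are assumptions for illustration; example.com and example.net are reserved documentation names.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body modelled on the exchange shown earlier (not captured traffic).
SAMPLE_BODY = """<html><body>
<a href="https://internal.example.com/login">Login</a>
<script src="//cdn.example.com/app.js"></script>
<a href="/relative/path">same host</a>
<a href="https://tracker.example.net/pixel">third party</a>
<script>fetch("https://api.example.com/v1/me");</script>
</body></html>"""

URL_ATTRS = {"href", "src", "action"}
ABS_URL_RE = re.compile(r"""https?://[^\s"'<>]+""")

class HostExtractor(HTMLParser):
    # Collect hostnames the way a proxy's passive parser would; relative links stay on base_host.
    def __init__(self, base_host):
        super().__init__()
        self.base_host = base_host.lower()
        self.hosts = set()
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self._add(value)
    def handle_data(self, data):
        # Inline <script> text arrives here, so absolute URLs in JavaScript are caught too.
        for url in ABS_URL_RE.findall(data):
            self._add(url)
    def _add(self, url):
        if url.startswith("//"):          # scheme-relative link: resolve against https
            url = "https:" + url
        host = urlparse(url).hostname
        if host and host.lower() != self.base_host:
            self.hosts.add(host.lower())

def in_scope(host, scope_suffixes):
    # Match the scope host itself or any subdomain of it; "notexample.com" must not match.
    return any(host == s or host.endswith("." + s) for s in scope_suffixes)

def discover(body, base_host, scope_suffixes):
    # Returns (newly seen in-scope hosts, hosts left alone because they are out of scope).
    p = HostExtractor(base_host)
    p.feed(body)
    inside = sorted(h for h in p.hosts if in_scope(h, scope_suffixes))
    outside = sorted(h for h in p.hosts if not in_scope(h, scope_suffixes))
    return inside, outside

print(discover(SAMPLE_BODY, "example.com", {"example.com"}))
```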

Once you have a comprehensive list of subdomains, the next logical step is to understand their purpose and identify potential vulnerabilities within them, often leading to deep application-layer scanning.
