The Sitemap presents captured traffic as a navigable tree of hosts and paths. Where the Logger is a chronological log of every flow, the Sitemap is a structural index — one node per unique URL path, with all observed methods, status codes, and parameters aggregated underneath.
This is the view to open when you ask “what’s the actual attack surface here?” rather than “what just happened?”
Tree Structure
example.com (host)
├── / [GET 200] [POST 405]
├── /api/v1/users
│   ├── / [GET 200] [POST 201]
│   └── /{id} [GET 200] [PATCH 200] [DELETE 204]
└── /admin
    └── /dashboard [GET 200, requires-auth]
Path parameters (/users/42, /users/43) are normalized into route templates (/users/{id}) so a busy API doesn’t explode the tree.
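As an added illustration of the normalization and aggregation described above (example code, not the tool's own implementation): variable-looking path segments are collapsed into placeholders, and flows are rolled up per host, route template and method into a status-code distribution. The `{uuid}` and `{hash}` placeholder names and the sample flows are assumptions; the page only shows `{id}`.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample flows, not captured traffic: (method, url, status).
SAMPLE_FLOWS = [
    ("GET", "https://example.com/", 200),
    ("POST", "https://example.com/", 405),
    ("GET", "https://example.com/api/v1/users", 200),
    ("POST", "https://example.com/api/v1/users", 201),
    ("GET", "https://example.com/api/v1/users/42", 200),
    ("GET", "https://example.com/api/v1/users/43", 200),
    ("PATCH", "https://example.com/api/v1/users/42", 200),
    ("DELETE", "https://example.com/api/v1/users/43", 204),
    ("GET", "https://example.com/files/3f2504e0-4f89-11d3-9a0c-0305e82c3301", 200),
    ("GET", "https://example.com/admin/dashboard", 401),
    ("GET", "https://example.com/admin/dashboard", 200),
]

# Segment shapes that get collapsed into a placeholder. The {uuid}/{hash}
# names are an assumption; the page only documents {id}.
UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
HEX_RE = re.compile(r"^[0-9a-f]{16,}$", re.I)


def normalize_segment(segment):
    """Replace a variable-looking path segment with a route placeholder."""
    if segment.isdigit():
        return "{id}"
    if UUID_RE.match(segment):
        return "{uuid}"
    if HEX_RE.match(segment):
        return "{hash}"
    return segment


def route_template(path):
    """/api/v1/users/42 -> /api/v1/users/{id}; the root path stays '/'."""
    segments = [normalize_segment(s) for s in path.split("/") if s]
    return "/" + "/".join(segments)


def build_sitemap(flows):
    """host -> route template -> method -> Counter of status codes."""
    sitemap = defaultdict(lambda: defaultdict(lambda: defaultdict(Counter)))
    for method, url, status in flows:
        parts = urlsplit(url)
        sitemap[parts.netloc][route_template(parts.path)][method][status] += 1
    return sitemap


def render(sitemap):
    """Flat text rendering: one line per route with [METHOD statuses] tags."""
    lines = []
    for host in sorted(sitemap):
        lines.append(f"{host} (host)")
        for path in sorted(sitemap[host]):
            tags = " ".join(
                f"[{method} {','.join(str(c) for c in sorted(codes))}]"
                for method, codes in sorted(sitemap[host][path].items())
            )
            lines.append(f"  {path} {tags}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_sitemap(SAMPLE_FLOWS)))
```

With the eleven constructed flows the index has five routes for example.com; the two `/users/42` and `/users/43` GETs land on one `/api/v1/users/{id}` node with a GET 200 count of 2.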
Host List
The left column is the host index. Each host shows:
- Total flows captured
- Unique paths
- Method coverage (which verbs have been seen)
- In-scope marker
- Last-seen timestamp
Click a host to expand its path tree on the right.
Path Detail
Click any path node to open the detail slide-over:
- Methods observed — list of HTTP methods + per-method status code distribution
- Parameters — every query/body/header param seen on this route, with sample values and detected types (numeric ID, UUID, email, JWT, etc.)
- Reflections — params that reflect into the response (XSS candidates surface here)
- Auth signals — does this endpoint require auth? Detected from 401/403 responses on unauthenticated requests
- Latency stats — min / median / p95 / max
- Recent flows — last 20 flow IDs touching this path; click to open in Logger
- Findings — any vulnerabilities tied to this path
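The detail fields above can be derived from a route's observed flows. The following is an added example (not the tool's code) that computes method/status distribution, parameter types, reflections, the auth signal and latency percentiles from constructed observations; the record layout, the type names and the `authenticated` flag (whether the request carried credentials) are assumptions.

```python
import re
import statistics
from math import ceil

# Constructed observations for one route, not captured traffic. The
# "authenticated" flag records whether the request carried credentials, so a
# 401/403 can be attributed to an unauthenticated call.
SAMPLE_OBSERVATIONS = [
    {"method": "GET", "status": 401, "authenticated": False, "latency_ms": 12,
     "params": {"q": "alpha"}, "body": "unauthorized"},
    {"method": "GET", "status": 200, "authenticated": True, "latency_ms": 35,
     "params": {"q": "alpha", "id": "42"}, "body": "results for alpha"},
    {"method": "GET", "status": 200, "authenticated": True, "latency_ms": 20,
     "params": {"q": "beta", "id": "43", "contact": "a@example.com"},
     "body": "results for beta"},
    {"method": "GET", "status": 200, "authenticated": True, "latency_ms": 50,
     "params": {"token": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2ln"},
     "body": "ok"},
    {"method": "POST", "status": 403, "authenticated": False, "latency_ms": 900,
     "params": {"ref": "3f2504e0-4f89-11d3-9a0c-0305e82c3301"}, "body": "forbidden"},
]

UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


def classify_param(value):
    """Guess a parameter value's type. The type labels are an assumption."""
    if value.isdigit():
        return "numeric-id"
    if UUID_RE.match(value):
        return "uuid"
    if EMAIL_RE.match(value):
        return "email"
    if JWT_RE.match(value):
        return "jwt"
    return "string"


def collect_params(observations):
    """name -> {"types": sorted detected types, "samples": up to 3 values}."""
    params = {}
    for obs in observations:
        for name, value in obs["params"].items():
            entry = params.setdefault(name, {"types": set(), "samples": []})
            entry["types"].add(classify_param(value))
            if value not in entry["samples"] and len(entry["samples"]) < 3:
                entry["samples"].append(value)
    return {n: {"types": sorted(e["types"]), "samples": e["samples"]}
            for n, e in params.items()}


def find_reflections(observations):
    """Params whose value appears verbatim in the response body.
    Very short values are skipped to avoid accidental matches."""
    reflected = set()
    for obs in observations:
        for name, value in obs["params"].items():
            if len(value) >= 3 and value in obs["body"]:
                reflected.add(name)
    return sorted(reflected)


def auth_signal(observations):
    """'requires-auth' if an unauthenticated request drew 401/403,
    'open' if an unauthenticated request succeeded, else 'unknown'."""
    unauth = [o["status"] for o in observations if not o["authenticated"]]
    if any(s in (401, 403) for s in unauth):
        return "requires-auth"
    if any(200 <= s < 300 for s in unauth):
        return "open"
    return "unknown"


def latency_stats(observations):
    """min / median / p95 (nearest-rank) / max, in milliseconds."""
    lat = sorted(o["latency_ms"] for o in observations)
    p95 = lat[ceil(0.95 * len(lat)) - 1]
    return {"min": lat[0], "median": statistics.median(lat),
            "p95": p95, "max": lat[-1]}


def path_detail(observations):
    """Assemble the per-route detail record from its observations."""
    methods = {}
    for o in observations:
        per_method = methods.setdefault(o["method"], {})
        per_method[o["status"]] = per_method.get(o["status"], 0) + 1
    return {"methods": methods,
            "params": collect_params(observations),
            "reflections": find_reflections(observations),
            "auth": auth_signal(observations),
            "latency": latency_stats(observations)}


if __name__ == "__main__":
    print(path_detail(SAMPLE_OBSERVATIONS))
```

Note the auth signal is only as good as the credential bookkeeping: a 403 on an authenticated request says nothing about whether the route is open, which is why the check looks solely at unauthenticated flows.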
Filters
Toolbar filters narrow the visible tree:
- In-scope only — hide out-of-scope hosts
- Search — substring match on host or path
- Method — show only paths with this method observed
- Status — show only paths returning these status codes
- Has params — only paths with at least one parameter
- Has findings — only paths with associated vulnerabilities
- Tags — flow-level tag filter
Discovery Workflow
The Sitemap is the source-of-truth for what you’ve actually seen. Common workflow:
- Drive the target through the proxy via browser + crawler.
- Open Sitemap, switch to In-scope only.
- Scan the path list for gaps — endpoints with auth required vs not, admin-only paths, JSON APIs without referer/origin checks.
- Right-click a path → Send all flows to Scanner to run the active scanner against every flow on that route.
Export
Export the current sitemap via the Export button:
- JSON (default) — full structured sitemap
- CSV — flat tabular for spreadsheet analysis
Other formats (OpenAPI, plain URL list) are not currently shipped — convert externally from the JSON if you need them.
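An added example of the external conversion suggested above (not part of the tool): it turns a JSON sitemap export into a plain URL list and a minimal OpenAPI skeleton. The export schema is not documented on this page, so the `hosts -> paths -> methods -> status codes` shape used here is an assumption, as is the sample document.

```python
import json
import re

# Constructed JSON export. The real schema is undocumented on this page, so
# this hosts -> paths -> methods -> status-code shape is an assumption.
SAMPLE_EXPORT = json.loads("""
{
  "hosts": [
    {
      "host": "example.com",
      "scheme": "https",
      "paths": [
        {"path": "/", "methods": {"GET": [200], "POST": [405]}},
        {"path": "/api/v1/users", "methods": {"GET": [200], "POST": [201]}},
        {"path": "/api/v1/users/{id}",
         "methods": {"GET": [200], "PATCH": [200], "DELETE": [204]}},
        {"path": "/admin/dashboard", "methods": {"GET": [200, 401]}}
      ]
    }
  ]
}
""")

PLACEHOLDER_RE = re.compile(r"\{([^}/]+)\}")


def to_url_list(export):
    """One absolute URL per route template, in export order."""
    urls = []
    for host in export["hosts"]:
        base = f"{host.get('scheme', 'https')}://{host['host']}"
        for entry in host["paths"]:
            urls.append(base + entry["path"])
    return urls


def to_openapi(export):
    """Minimal OpenAPI 3 document: one path item per route, one operation per
    observed method, observed status codes as responses. Route placeholders
    such as {id} become required path parameters of type string."""
    paths = {}
    for host in export["hosts"]:
        for entry in host["paths"]:
            item = {}
            names = PLACEHOLDER_RE.findall(entry["path"])
            if names:
                item["parameters"] = [
                    {"name": n, "in": "path", "required": True,
                     "schema": {"type": "string"}}
                    for n in names
                ]
            for method, codes in entry["methods"].items():
                item[method.lower()] = {
                    "responses": {str(c): {"description": "observed in proxy traffic"}
                                  for c in codes}
                }
            # OpenAPI has a single paths map, so identical paths on different
            # hosts would collide; export one host subtree at a time.
            paths[entry["path"]] = item
    servers = [{"url": f"{h.get('scheme', 'https')}://{h['host']}"}
               for h in export["hosts"]]
    return {"openapi": "3.0.3",
            "info": {"title": "sitemap export", "version": "0.0.0"},
            "servers": servers,
            "paths": paths}


if __name__ == "__main__":
    print("\n".join(to_url_list(SAMPLE_EXPORT)))
    print(json.dumps(to_openapi(SAMPLE_EXPORT), indent=2))
```

The resulting OpenAPI file is a skeleton only: it records what was observed (methods, status codes, path parameters), not request or response schemas, which the sitemap does not carry.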
Right-Click Actions
On a host node:
- Send all flows to Scanner
- Send all flows to Crawler (recursive expansion)
- Add to Scope (in or out)
- Export host subtree
- Delete all flows (purges captured data for this host)
On a path node:
- Send flows to Scanner / Repeater (one tab per flow) / Comparer
- Run Param Discover on this path
- Run FFuzzer with FUZZ in the path
- Open in Intelligence view (cross-flow analysis)
On a flow row (right-click):
- Send to Repeater / Intruder / Comparer / Sequencer
- Open in Scanner
- Copy URL / Copy as cURL / Copy request
- Add host to scope / Exclude host from scope
- Filter HTTP History by host
- Open in Authorize (BAC) (Pro) — sets the Authorize view’s host filter to this flow’s host and switches views. Matrix, findings, and corpus panels all scope to the host on arrival. Invisible to Community tier.
- Open in Workflows
- Highlight flow (color submenu)
- Delete flow
MCP
The site_map MCP tool exposes the same data programmatically:
- hosts — list all hosts with stats
- hosts_simple — host names only
- host — details for one host
- paths — list paths for a host
- flows — list flows for a host/path
- path_detail — detailed info for one host+path
- search — substring search across URLs
- stats — aggregated statistics
- tree — hierarchical tree (the same data the UI renders)
- export — export the sitemap (JSON or CSV)