Burp Suite User Forum


API-based Crawling and Scanning getting stuck at 98%

Hari | Last updated: Jun 06, 2020 04:20AM UTC

Hi, I have started Burp Suite with the API in headless mode ("java -Xmx4G -Djava.awt.headless=true -jar burpsuite_pro_v2020.4.jar"), referred to the project file and initiated the scan. After about 95% progress of Crawl and Scan, it fails with the message "scan 4 pause and retry count 6". This happens for all the scans that I executed through the CLI. I tried the seltzer extension to see the status of the scan in the console: https://www.coalfire.com/The-Coalfire-Blog/May-2020/Headless,-Unattended-Scanning-in-Burp-Suite-Profes.

[2020-06-06 03:26:57 IST][seltzer] scan 4 auditing 98% complete
[2020-06-06 03:26:57 IST][seltzer] scan 4 Auditing. 16m 13s remaining
[2020-06-06 03:26:57 IST][seltzer] scan 4 paused
[2020-06-06 03:26:57 IST][seltzer] scan 4 Paused.
[2020-06-06 03:26:57 IST][seltzer] scan 4 retry count 1
[2020-06-06 03:27:07 IST][seltzer] scan 4 paused
[2020-06-06 03:27:07 IST][seltzer] scan 4 Paused.
[2020-06-06 03:27:07 IST][seltzer] scan 4 retry count 2
[2020-06-06 03:27:17 IST][seltzer] scan 4 paused
[2020-06-06 03:27:17 IST][seltzer] scan 4 Paused.
[2020-06-06 03:27:17 IST][seltzer] scan 4 retry count 3
[2020-06-06 03:27:27 IST][seltzer] scan 4 paused
[2020-06-06 03:27:27 IST][seltzer] scan 4 Paused.
[2020-06-06 03:27:27 IST][seltzer] scan 4 retry count 4
[2020-06-06 03:27:37 IST][seltzer] scan 4 paused
[2020-06-06 03:27:37 IST][seltzer] scan 4 Paused.
[2020-06-06 03:27:37 IST][seltzer] scan 4 retry count 5
[2020-06-06 03:27:47 IST][seltzer] scan 4 paused
[2020-06-06 03:27:47 IST][seltzer] scan 4 Paused.
[2020-06-06 03:27:47 IST][seltzer] scan 4 retry count 6
[2020-06-06 03:27:57 IST][seltzer] scan 4 paused
[2020-06-06 03:27:57 IST][seltzer] scan 4 Paused.
[2020-06-06 03:27:57 IST][seltzer] scan 4 exceeded retry count aborting...
[2020-06-06 03:28:07 IST][seltzer] scan 4 complete

I am not sure what mistake I made that breaks the scan at 98% without any results.

Uthman, PortSwigger Agent | Last updated: Jun 08, 2020 09:02AM UTC

Hi, Do your scans complete as expected if you launch them normally from within the UI? (i.e. using the New scan option on the Dashboard) What error handling have you set up under Handling Application Errors During Audit in your scan configuration?

Hari | Last updated: Jun 11, 2020 04:52PM UTC

In fact, the target URL is expected to authenticate the server certificate before login, so after 10 consecutive tries the task in Burp fails.

Uthman, PortSwigger Agent | Last updated: Jun 11, 2020 05:57PM UTC

If the scan has progressed to 98%, then authentication is probably not the issue since it looks like that is working as expected. Have you tried increasing the number of audit items required to pause the task from the default 10 to much higher? If you launch the same scan through the UI (using the Scan wizard), does the issue still occur? Have you considered using the generic CI driver to launch your scans if you want to do everything via the CLI? - https://portswigger.net/burp/extender/ci-integration There is a README in the download folder for the generic driver.
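The headless run in the opening post and the retry-count behaviour discussed here both come down to the same thing: a driver that polls the REST API and decides what a "paused" task means. The script below is an added example (not the seltzer extension, not PortSwigger's CI driver and not code from the thread) of driving and watching a Burp Suite Pro scan over the REST API. It separates the HTTP calls from the polling loop so the loop can run offline against constructed status responses modelled on the log above. The listener address, endpoint paths and JSON field names (`scan_status`, `scan_metrics`, `crawl_and_audit_progress`, `crawl_and_audit_caption`, `audit_network_errors`, `issue_events`, the `Location` header carrying the task id) follow the v0.1 REST API as I know it and should be treated as assumptions to check against your Burp version; the sample responses are constructed.

```python
"""Drive and watch a Burp Suite Pro scan over the REST API (added example).

The HTTP layer is kept apart from the polling logic so the loop can be run
offline against constructed responses.  Endpoint paths and JSON field names
are assumptions based on the v0.1 REST API; verify them against your Burp.
"""
import json
import time
import urllib.request
from typing import Callable, Dict, List, Optional

BURP_API = "http://127.0.0.1:1337"          # assumed default REST API listener
TERMINAL_STATES = {"succeeded", "failed", "cancelled"}


def scan_request(url: str, username: Optional[str] = None,
                 password: Optional[str] = None,
                 config_name: str = "Crawl and Audit - Balanced") -> Dict:
    """Body for POST /v0.1/scan. `config_name` must match a configuration in
    the Burp UI. Client TLS certificates are not part of this body; they are
    configured under User options > TLS > Client TLS Certificates."""
    body = {"urls": [url],
            "scan_configurations": [{"type": "NamedConfiguration", "name": config_name}]}
    if username is not None:
        body["application_logins"] = [{"type": "UsernameAndPasswordLogin",
                                       "username": username, "password": password or ""}]
    return body


def _api_url(path: str, api_key: str = "") -> str:
    # With an API key configured, Burp expects it as the first path segment.
    return f"{BURP_API}/{api_key}{path}" if api_key else f"{BURP_API}{path}"


def start_scan(body: Dict, api_key: str = "") -> str:
    """POST the scan; Burp answers 201 with the task id in the Location header."""
    req = urllib.request.Request(_api_url("/v0.1/scan", api_key), method="POST",
                                 data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.headers["Location"]


def fetch_status(task_id: str, api_key: str = "") -> Dict:
    """GET /v0.1/scan/{task_id}: scan_status, scan_metrics and issue_events."""
    with urllib.request.urlopen(_api_url(f"/v0.1/scan/{task_id}", api_key)) as resp:
        return json.load(resp)


def watch_scan(task_id: str, fetch: Callable[[str], Dict], max_paused_polls: int = 6,
               interval: float = 10.0, sleep: Callable[[float], None] = time.sleep,
               log: Callable[[str], None] = print) -> Dict:
    """Poll until the task ends or stays paused for more than `max_paused_polls`
    consecutive polls. Burp pauses a task itself when the "Handling application
    errors during audit" threshold is hit and the API offers no resume, so the
    result carries the metrics needed to diagnose it rather than an empty scan."""
    paused_polls = 0
    while True:
        status = fetch(task_id)
        state = status.get("scan_status", "")
        metrics = status.get("scan_metrics", {})
        progress = metrics.get("crawl_and_audit_progress")
        log(f"scan {task_id} {state} {progress}% {metrics.get('crawl_and_audit_caption', '')}")
        paused_polls = paused_polls + 1 if state == "paused" else 0
        if state in TERMINAL_STATES or paused_polls > max_paused_polls:
            return {"outcome": "aborted_while_paused" if state == "paused" else state,
                    "paused_polls": paused_polls,
                    "progress": progress,
                    "audit_network_errors": metrics.get("audit_network_errors"),
                    "issues": len(status.get("issue_events", []))}
        sleep(interval)


def replay_fetch(responses: List[Dict]) -> Callable[[str], Dict]:
    """Offline stand-in for fetch_status: hands out constructed responses in
    order and repeats the last one once the list is exhausted."""
    it, last = iter(responses), responses[-1]

    def fetch(_task_id: str) -> Dict:
        nonlocal last
        last = next(it, last)
        return last
    return fetch


# Constructed status sequence mirroring the thread's log: 98% into the audit,
# then Burp pauses the task and it never leaves that state.
SAMPLE_RESPONSES = [
    {"scan_status": "auditing",
     "scan_metrics": {"crawl_and_audit_progress": 98, "audit_network_errors": 0,
                      "crawl_and_audit_caption": "Auditing. 16m 13s remaining"},
     "issue_events": [{"id": 1}, {"id": 2}]},
] + [
    {"scan_status": "paused",
     "scan_metrics": {"crawl_and_audit_progress": 98, "audit_network_errors": 10,
                      "crawl_and_audit_caption": "Paused."},
     "issue_events": [{"id": 1}, {"id": 2}]},
] * 7


def demo() -> Dict:
    """Run the watcher against the constructed sequence without sleeping."""
    return watch_scan("4", replay_fetch(SAMPLE_RESPONSES), sleep=lambda _s: None)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a live Burp the same loop is `watch_scan(start_scan(scan_request(url, user, pw)), fetch_status)`. The point of returning `audit_network_errors` alongside the paused count is that a task paused at 98% with a non-zero error count is Burp's error-handling threshold tripping, not a driver bug, which is what to check in the scan configuration before raising the retry budget.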

Hari | Last updated: Jun 12, 2020 01:53AM UTC

Yes, I have increased the consecutive audit tries to 15, but it is the same behaviour. Crawling is successful, but during the audit I have noticed failures. As I said, the target web service requires a certificate to authenticate, which is not happening, so after 10 tries the scan fails. Do you know how to pass the server certificate during the login? I don't want to intercept the browser traffic, which is again manual work. The CI link works for the Enterprise edition; we are using Pro. Do you have any other recommendations?

Uthman, PortSwigger Agent | Last updated: Jun 12, 2020 08:35AM UTC

CI integration is compatible with both products, although recommended for Enterprise. Can you complete the scan within the UI and enable Flow/Logger++ to see if there is a pattern in the failing requests?

Hari | Last updated: Jun 12, 2020 09:04AM UTC

In Logger++, during scanning, all /AccountLogin pages are failing, but immediately afterwards I see a 200 response. As I requested earlier, how can we make the Burp scan use the client certificate for authentication? The same request works when we intercept traffic through the browser. Burp has to pick up the certificate while loading the site and then ask for the credentials, which we will configure through the task.

Hari | Last updated: Jun 12, 2020 09:10AM UTC

There is a small correction to my previous response: in Logger++ I see the /Account/Login page query status is 500 the first time, immediately followed by a 200 response.

Uthman, PortSwigger Agent | Last updated: Jun 12, 2020 09:32AM UTC

Have you tried specifying the certificate under User options > TLS > Client TLS Certificates? If the same request works when you proxy traffic through the browser, do you have the certificate uploaded in your browser?

Hari | Last updated: Jun 12, 2020 09:55AM UTC

Yes, I have uploaded the client certificate under user options, but no luck. In the browser, once we set up the proxy details and browse to the target URL, it first prompts for a certificate to pick from the store; once we pick the certificate, the next step is to authenticate to the site. This I cannot achieve through the Burp task.

Uthman, PortSwigger Agent | Last updated: Jun 12, 2020 09:58AM UTC

Can you send us further information via email, please? support@portswigger.net Ideally, how the authentication process works, type of authentication, details about the site/application, and any relevant screenshots.

Hari | Last updated: Jun 12, 2020 10:01AM UTC

We have uploaded the certificate through the browser; it prompts initially when we hit the target, and we then proceed with further authentication (username/password).
