Burp Suite User Forum

Automating Burp Pro - docker issues (Activation & REST API availability)

George | Last updated: Sep 24, 2020 01:52PM UTC

Hi,

I'm attempting to automate Burp licensing and run Burp with the REST API in headless mode via a Docker container. This is how I'm invoking Burp: "java -Djava.awt.headless=true -jar scanners/burp/burpsuite_pro.jar --config-file=Project-options.json --config-file=User-options.json". Both files were exported from the host machine.

I always seem to get prompted for activation. I've been using the following script for this: https://gist.github.com/pajswigger/f0caac124a02d94aa1ebbc46921d84ea. It has now started giving me the error: "No more activations allowed for this license."

I've also noticed that the REST API does not appear to come online within the container, even after successful manual activation. I confirmed this by dropping into a Docker shell and running curl http://127.0.0.1:1337. But if I run the same command on my host machine, it all starts with no problem.

I've since found this dockerized Burp example: https://github.com/security-dockerfiles/burp

I assume the idea is to create a volume for ".java" (which looks to store the licensing information), and let the container write relevant files back to the host? Though copying my current host's .java folder onto the container doesn't seem to work; it still prompts me for a key (even though /root/.java/.userPrefs/burp/prefs.xml exists and contains a valid license key from my host PC), so I'm not really sure.

1/ How can I remove the "No more activations allowed for this license." error?
2/ Which method is the intended way to license an automated Burp, and get the Burp REST API up within the container?

George | Last updated: Sep 24, 2020 03:25PM UTC

Update - I think the REST API not starting on launch may be due to the "do you want to delete temp project files" prompt, which is sometimes given, though I can't confirm this in the Docker container as I can no longer activate the license. Is it possible to disable that prompt, and always just "delete temp files"?

Liam, PortSwigger Agent | Last updated: Sep 25, 2020 09:15AM UTC

Could we ask what you mean when you say you are trying to automate Burp Pro? What functionality are you hoping to automate?

George | Last updated: Sep 25, 2020 09:28AM UTC

Hi Liam,

I am trying to make the license permanent across all Burp Docker containers so that I can then automate active scanning of domains via the new-ish REST API's /scan endpoint. I'm also hoping to automate extensions being part of those scans, and flag custom issues. I am able to get these loaded into Burp via the --config-file, though I haven't looked into the possibility of getting them automatically started upon POST /scan (I assume some may just start, but other extensions may need tweaking?).

Liam, PortSwigger Agent | Last updated: Sep 25, 2020 11:43AM UTC

Burp Suite Enterprise is intended for this use case: https://portswigger.net/burp/enterprise

We don't currently support dockerised agents, but this is part of our near-term roadmap. We also have plans to add support for Burp Extensions.

Please let us know if you need any further assistance.

George | Last updated: Sep 25, 2020 02:28PM UTC

Hi,

It seems this has been done in some form before - see https://forum.portswigger.net/thread/automate-burp-license-activation-d7489f56

The agent suggested using the script to license Burp in headless mode within the image, then re-using the same activation repeatedly. Though it's not possible for me to do this since I get "no more activations allowed for this license". Would it be possible to remove this block so that I can attempt to activate Burp within the image? It is a multi-user license - I can provide the details in PM or email.

Thanks

Liam, PortSwigger Agent | Last updated: Sep 28, 2020 12:28PM UTC

If you can provide the details in a PM, we can provide an additional activation to allow you to use Burp (support@portswigger.net). We don't support the method described in the thread. We've created Burp Enterprise for this use case.