Burp Suite User Forum


Burp Headless Passive Scanning

Matthew | Last updated: Jun 18, 2019 09:59PM UTC

Hi, new to Burp. I'm looking for a way to passively scan HTTP responses from a server to see if there are any vulnerabilities while burp is running headless, but not actively scan. I've found a few "headless" extensions, like https://github.com/NetsOSS/headless-burp/, but it seems that it is centered around active scanning (have to specify target scope/site and let it run). I'm looking to throw an instance of burp in a container that passively listens to the HTTP traffic going in/out of a server to see if any vulnerabilities can be detected. I understand that this is a bit of a niche case, but does anyone have any ideas? Thanks, Matthew

PortSwigger Agent | Last updated: Jun 19, 2019 09:00AM UTC

Thanks for your message. This setup is possible, although it's a little tricky to set up. I suggest that you first run Burp interactively to run the passive scan checks you want. Use a project file. You don't need the Burp Headless extension as you're only doing a passive scan. Then run Burp headless, using the project file from before, and set --unpause-spider-and-scanner. You can then fire the traffic through Burp and it will detect vulnerabilities. To view the vulnerabilities you will need to shut down headless Burp and open it interactively. Not sure how much benefit the headless Burp adds here. Perhaps you'd be better doing the whole thing in interactive Burp.

Burp User | Last updated: Jun 19, 2019 03:46PM UTC

Hey Paul, Thanks for the answer! I should've elaborated further. The end goal is to passively scan HTTP traffic going into many microservices for vulnerabilities in a company's distributed system, so I'm not sure running burp in interactive mode would work (unless there's a way to set up interactive mode automatically via some Dockerfile shenanigans). You mention that viewing the vulnerabilities would require shutting down headless burp and looking at them interactively. I was hoping there might've been some event-based mechanism during a passive scan when a vulnerability was detected, so then I could fire off a Slack message, output to a logging service, etc. I was looking at the Enterprise version for doing something like this as well, if that gives you an idea of the scope (but not sure if it would allow this kind of functionality).

PortSwigger Agent | Last updated: Jun 21, 2019 09:05AM UTC

If you're happy to do some coding, the extension API provides the IScannerListener interface that is called when a new issue is discovered. Enterprise doesn't currently support passive scanning, although this may be added in future.
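As an added illustration of the IScannerListener approach (example code, not PortSwigger's or the forum poster's), the extension below registers a listener with the legacy Extender API (`burp` package) and writes one line per reported issue to Burp's stdout, which is what a container log or log shipper sees when Burp runs headless. The extension name and the severity filter are placeholders chosen for this example.

```java
package burp;

import java.io.PrintWriter;
import java.time.Instant;

// Added example (not PortSwigger's code): a minimal Burp extension that registers an
// IScannerListener so every newly reported issue, passive or active, is written to
// Burp's stdout as a single line. Burp loads the class burp.BurpExtender from the JAR.
public class BurpExtender implements IBurpExtender, IScannerListener {

    private PrintWriter stdout;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        // Burp's stdout stream is the container/console output when running headless.
        this.stdout = new PrintWriter(callbacks.getStdout(), true);
        callbacks.setExtensionName("Issue logger (example)");  // placeholder name
        // Burp calls newScanIssue() on this object for each issue the scanner reports.
        callbacks.registerScannerListener(this);
        stdout.println("issue logger registered");
    }

    @Override
    public void newScanIssue(IScanIssue issue) {
        // Severity values are "High", "Medium", "Low" or "Information";
        // skip informational findings so the log only carries actionable ones.
        if ("Information".equals(issue.getSeverity())) {
            return;
        }
        IHttpService service = issue.getHttpService();
        String host = (service == null)
                ? "unknown"
                : service.getProtocol() + "://" + service.getHost() + ":" + service.getPort();
        // One structured line per issue; a log collector or chat webhook can consume it.
        stdout.println(String.format(
                "%s severity=%s confidence=%s host=%s url=%s issue=\"%s\"",
                Instant.now(), issue.getSeverity(), issue.getConfidence(),
                host, issue.getUrl(), issue.getIssueName().replace("\"", "'")));
    }
}
```

Compile against the Burp Extender API interfaces and add the JAR under the Extender tab while Burp is interactive; extensions recorded in the user options are loaded again on a headless start.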
