Burp Suite User Forum

Carbonator : No HTTPS traffic

Ubaid | Last updated: Oct 18, 2022 12:21PM UTC

I have configured Carbonator and I am running the following command:

    java -jar -Xmx2g -Djava.awt.headless=true /home/webscanner/BurpSuitePro/burpsuite_pro.jar https example.com 443 / --user-config-file=Config/userNew.json --project-file=Projects/test31.burp --unpause-spider-and-scanner

The scan runs without any issue; however, the results I get seem to be incorrect. Following are the reasons for this assumption:

1. When I open this project file in the UI, I notice that https://example.com is automatically added to "Exclude from Scope" under Target>Scope.
2. Under Target>Sitemap only http://example.com is listed.

Following are the extensions added to userNew.json:

    "extensions":[
        {
            "errors":"console",
            "extension_file":"/home/webscanner/.BurpSuite/bapps/3123d5b5f25c4128894d97ea1acc4976/activeScan++.py",
            "extension_type":"python",
            "loaded":true,
            "name":"activeScan++",
            "output":"console"
        },
        {
            "errors":"console",
            "extension_file":"/home/webscanner/.BurpSuite/bapps/9cff8c55432a45808432e26dbb2b41d8/build/libs/backslash-powered-scanner-all.jar",
            "extension_type":"java",
            "loaded":true,
            "name":"Backlash Powered Scanner",
            "output":"console"
        },
        {
            "errors":"console",
            "extension_file":"/home/webscanner/.BurpSuite/bapps/f078b9254eab40dc8c562177de3d3b2d/aws.py",
            "extension_type":"python",
            "loaded":true,
            "name":"AWS Security Checks",
            "output":"console"
        },
        {
            "errors":"console",
            "extension_file":"/home/webscanner/.BurpSuite/bapps/47027b96525d4353aea5844781894fb1/burp/target/attacksurfacedetector-release-1.13-jar-with-dependencies.jar",
            "extension_type":"java",
            "loaded":true,
            "name":"Attack Surface Detector",
            "output":"console"
        },
        {
            "bapp_serial_version":7,
            "bapp_uuid":"c9fb79369b56407792a7104e3c4352fb",
            "errors":"console",
            "extension_file":"bapps/c9fb79369b56407792a7104e3c4352fb/target/burp-vulners-scanner-1.2.jar",
            "extension_type":"java",
            "loaded":true,
            "name":"Software Vulnerability Scanner",
            "output":"console"
        },
        {
            "errors":"console",
            "extension_file":"/home/webscanner/burp_automation/carbonator//carbonator.py",
            "extension_type":"python",
            "loaded":true,
            "name":"Carbonator",
            "output":"console"
        }
    ],

Am I missing something? Why is https://example.com not scanned?

Hannah, PortSwigger Agent | Last updated: Oct 20, 2022 09:36AM UTC

Hi,

I've tried testing this out and have received similar results to yours. In my case, the crawl performed by Carbonator was scanning the https site, and my site map was being populated. However, the only issues reported were from the http version of the site. Additionally, the installation was shut down before the scan could complete.

You can raise this as an issue on the extension author's GitHub repository here: https://github.com/integrissecurity/carbonator/issues
