Burp Suite User Forum

Headless-Burp Not Recognizing License

Logan | Last updated: Jun 26, 2023 10:26PM UTC

I'm currently trying to test out the capabilities of Headless-Burp with BurpSuite Pro, but when prompted for the license key, it responds with "The supplied license key was not recognized. Please try re-entering your license key." I currently only have a trial license and the desktop hasn't had any issues with it. The exact command I am using is "java -Xmx1G -Djava.awt.headless=true -classpath BurpSuitePro/burpsuite_pro.jar burp.StartBurp --unpause-spider-and-scanner --project-file=project.burp -c config.xml" and just in case there was an issue with copying and pasting the license, I created a bash script to automatically enter it when prompted, but this has the same issue as when I paste it in manually. Is there a fix for this?

Ben, PortSwigger Agent | Last updated: Jun 27, 2023 08:14AM UTC

Hi Logan, It is important to note that the Headless-Burp extension is not written by PortSwigger and is, instead, a third-party extension. Any issues with this particular extension should be raised on the author's GitHub repository, here - https://github.com/NetsOSS/headless-burp/issues?q=is%3Aopen+is%3Aissue. Having said the above, are you able to confirm which version of Burp and which version of Java you are currently trying to use? Can you also confirm whether you are using the specific standalone Jar version of Burp that is available from our release page?

Logan | Last updated: Jun 27, 2023 03:14PM UTC

Hello Ben, I am using OpenJDK Version 17.0.7 JRE and the standalone BurpSuite Pro version 2023.5.4.

Ben, PortSwigger Agent | Last updated: Jun 28, 2023 09:35AM UTC

Hi Logan, As this is written by a third party (and does not appear to have been updated in a number of years), I am not entirely sure of the requirements with regards to what version of Java needs to be used (it could well be that the later version of Java required to run the later version of Burp is not compatible with running this particular extension). I would still suggest raising an issue with the author on their GitHub page in order to double check this with them.

Logan | Last updated: Jun 28, 2023 04:15PM UTC

That's unfortunate. I will check with them on the GitHub, but my company has approved the purchase of multiple licenses if the headless mode works. Please let me know if you know of any other methods or troubleshooting techniques.

Ben, PortSwigger Agent | Last updated: Jun 28, 2023 04:49PM UTC

Hi Logan, Can you provide some more details around your use case and what you are trying to achieve by trying to use Burp Professional headlessly? Burp Professional is really designed to be used as a desktop application, with the UI, in order to perform manual testing and some ad-hoc scanning so it would be useful to know how you were intending to use Burp Professional.

Logan | Last updated: Jun 29, 2023 03:32PM UTC

We have a requirement to run BurpSuite from an existing environment that does not allow for a GUI.

Ben, PortSwigger Agent | Last updated: Jun 30, 2023 07:31AM UTC

Hi Logan, I assume from that, that you are only interested in using the scanning capabilities of Burp Professional rather than any of the other tools (which are not readily available without the UI)?

Logan | Last updated: Jun 30, 2023 02:03PM UTC

That is correct. We only need to run scans, and we are only able to use Burp Professional.

Ben, PortSwigger Agent | Last updated: Jul 03, 2023 02:38PM UTC

Hi Logan, Thank you for the confirmation. It is unfortunate that you can only run Burp Professional as it sounds like Burp Enterprise would have been a better choice for your organization. As noted, Burp Professional has really been designed to be used with the GUI and is also not really designed for repeat, scheduled scanning.

Logan | Last updated: Jul 03, 2023 03:40PM UTC

Is there really nothing that you can do? In the past couple days I've experimented with other Java versions, including just using the pre-packaged JRE that comes with BurpSuite. Would it be possible for you to attempt running BurpSuite in headless mode in your environment to see if you have a similar issue?

Ben, PortSwigger Agent | Last updated: Jul 04, 2023 12:39PM UTC

Hi Logan, I experience the same issue as you. I would presume the issue lies in the fact that the later versions of Burp require, at a minimum, Java 17 (the later, installable version comes packaged with Java 19) whereas the extension itself is likely to require an earlier version (as the extension has not been updated in several years I would assume later Java versions are simply not compatible). In addition to this (and probably more importantly), if you take a look at some of the issues that have been reported on the author's GitHub - the author confirms that the extension has not been tested with the Burp version that was available in October 2019 so is unlikely to work with current Burp (there were some significant changes made between the older 1.7.x versions and the new 2.x versions of Burp). From the discussions within the 'Issue' section of the GitHub repository, I would imagine that even if you were able to get this running that the extension would not function in the manner that you are expecting. With regards to what we can do - as noted, we do not write these extensions so the Headless Burp extension is not our software. We have had some internal discussions regarding removing older extensions that have not been updated but have come to no firm conclusions (some people still use older versions of Burp so in some cases these extensions are still valid). Realistically, I cannot think of a way to cover what you wish to achieve (you could, of course, take the code from this extension and adapt it yourself but that is not going to be an easy or quick solution). There is a native headless mode that can be used from the command line (you could then initiate scans via the REST API) but there is no native functionality to generate HTML/XML vulnerability reports as a result of your scans other than using the UI (you can obtain issues in JSON format via the REST API but this is obviously not quite the same as having a fully fledged HTML report). 
I think it is fair to say that the kind of functionality that you require is really what we would consider legacy and was in place before our Burp Enterprise product was created and available to users.

Logan | Last updated: Jul 06, 2023 03:03PM UTC

Hello Ben, Thank you for the informative response! It was my understanding that the REST API was only available on Burp Enterprise. Would you be able to give me some basic information on running a scan through the REST API? I understand that I will not be able to obtain the information through an HTML/XML report, but would all of the information in the standard HTML/XML report be available in the non-graphical JSON report?

Ben, PortSwigger Agent | Last updated: Jul 07, 2023 11:16AM UTC

Hi Logan, The REST API is shared between both Burp Professional and Burp Enterprise (it is really considered legacy now because Enterprise now has its own GraphQL API that has far more functionality available to it but it is still available in both products). It is designed to be self documenting from the interactive service URL so we do not have any extensive documentation on it but, if you access the service URL you will see the following endpoints available to you (you can configure this within the Suite -> REST API section of Burp): https://snipboard.io/eYIVLr.jpg

I have included an example of running a scan via the REST API using the interactive service URL below (effectively, this is just using a curl command to initiate the scan so can be run outside of the interactive service URL): https://snipboard.io/kcBGSa.jpg

Details for an issue are still returned in the JSON format (so what the issue is, description, URL, request and response etc).

Logan | Last updated: Jul 07, 2023 04:04PM UTC

Hello Ben, Thank you! This looks like it will work for us. Is there a way for me to reach you more effectively for any future questions?

Logan | Last updated: Jul 07, 2023 04:13PM UTC

(Also, would you be willing to provide sample configs for name, scope, application_logins, scan_configurations, resource_pool, scan_callback, and protocol_option?)

Ben, PortSwigger Agent | Last updated: Jul 11, 2023 07:22AM UTC

Hi Logan, Emailing us at support@portswigger.net is probably a better route than using the forum. A lot of those additional settings are optional and Burp will use defaults if nothing else is provided (for example if no scan configuration is specified Burp will use a balanced configuration) so what settings you need to use is going to be fairly dependent upon your approach to scanning. Thinking about this more deeply, the one issue you are likely to hit is configuring your scans to authenticate against your target sites (if that is indeed applicable to the sites that you are intending to test). The simple approach of supplying a username/password combination will work and is fairly simple to set up but the more versatile recorded login approach is reliant on recording a sequence within a browser, using Burp's Navigation Recorder in the embedded browser, and then supplying this to your scan. Without having a browser available to you then you may well be limited in terms of the authentication that you can perform (the login credential method will only work in certain circumstances).
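
An added example, not part of the thread and not PortSwigger's code, of the REST API workflow described in the replies above: build a scan request that leaves optional settings to Burp's defaults, start it, and reduce the JSON issues to a short summary. The service URL, endpoint paths and JSON field shapes are assumptions to check against the interactive service URL of your own Burp instance; the target host and sample response are constructed.

```python
import json
import urllib.request

# Assumption: Burp's REST API is enabled on its local service URL with no API key.
BASE_URL = "http://127.0.0.1:1337/v0.1"

def build_scan_request(urls, username=None, password=None, config_name=None):
    """Build the scan body; omitted optional fields fall back to Burp's defaults."""
    body = {"urls": list(urls)}
    if username is not None and password is not None:
        # Simple username/password login; the object shape is an assumption.
        body["application_logins"] = [{"type": "UsernameAndPasswordLogin",
                                       "username": username, "password": password}]
    if config_name:
        body["scan_configurations"] = [{"type": "NamedConfiguration", "name": config_name}]
    return body

def start_scan(body, base_url=BASE_URL):
    """POST the scan and return the Location header, which identifies the task."""
    req = urllib.request.Request(base_url + "/scan", data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.headers.get("Location")

def get_scan(task_id, base_url=BASE_URL):
    """Fetch progress and issues for a task as parsed JSON."""
    with urllib.request.urlopen(f"{base_url}/scan/{task_id}", timeout=30) as resp:
        return json.load(resp)

def summarize_issues(task):
    """Flatten issue events into (severity, confidence, name, url), worst first."""
    rank = {"high": 0, "medium": 1, "low": 2, "info": 3}
    rows = []
    for event in task.get("issue_events", []):
        issue = event.get("issue", {})
        rows.append((issue.get("severity", "info"), issue.get("confidence", ""),
                     issue.get("name", ""), issue.get("origin", "") + issue.get("path", "")))
    return sorted(rows, key=lambda r: rank.get(r[0], len(rank)))

# Constructed sample of a task response, not output from a real scan.
SAMPLE_TASK = {"scan_status": "succeeded", "issue_events": [
    {"issue": {"name": "Strict transport security not enforced", "severity": "low",
               "confidence": "certain", "origin": "https://app.example.test", "path": "/"}},
    {"issue": {"name": "Cross-site scripting (reflected)", "severity": "high",
               "confidence": "firm", "origin": "https://app.example.test", "path": "/search"}}]}

if __name__ == "__main__":
    print(json.dumps(build_scan_request(["https://app.example.test"]), indent=2))
    for row in summarize_issues(SAMPLE_TASK):
        print(*row, sep=" | ")
```

Read the login credentials from the environment or a secrets store rather than the script, since the request body carries them in clear text to the local API.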