The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.


How do I run an existing project with saved target on command line

Kelly | Last updated: Jun 01, 2018 05:54PM UTC

I captured traffic from Burp Suite. Then I went to Target > Site Map, right-clicked and did an active scan on the host I captured. I exported the result manually and saved my project to my_captured_project.burp.

My question is: is there any way I can auto-start Burp in the command prompt, run the scan against my captured target and output an XML report with an extension? So far I am able to run this in the command prompt:

"C:\Program Files\Java\jdk1.7.0_79\bin\java.exe" -Xmx2G -Djava.awt.headless=true -jar "C:\BurpSuite\burpsuite_pro_v1.7.33.jar" --project-file="C:\my_captured_project.burp" --report "C:\Temp\my_report.xml"

It looks like it is just exporting the scan results from the previous scan I ran manually but not doing any new scan.

PortSwigger Agent | Last updated: Jun 04, 2018 07:22AM UTC

Hi Kelly,

Burp's automation support is quite limited at present. Most people use the Carbonator extension, which does Spider, Scan and generates a report. If you want to do something a bit different, there is also the "Headless Burp" extension (not in the BApp store at present) and you could code your own extension. We are looking at improving the automation support.

Burp User | Last updated: Jun 06, 2018 06:12PM UTC

Thanks for your reply. If I use the Carbonator extension, is there any way I can pass my options from Proxy > Options there? Like saving them separately from a project file with the .burp extension? I want my proxy service started on a specific host and port number, not 127.0.0.21:8080, and the report in XML instead of HTML. Is that possible?

Proxy: Proxy service started on 127.0.0.1:8080
Proxy: Proxy service stopped on 127.0.0.1:8080
Deleting temporary files - please wait ...
Suite: Failed to delete temp directory: C:\Users\...\burp8967227137524920870.tmp
Failed to delete temp directory: C:\Users\...\burp8967227137524920870.tmp

It looks like the scan stopped because it failed to delete some temp files as well. Is there any way to bypass it?

PortSwigger Agent | Last updated: Jun 07, 2018 06:44AM UTC

Hi Kelly,

Yes, you can. Proxy options are part of Project options. If you save your options (using Burp menu > Project options > Save project options) you can pass this file on the command line using --config-file=xxx.

To get the output in XML format you need to edit the source code of Carbonator. It's a pretty quick change; ask if you need assistance.

Failing to delete the temp files shouldn't stop the scan. You can check this by running Burp and Carbonator in GUI mode (i.e. NOT headless). Please let us know if you need any further assistance.

Burp User | Last updated: Jun 08, 2018 04:52PM UTC

Hi, I ran that in GUI mode and found that the spider actually did not generate a lot of requests compared to the site map I saved previously in my Burp project. If I want to create my extension and run it against the site map I saved with my project, is there any way to do so? Like exporting all the requests and calling doActiveScan one by one, including params, cookies, MIME type, etc.?

PortSwigger Agent | Last updated: Jun 11, 2018 07:47AM UTC

Hi Kelly,

There can be a couple of causes for that: Spider may not be logging in, and Spider also doesn't support JavaScript, which limits its effectiveness on some sites.

An extension can fetch the site map contents, then call doActiveScan() on each request. You probably want to include some simple logic to avoid scanning duplicates. Your extension does not need to identify parameters, cookies, etc. This is done by Scanner.

Please let us know if you need any further assistance.
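
The approach described in the reply above, sketched as an added example that is not part of the original thread and is not PortSwigger's or Carbonator's code. It uses the legacy Extender API from Jython; URL_PREFIX and the duplicate rule (same method, path and parameter names) are assumptions, and a scope check is added so only in-scope items are queued.

```python
# Added example: Burp extension (legacy Extender API, Jython 2.7) that queues
# an active scan for each unique, in-scope request in the saved site map.
try:
    from burp import IBurpExtender       # available only inside Burp/Jython
except ImportError:
    IBurpExtender = object               # lets the file load outside Burp

URL_PREFIX = "https://app.example.test/"  # hypothetical site map prefix


def dedupe_key(method, url, param_names):
    """Assumed duplicate rule: same method, same path, same parameter names.
    Query strings and parameter values are ignored."""
    path = url.split("?", 1)[0]
    return (method.upper(), path, tuple(sorted(set(param_names))))


class BurpExtender(IBurpExtender):
    def registerExtenderCallbacks(self, callbacks):
        callbacks.setExtensionName("Scan saved site map")
        helpers = callbacks.getHelpers()
        seen = set()
        self.queued = []                 # IScanQueueItem handles, for polling
        for item in callbacks.getSiteMap(URL_PREFIX):
            request = item.getRequest()
            if request is None:          # defensive: entry without a request
                continue
            info = helpers.analyzeRequest(item)
            if not callbacks.isInScope(info.getUrl()):
                continue                 # never scan outside the target scope
            names = [p.getName() for p in info.getParameters()]
            key = dedupe_key(info.getMethod(), str(info.getUrl()), names)
            if key in seen:              # already queued an equivalent request
                continue
            seen.add(key)
            svc = item.getHttpService()
            self.queued.append(callbacks.doActiveScan(
                svc.getHost(), svc.getPort(),
                svc.getProtocol() == "https", request))
        callbacks.printOutput("Queued %d unique requests" % len(self.queued))
```

The stored queue items can be polled for status and issues before a report is generated; the full request bytes are passed through unchanged, so Scanner works out the insertion points itself.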

Burp User | Last updated: Jun 15, 2018 05:50PM UTC

I tried to include my login credential with --config-file="auth.json" in Carbonator. Still, I found some servlet requests were never called. I guess I have to get my extender. Is there any way to import the requests from a text or JSON file that I export from the GUI?

PortSwigger Agent | Last updated: Jun 18, 2018 06:54AM UTC