The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.


How to activate Burp Suite inside Docker image?

Frank | Last updated: Jul 10, 2023 01:27PM UTC

Hi,

I have tried to create a docker with the Pro version of Burp following this article https://burpsuite.guide/blog/activate-burpsuite-inside-docker-container/ using method 2, and there is no way around it: every time I run docker (java -Djava.awt.headless=true -jar burpsuite.jar), it always asks me to activate the license. I don't see an error. I've tried activating the manual license, and online it doesn't give me any error, but every time I run again, Burp asks me for the license.

Could someone give me a clue what I'm doing wrong? I've tried the latest version of Burp (Version 2023.6.2 (2023.6.2)) with several licenses, and I always get the same result. I also tried the version that appears in the article, and it's the same thing: it always asks me to activate the license.

Here is the Dockerfile I am testing:

    FROM openjdk:17-jdk-slim
    WORKDIR /root
    RUN apt-get -qq update && apt-get install -y curl wget expect
    #I have tried both ways getting the burp from the website, and another having a local version in the bin folder
    #RUN wget -q -O burpsuite.jar "https://portswigger.net/burp/releases/download?product=pro&version=2021.5.1&type=Jar"
    ADD bin/* /root/
    COPY license.txt /root/license.txt
    COPY activate /root/activate
    RUN expect activate
    EXPOSE 8080
    EXPOSE 1337

I have tried using activate and manually from the docker terminal, and it's always the same. Every time I run:

    java -Djava.awt.headless=true -jar burpsuite.jar

I get:

    This version of Burp requires a license key. To continue, please paste your license key below.

Regards,
Frank

Dominyque, PortSwigger Agent | Last updated: Jul 11, 2023 09:11AM UTC

Hi Frank,

Please note that we do not support this functionality, so there is no documentation for this. The article is not written by PortSwigger. Spinning up docker images would force you to quickly hit your activation limit. Thus, we do not recommend using this method.

Frank | Last updated: Jul 11, 2023 01:08PM UTC

Thanks for your answer. Could you clarify the limit (quickly hit your activation limit)?

In the scenario that I need to run an instance of Burp against several different websites (Burp1 -> website1, Burp2 -> website2, and so on), what would you recommend: the Pro version through the API, or would the Enterprise version be appropriate? Any advice would be appreciated.

Regards,
Frank

Dominyque, PortSwigger Agent | Last updated: Jul 12, 2023 06:28AM UTC

Hi Frank,

The Professional licenses come with a certain number of activations, and sometimes, given the use case, if a customer hits the limit, we can provide them with a few more activations. In this case, we would be less inclined to want to keep giving more activations due to how many additional activations would be needed.

So that I can get a bit more information on your workflow: Can I ask why you are using Docker for this? Is there a specific reason it can't be done on your physical machine or a VM? Would you be spinning up a Docker image, scanning a site, and then deleting that image? If this is the case, I highly recommend using Burp Suite Enterprise.

Frank | Last updated: Jul 12, 2023 04:56PM UTC

Thanks for your answer. What I'm trying to do is a flow where an application calls a serverless API, and it runs the docker with Burp; then, through the Burp API, I tell it the site I want to scan, and when it finishes, I read the results and release the docker. That way I don't have a virtual machine or a dedicated AWS EC2. I want to run it a few times a week.

Any advice is welcome.

Regards,
Frank

Dominyque, PortSwigger Agent | Last updated: Jul 13, 2023 08:29AM UTC

Hi Frank,

Thank you for expanding. Burp Suite Professional is not designed to be used this way, considering your desired workflow. It is more intended to be used on a permanent physical machine/virtual machine. Therefore, I think Burp Enterprise might be a better fit for you.

Here is a link to documentation detailing more information on our Enterprise edition: https://portswigger.net/burp/documentation/enterprise

Here is a link to our free trial: https://portswigger.net/burp/enterprise/trial

Should you have any more questions regarding Enterprise and fitting this into your workflow, you can email support@portswigger.net

Frank | Last updated: Jul 13, 2023 01:02PM UTC

Thank you for your answer, Dominyque.

I am evaluating the Enterprise version; I see that it has an API very similar to the Pro version. Would it be possible in that version, using the API, to:

1 - Create the site
2 - Setup the scanner and the extensions for that site
3 - Create a schedule to perform the scan
4 - Trigger a call to an endpoint if a critical vulnerability is found, for example

Do you have any repository or example of using the API?

Regards,
Frank

Thomas, PortSwigger Agent | Last updated: Jul 13, 2023 01:33PM UTC

Hi Frank,

The REST API used with Professional can also be used with Burp Suite Enterprise, but it is missing many of the functions that are unique to Enterprise. For interacting with Burp Suite Enterprise, we recommend using our GraphQL endpoint. I have linked the documentation for this below.

https://portswigger.net/burp/extensibility/enterprise/graphql-api/queries.html

Using GraphQL, you can do most of the steps you are asking, excluding calls to specific endpoints, but not in that order. Please refer to the steps below to see how your use case would work in GraphQL.

1 - Create your Scan Configuration(s)
2 - Create the site (including extensions to be used and scan configuration(s))
3 - Create a schedule for the site
4a - Extract issues after scan completion based on severity level/specific issues (instead of calls to an endpoint, you can run this after scan completion)
4b - Setup email recipient for scan completion alert

Please let me know if you have any further questions.
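
An added illustration of step 4a above (not part of the forum thread and not PortSwigger code): wait for a scan to reach a terminal state, then keep only the issues at or above a severity threshold. The status values, the "issues" and "severity" field names, the severity levels and the injected fetch_scan callable are assumptions; in real use fetch_scan would send a GraphQL query to the Enterprise server, and polling is only one assumed way of detecting completion.

```python
import time

# Assumed names: status values, "issues"/"severity" keys and severity levels are
# hypothetical placeholders; map them to the real GraphQL schema before use.
DONE, ABORTED = {"succeeded"}, {"failed", "cancelled"}
RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}

class ScanDidNotComplete(Exception):
    """Raised when a scan fails, is cancelled, or outlives the timeout."""

def wait_for_scan(fetch_scan, scan_id, interval=30.0, timeout=3600.0,
                  sleep=time.sleep, clock=time.monotonic):
    """Poll fetch_scan(scan_id) until the scan reaches a terminal status."""
    deadline = clock() + timeout
    while True:
        scan = fetch_scan(scan_id)
        status = str(scan.get("status", "")).lower()
        if status in DONE:
            return scan
        if status in ABORTED:
            raise ScanDidNotComplete(f"scan {scan_id} ended as {status}")
        if clock() >= deadline:
            raise ScanDidNotComplete(f"scan {scan_id} timed out")
        sleep(interval)

def issues_at_or_above(scan, threshold="high"):
    """Return issues whose severity meets the threshold (step 4a)."""
    floor = RANK[threshold]
    top = max(RANK.values())
    # An unrecognised severity is ranked highest so it is never silently dropped.
    return [i for i in scan.get("issues", [])
            if RANK.get(str(i.get("severity", "")).lower(), top) >= floor]

def replay(responses):
    """Offline stand-in for the API call: returns constructed responses in order."""
    queue = iter(responses)
    return lambda scan_id: next(queue)

# Constructed sample data, not real scanner output.
SAMPLE = [
    {"status": "queued"},
    {"status": "running"},
    {"status": "succeeded", "issues": [
        {"name": "Constructed issue A", "severity": "high"},
        {"name": "Constructed issue B", "severity": "low"},
        {"name": "Constructed issue C", "severity": "urgent"},
    ]},
]

if __name__ == "__main__":
    scan = wait_for_scan(replay(SAMPLE), "scan-1", sleep=lambda s: None)
    for issue in issues_at_or_above(scan, "high"):
        print(issue["severity"], issue["name"])
```

Treating failed and cancelled scans as errors, rather than as "no issues found", keeps an aborted scan from being read as a clean result.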

Frank | Last updated: Jul 13, 2023 09:10PM UTC

Thanks for your help. I have a question: can Burp Enterprise notify an endpoint when a scan is complete without polling the API to find out what's finished? What is the best practice to detect that a scan is finished and read the results, and determine if there are any critical vulnerabilities?

Regards,
Frank

Thomas, PortSwigger Agent | Last updated: Jul 14, 2023 09:59AM UTC