Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

How to scan all urls of a webpage from command line.

Anjani | Last updated: May 31, 2018 09:53AM UTC

Hi Team, I have used carbonate to san url from the command line where i can pass one url at a time and it scans the url and gives me the HTML report. Can i scan all the urls of a webpage from command line at a time. Please help. Thanks and Regards, Anjani.

PortSwigger Agent | Last updated: May 31, 2018 10:03AM UTC

Hi Anjani, Thanks for your message. When you give Carbonator a URL, it will do a Spider to discover all the URLs on that site, then scan all of them. What I recommend you do is run Burp and Carbonator, but NOT in headless mode. When Carbonator is finished, you can look in the Burp UI - especially Site Map and Scan Queue - to see what it has done.

Burp User | Last updated: May 31, 2018 11:14AM UTC

Hi Paul, Thanks for your reply. It was a great help. I tried without headless and observed result. It scanned the file which i have mentioned below in the command line. I am using this command in my simple command prompt : java -jar -Xmx2g -Djava.awt.headless=true "D:\URLs\Security Testing\burpsuite_pro_1.7.33.jar" --config-file="D:\URLs\Security Testing\t.json" http localhost 8088 /WebApplication1/web/login.jsp /folder I am not sure how the carbonator is being in this. Will carbonator be called automatically internally if it is present in the Extender list. If i have a folder where i have multiple .jso files and i want to scan all of them in one go then how to do that. Please help. Thanks and Regards, Anjani.

PortSwigger Agent | Last updated: May 31, 2018 11:16AM UTC

Hi Anjani, Thanks for following up. Carbonator is invoked automatically when you start Burp, and if it sees command line arguments it will start a scan. Instead of telling Carbonator a page, you're better giving it a prefix, like /WebApplication1/web/ It should then find everything under the prefix and scan it all. We're aware that Carbonator is quite limited. We're working on improvements to Burp that will implement similar - but much improved - functionality within core Burp. Please let us know if you need any further assistance.

Burp User | Last updated: May 31, 2018 01:37PM UTC

Hi Paul, Thanks for your reply. I tried the below command : java -jar -Xmx2g -Djava.awt.headless=true "D:\URLs\Security Testing\burpsuite_pro_1.7.33.jar" --config-file="D:\URLs\Security Testing\t.json" http localhost 8088 /WebApplication1/web/ /folder even tried : java -jar -Xmx2g -Djava.awt.headless=true "D:\URLs\Security Testing\burpsuite_pro_1.7.33.jar" --config-file="D:\URLs\Security Testing\t.json" http localhost 8088 /WebApplication1/web/ It is not scanning any file. I have 2 .jsp files in the path /WebApplication1/web/ Please help. Thanks and Regards, Anjani.

PortSwigger Agent | Last updated: May 31, 2018 01:42PM UTC