Burp Suite User Forum

Unable to run burp using CLI headless mode.

Ankit | Last updated: Feb 28, 2020 12:32PM UTC

Hey! I am struggling to generate a report with Burp using the CLI. It works fine when I run Burp Suite through the GUI. But when I try running it through the CLI in headless mode, it just does something and shuts down, showing that it is deleting some file. I am running it like this:

java -Djava.awt.headless=true -jar /home/ankit/burpsuite/burpsuite_pro_v2020.1.jar http localhost 80/folder

I have a few questions:

1. What should we replace this http localhost 80/folder with if we have to scan a website, say https://codepark.in?
2. Do I need to have any extension installed? I have Carbonator installed already.
3. Why is it not generating a report in the Burp Suite path?

Hannah, PortSwigger Agent | Last updated: Feb 28, 2020 01:37PM UTC

Hi Ankit

Thank you for your message. Can you tell me whether you are using the Burp Suite command-line arguments and REST API (https://portswigger.net/support/using-burp-suites-command-line-arguments, https://portswigger.net/blog/burps-new-rest-api), or some other method?

Cheers
Hannah Law
Technical Product Specialist
PortSwigger Web Security

Ankit | Last updated: Feb 28, 2020 03:29PM UTC

I am using the Burp Suite command-line arguments.

Ankit | Last updated: Feb 28, 2020 04:04PM UTC

Hey! I am not using the REST API in this case. I am trying to scan and generate a report using Carbonator.

Hannah, PortSwigger Agent | Last updated: Feb 28, 2020 04:29PM UTC

Hi Ankit

It looks like Carbonator may be broken with newer versions of Burp (https://github.com/integrissecurity/carbonator/issues/15). Extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.

To fix Carbonator, you would either have to get in contact with the authors to ask them to fix it or fork their repository to fix it yourself.

You could try using Burp's native command-line arguments to start Burp and then interact with it using the REST API (User options > Misc > REST API).

Cheers
Hannah Law
Technical Product Specialist
PortSwigger Web Security

Ankit | Last updated: Feb 28, 2020 04:52PM UTC

OK, can we automate the scanning process using the Burp REST API? Like, can we log in to Burp Suite, perform the scanning process and generate the report using the CLI? If yes, can you recommend me some blog to follow, because I am new to Burp Suite.

Ankit | Last updated: Feb 29, 2020 10:59AM UTC

Hii!! I am creating my own extension api. Do we have a callback method to send our seed url for auditing.

Ankit | Last updated: Feb 29, 2020 11:33AM UTC

Basically I want to do both crawl and audit for my URL. But as of now it is only crawling, not auditing; as I can see, when Burp Suite launches the audit is disabled.

Hannah, PortSwigger Agent | Last updated: Mar 02, 2020 09:46AM UTC

Hi Ankit

So to begin with, you would need to launch Burp using the command line arguments. You would need to make sure that your REST API is up and running, after enabling it as part of your user options. You can check that it's up by navigating to the port that it's on in your browser.

From there, if you click the /scan endpoint, a popup should appear with configuration options. From here you can configure what is to be scanned, as well as various other options. If you copy that curl command and issue it (or click "Send request"), that should trigger a scan to start running in Burp.

A scan consists of both a crawl and audit. So first Burp will crawl your site to find as many pages as it can, then it will audit those pages.

Once completed, you need a report generated. You cannot automatically generate a report from the REST API, so you would need to either go into Burp to retrieve your report, utilize an existing extension that can automatically send your results to an external entity or write your own extension to, once the scan has finished, collate the issues and generate a report.

With regards to "I am creating my own extension api. Do we have a callback method to send our seed url for auditing.", you would probably be looking at the function "doActiveScan" in IBurpExtenderCallbacks.

Please let us know if you need any further assistance.

Cheers
Hannah Law
Technical Product Specialist
PortSwigger Web Security
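
The workflow described in the reply above (start a scan through the REST API's /scan endpoint, wait for the crawl and audit to finish, then collate the issues yourself because the API does not produce a report), as an added Python example that is not part of the original thread and is not PortSwigger's code. The address 127.0.0.1:1337 without an API key, the v0.1 path, the Location header carrying the task id, and the response field names and severity values are assumptions to check against your own instance's REST API page; the target URL is a placeholder.

```python
import json
import time
import urllib.request

# Assumptions (not from the thread): API address without a key, the v0.1 layout,
# and the JSON field names and severity values used below.
API = "http://127.0.0.1:1337/v0.1"
RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}

def start_scan(url, api=API):
    """POST the seed URL to /scan; take the task id from the Location header."""
    body = json.dumps({"urls": [url]}).encode()
    req = urllib.request.Request(f"{api}/scan", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.headers["Location"].rsplit("/", 1)[-1]

def wait_for_scan(task_id, api=API, interval=15, max_polls=960):
    """Poll /scan/<id> until the crawl and the audit have both finished."""
    for _ in range(max_polls):
        with urllib.request.urlopen(f"{api}/scan/{task_id}", timeout=30) as resp:
            status = json.load(resp)
        if status.get("scan_status") in ("succeeded", "failed"):
            return status
        time.sleep(interval)
    raise TimeoutError(f"scan {task_id} still running after {max_polls} polls")

def collate_issues(status):
    """Drop repeated issue events and order the rest by severity, highest first."""
    seen = {}
    for event in status.get("issue_events", []):
        issue = event.get("issue", {})
        key = (issue.get("name"), issue.get("origin"), issue.get("path"))
        seen.setdefault(key, issue)
    return sorted(seen.values(),
                  key=lambda i: (RANK.get(i.get("severity"), 4), i.get("name") or ""))

def render_report(status):
    """Plain-text report: one line per distinct issue."""
    lines = [f"Scan status: {status.get('scan_status')}"]
    for i in collate_issues(status):
        lines.append(f"[{str(i.get('severity', '?')).upper()}] {i.get('name')} "
                     f"({i.get('confidence', '?')}) {i.get('origin', '')}{i.get('path', '')}")
    return "\n".join(lines)

if __name__ == "__main__":
    final = wait_for_scan(start_scan("https://example.test/"))  # placeholder target
    print(render_report(final))
```

Run it only after Burp has been launched from the command line with the REST API enabled in the user options, and only against a site you are authorised to scan.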

Ankit | Last updated: Mar 02, 2020 08:05PM UTC

Hiii!! Thank you so much for the response. I just had one more question: can we add the extension that I have created to Burp Suite using the command line? As I want to run everything in Docker, is there any way to do that? If I try to upload my jar file on GitHub and try to pull it at runtime, will that work? I have added the extension manually as of now.

Hannah, PortSwigger Agent | Last updated: Mar 03, 2020 11:48AM UTC

If you have the extension loaded in manually, it should stay loaded in when you're using it. If you use the CLI to print the diagnostics on startup, it should tell you what extensions you have installed. Any non-BAppStore extensions should appear as "Custom".

Ankit | Last updated: Mar 03, 2020 08:10PM UTC

Thank you, I have figured out the way using the user config file. Is there any way to run Burp Pro in headless mode inside Docker?

Ankit | Last updated: Mar 04, 2020 09:45AM UTC

Like, I have Burp Suite up and running on my local machine with my configured extension. Can I package this into Docker?

Hannah, PortSwigger Agent | Last updated: Mar 04, 2020 09:47AM UTC

This is a fairly detailed blog post on how to run Burp in a Docker container: https://www.marcolancini.it/2018/blog-docker-burp/ You would need to change the command used to launch Burp in the example to specify all of your command-line arguments.
