Advanced Burp Suite Automation

By converting Burp Suite Professional’s session files to XML we were able to automate the analysis of the results with XMLStarlet on the command line.
Using the IBurpExtender interface, we have now automated spidering and scanning in Burp as well:

BurpExtender.java takes full advantage of the IBurpExtender interface and accepts a starting URL, an output name, and an optional cookie string on the command line. This tool adds the URL’s domain to Burp’s scope and begins spidering the site, saving each URL discovered to a file. Every request and reply is passively scanned for issues, and every request with parameters is passed to Burp’s active scanner. Whenever an issue is encountered, a brief description of the severity and name of the issue is output to the command line, and full details are written to a file. Finally, when both spidering and scanning are complete, a session file is saved, allowing an engineer to resume testing and focus on the interesting issues with the intruder and repeater modules. The optional cookie string is used to test content behind a login: the provided cookies are appended to all of Burp’s requests during the testing.
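To make the lifecycle described above concrete, here is an added illustration of an extender written against the legacy (v1.3-era) IBurpExtender callback API, the same one whose Java files sit in the burp subdirectory. This is not the page’s BurpExtender.java and not part of sodapop.zip; it is example code written for this post. Legacy Burp located the extender’s methods by name (hence the “method BurpExtender.… found” lines in the log), so the class does not need an implements clause, and the callback signatures used (includeInScope, sendToSpider, doActiveScan, doPassiveScan, saveState, issueAlert, and the IHttpRequestResponse and IScanIssue getters) are assumed to match that legacy interface. The monitor thread that polls the scan queue and the cookie injection are left out to keep the example short.

```java
import burp.IBurpExtenderCallbacks;
import burp.IHttpRequestResponse;
import burp.IScanIssue;

import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.io.PrintWriter;
import java.net.URL;

// Illustrative extender for the legacy Burp API (assumed v1.3.x signatures).
// Legacy Burp looks these methods up by name, so no "implements" is required.
public class BurpExtender {
    private IBurpExtenderCallbacks callbacks;
    private URL startUrl;
    private String outName;          // base name for the .urls / .issues / .zip outputs
    private PrintWriter urlLog;
    private PrintWriter issueLog;

    // Called first, with the arguments that follow the Burp jar on the java command line.
    public void setCommandLineArgs(String[] args) {
        if (args.length < 2) {
            System.err.println("Usage: URL OUTNAME {COOKIE STRING}");
            System.exit(1);
        }
        try {
            // Accept a bare host name as well as a full URL.
            String u = args[0].startsWith("http") ? args[0] : "http://" + args[0] + "/";
            startUrl = new URL(u);
            outName = args[1];
            urlLog = new PrintWriter(new FileWriter(outName + ".urls"), true);
            issueLog = new PrintWriter(new FileWriter(outName + ".issues"), true);
        } catch (IOException e) {
            throw new RuntimeException("cannot initialise extender: " + e, e);
        }
    }

    // Called once Burp is up: put the target in scope and start the spider.
    public void registerExtenderCallbacks(IBurpExtenderCallbacks cb) {
        callbacks = cb;
        try {
            callbacks.issueAlert("Adding " + startUrl.getHost() + " to scope, spider and scanner");
            callbacks.includeInScope(startUrl);
            callbacks.sendToSpider(startUrl);
        } catch (Exception e) {
            callbacks.issueAlert("registerExtenderCallbacks: " + e);
        }
    }

    // Called for every request and response handled by any Burp tool.
    public void processHttpMessage(String toolName, boolean messageIsRequest,
                                   IHttpRequestResponse msg) {
        if (!"spider".equals(toolName)) return;   // react only to our own spidering
        try {
            boolean https = "https".equalsIgnoreCase(msg.getProtocol());
            if (messageIsRequest) {
                URL url = msg.getUrl();
                urlLog.println(url);              // record every URL the spider touches
                // Only requests carrying parameters (query string or body) go to the active scanner.
                if (url.getQuery() != null || hasBody(msg.getRequest())) {
                    callbacks.doActiveScan(msg.getHost(), msg.getPort(), https, msg.getRequest());
                }
            } else {
                // Responses give the passive scanner both halves of the exchange.
                callbacks.doPassiveScan(msg.getHost(), msg.getPort(), https,
                        msg.getRequest(), msg.getResponse());
            }
        } catch (Exception e) {
            callbacks.issueAlert("processHttpMessage: " + e);
        }
    }

    // Called by the scanner as each issue is found: one-line summary to the console,
    // full detail to the .issues file.
    public void newScanIssue(IScanIssue issue) {
        System.out.println("scanner: " + issue.getSeverity() + " "
                + issue.getIssueName() + ": " + issue.getUrl());
        issueLog.println(issue.getSeverity() + "\t" + issue.getIssueName() + "\t"
                + issue.getUrl() + "\t" + issue.getIssueDetail());
    }

    // Called on shutdown: persist the session so a tester can resume in the GUI.
    public void applicationClosing() {
        try {
            callbacks.saveState(new File(outName + ".zip"));
        } catch (Exception e) {
            System.err.println("saveState failed: " + e);
        }
        urlLog.close();
        issueLog.close();
    }

    // True when the request carries a message body after the header block.
    private static boolean hasBody(byte[] request) {
        String s = new String(request, java.nio.charset.StandardCharsets.ISO_8859_1);
        int sep = s.indexOf("\r\n\r\n");
        return sep >= 0 && sep + 4 < s.length();
    }
}
```

Filtering on toolName keeps the extender from re-scanning the scanner’s own traffic, which would otherwise feed back into the queue; the parameter check mirrors the rule in the text that only requests with something to inject into are worth an active scan.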

sodapop.sh takes care of the burping for you. It handles the compilation and conversion of BurpExtender.java into a jar, and uses the -Djava.awt.headless=true command-line flag introduced in Burp v1.3.08 to run the scanning completely headless, allowing you to offload the bulk of the traffic to an offsite box. It also handles passing the command-line parameters to Burp Suite, along with the right arguments to automate the testing.

To run these tools, you need a licensed copy of Burp Suite Professional, and to compile BurpExtender.java you also need IBurpExtender’s java files from http://portswigger.net/misc/ in a burp subdirectory. For convenience, I have packaged everything you need, including the compiled class and jar file into the following archive sodapop.zip. Unzip this into your Burp Suite directory and run chmod +x ./sodapop.sh; ./sodapop.sh to get started. Here’s an example:

$ ./sodapop.sh
...
Automated Burp Suite spidering and scanning tool

Usage: URL OUTNAME {COOKIE STRING}
	URL = Start URL to start spidering from
	OUTNAME = Filename w/o extension to save files
	Cookie = Optional cookie string to append to all HTTP requests

$ ./sodapop.sh www.example.com example "CookieMonster=LikesCookies"
suite: method BurpExtender.processProxyMessage() found
suite: method BurpExtender.processHttpMessageMethod() found
suite: method BurpExtender.registerExtenderCallbacks() found
suite: method BurpExtender.setCommandLineArgs() found
suite: method BurpExtender.applicationClosing() found
suite: method BurpExtender.newScanIssue() found
proxy: proxy service started on port 8080
scanner: live active scanning is enabled - any in-scope requests made via Burp Proxy will be scanned
suite: Attempting to restore state from 'sodacan.zip'
proxy: proxy service stopped on port 8080
proxy: proxy service started on port 8080
scanner: live active scanning is enabled - any in-scope requests made via Burp Proxy will be scanned
suite: Adding www.example.com to scope, spider and scanner
suite: Including 'Cookie: CookieMonster=LikesCookies' to all in-scope requests. This will not appear in Burp's logs.
suite: Starting spider on http://www.example.com:80/ at Mon Sep 20 9:00:01 PDT 2010
suite: Monitor thread started at Mon Sep 20 9:00:05 PDT 2010 and waiting for spider to complete
suite: Monitor thread started and waiting for spider to complete
scanner: Low Cookie without HttpOnly flag set: http:/www.example.com:80/
scanner: High Cleartext submission of password: http://www.example.com:80/login/
scanner: Low Password field with autocomplete enabled: http://www.example.com:80/login/
scanner: High XPath injection: http://www.example.com:80/api/access/
suite: Spidering complete at Mon Sep 20 9:10:01 PDT 2010, waiting for scanning completion
suite: 18 remaining objects in scan queue at Mon Sep 20 9:10:05 PDT 2010
suite: 14 remaining objects in scan queue at Mon Sep 20 9:10:35 PDT 2010
scanner: High SQL injection: http://www.example.com:80/shoppingcart/
suite: 9 remaining objects in scan queue at Mon Sep 20 9:11:05 PDT 2010
suite: 6 remaining objects in scan queue at Mon Sep 20 9:11:35 PDT 2010
scanner: High XSS injection: http://www.example.com:80/contactus/
scanner: High XSS injection: http://www.example.com:80/search/
suite: 3 remaining objects in scan queue at Mon Sep 20 9:12:05 PDT 2010
suite: Scanning complete at Mon Sep 20 9:12:35 PDT 2010. Saving session results to example.zip
proxy: proxy service stopped on port 8080
Deleting temporary files - please wait ... done.

$ file example.*
example.issues: ASCII English text, with very long lines
example.urls:   ASCII text
example.zip:    Zip archive data, at least v2.0 to extract
$ unzip -l example.zip
Archive:  example.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
    38021  2010-09-20 09:40   burp
---------                     -------
    38021                     1 file

Happy hacking: sodapop.zip

The Shell Shakespear (Paul Haas)

Posted by The Shell Shakespear in Redspin Labs
