
Advanced Burp Suite Automation

By converting Burp Suite Professional’s session files to XML we were able to automate the analysis of the results with XMLStarlet on the command line.
Using the IBurpExtender interface, we have now automated spidering and scanning in Burp as well: takes full advantage of the IBurpExtender interface and accepts a starting URL, an output name, and an optional cookie string on the command line. This tool adds the URL’s domain to Burp’s scope and begins spidering the site, saving each URL discovered to a file. Every request and reply is passively scanned for issues, and every request with parameters is passed to Burp’s active scanner. Whenever an issue is encountered, a brief description of its severity and name is printed to the command line, and full details are written to a file. Finally, when both spidering and scanning are complete, a session file is saved, allowing an engineer to resume testing and focus on the interesting issues with the Intruder and Repeater modules. The optional cookie string is used to test content behind a login; the provided cookies are appended to all of Burp’s requests during testing.

takes care of the burping for you. It handles the compilation and conversion of into a jar, and uses the headless mode (the -Djava.awt.headless=true command-line flag) introduced in Burp v1.3.08 to run the scanning completely headless, allowing you to offload the bulk of the traffic to an offsite box. It also handles passing command-line parameters to Burp Suite, as well as the right arguments to automate the testing.
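As an added example (not the author's extender, and written against the legacy burp.IBurpExtender interface this post describes rather than the current extender API), here is a minimal extender that does the core of the above: scope the target, spider it, active-scan parameterised requests, print each issue as it arrives and save the session on exit. The callback names and signatures are from my recollection of the 1.3/1.4-era API and are an assumption, as are the output file names; cookie injection and the scan-queue monitor thread are left out.

```java
package burp;
import java.io.File;
import java.io.FileWriter;
import java.net.URL;
// Added example (not the author's extender): a minimal headless spider-and-scan driver for the
// legacy Burp 1.3/1.4-era burp.IBurpExtender interface; callback signatures are as I recall them.
public class BurpExtender implements IBurpExtender {
    private IBurpExtenderCallbacks callbacks;
    private String startUrl, outName = "burp";   // arguments 1 and 2: start URL, output prefix
    // Burp hands the extra command-line arguments (URL OUTNAME [Cookie]) to this method.
    public void setCommandLineArgs(String[] args) {
        if (args.length > 0) startUrl = args[0];
        if (args.length > 1) outName = args[1];
    }
    public void registerExtenderCallbacks(IBurpExtenderCallbacks cb) {
        callbacks = cb;
        try {
            URL url = new URL(startUrl);
            cb.includeInScope(url);   // scope keeps the spider and scanner on the target only
            cb.sendToSpider(url);
            System.out.println("suite: Starting spider on " + url);
        } catch (Exception e) { System.err.println("suite: usage: URL OUTNAME [Cookie]: " + e); }
    }
    // Log every in-scope spider request; hand those carrying parameters to the active scanner.
    public void processHttpMessage(String toolName, boolean isRequest, IHttpRequestResponse msg) {
        if (!isRequest || !"spider".equals(toolName)) return;   // assumed lower-case tool names
        try {
            URL url = msg.getUrl();
            if (!callbacks.isInScope(url)) return;
            append(".urls", url.toString());
            byte[] req = msg.getRequest();
            if (url.getQuery() != null || new String(req, "ISO-8859-1").startsWith("POST "))
                callbacks.doActiveScan(msg.getHost(), msg.getPort(), "https".equalsIgnoreCase(msg.getProtocol()), req);
        } catch (Exception e) { System.err.println("suite: " + e); }
    }
    // One-line summary on the console, full detail appended to OUTNAME.issues.
    public void newScanIssue(IScanIssue issue) {
        String summary = issue.getSeverity() + " " + issue.getIssueName() + ": " + issue.getUrl();
        System.out.println("scanner: " + summary);
        append(".issues", summary + "\t" + issue.getIssueDetail());
    }
    // Save the session on exit so an engineer can resume in Repeater or Intruder.
    public void applicationClosing() {
        try { callbacks.saveState(new File(outName + ".zip")); } catch (Exception e) { System.err.println("suite: " + e); }
    }
    private void append(String suffix, String line) {
        try (FileWriter w = new FileWriter(outName + suffix, true)) { w.write(line + "\n"); } catch (Exception e) { System.err.println("suite: " + e); }
    }
}
```

Compile it with Burp's interface sources on the classpath, then start Burp headless with the extender jar ahead of it, e.g. java -Djava.awt.headless=true -classpath extender.jar:burp.jar burp.StartBurp URL OUTNAME, so the trailing arguments reach setCommandLineArgs.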

To run these tools, you need a licensed copy of Burp Suite Professional, and to compile you also need IBurpExtender’s java files from in a burp subdirectory. For convenience, I have packaged everything you need, including the compiled class and jar file, into the following archive. Unzip this into your Burp Suite directory and run chmod +x ./; ./ to get started. Here’s an example:

$ ./
Automated Burp Suite spidering and scanning tool

	URL = Start URL to start spidering from
	OUTNAME = Filename w/o extension to save files
	Cookie = Optional cookie string to append to all HTTP requests

$ ./ example "CookieMonster=LikesCookies"
suite: method BurpExtender.processProxyMessage() found
suite: method BurpExtender.processHttpMessageMethod() found
suite: method BurpExtender.registerExtenderCallbacks() found
suite: method BurpExtender.setCommandLineArgs() found
suite: method BurpExtender.applicationClosing() found
suite: method BurpExtender.newScanIssue() found
proxy: proxy service started on port 8080
scanner: live active scanning is enabled - any in-scope requests made via Burp Proxy will be scanned
suite: Attempting to restore state from ''
proxy: proxy service stopped on port 8080
proxy: proxy service started on port 8080
scanner: live active scanning is enabled - any in-scope requests made via Burp Proxy will be scanned
suite: Adding to scope, spider and scanner
suite: Including 'Cookie: CookieMonster=LikesCookies' to all in-scope requests. This will not appear in Burp's logs.
suite: Starting spider on at Mon Sep 20 9:00:01 PDT 2010
suite: Monitor thread started at Mon Sep 20 9:00:05 PDT 2010 and waiting for spider to complete
suite: Monitor thread started and waiting for spider to complete
scanner: Low Cookie without HttpOnly flag set: http:/
scanner: High Cleartext submission of password:
scanner: Low Password field with autocomplete enabled:
scanner: High XPath injection:
suite: Spidering complete at Mon Sep 20 9:10:01 PDT 2010, waiting for scanning completion
suite: 18 remaining objects in scan queue at Mon Sep 20 9:10:05 PDT 2010
suite: 14 remaining objects in scan queue at Mon Sep 20 9:10:35 PDT 2010
scanner: High SQL injection:
suite: 9 remaining objects in scan queue at Mon Sep 20 9:11:05 PDT 2010
suite: 6 remaining objects in scan queue at Mon Sep 20 9:11:35 PDT 2010
scanner: High XSS injection:
scanner: High XSS injection:
suite: 3 remaining objects in scan queue at Mon Sep 20 9:12:05 PDT 2010
suite: Scanning complete at Mon Sep 20 9:12:35 PDT 2010. Saving session results to
proxy: proxy service stopped on port 8080
Deleting temporary files - please wait ... done.

$ file example.*
example.issues: ASCII English text, with very long lines
example.urls:   ASCII text    Zip archive data, at least v2.0 to extract
$ unzip -l
  Length      Date    Time    Name
---------  ---------- -----   ----
    38021  2010-09-20 09:40   burp
---------                     -------
    38021                     1 file

Happy hacking:

The Shell Shakespear (Paul Haas)

This Post Has One Comment
  1. Hey Paul, great work! I was directed here by a Jason Haddix article I read. I want to use this script but wondering if it will work with the new version of Burp. If so, can you please explain the exact steps to get it functioning properly. I am running Burp 1.7.4 I believe on Kali Sana.

