
How to scan all urls of a webpage from command line.

Anjani Deo May 31, 2018 09:53AM UTC

Hi Team,

I have used Carbonator to scan a URL from the command line, where I can pass one URL at a time and it scans the URL and gives me the HTML report. Can I scan all the URLs of a webpage from the command line at a time?

Please help.

Thanks and Regards,
Anjani.


Paul Johnston May 31, 2018 10:05AM UTC Support Center agent

Hi Anjani,

Thanks for your message. When you give Carbonator a URL, it will do a Spider to discover all the URLs on that site, then scan all of them. What I recommend you do is run Burp and Carbonator, but NOT in headless mode. When Carbonator is finished, you can look in the Burp UI – especially Site Map and Scan Queue – to see what it has done.


Anjani Deo May 31, 2018 11:14AM UTC

Hi Paul,

Thanks for your reply. It was a great help.

I tried without headless and observed the result. It scanned the file which I have mentioned below in the command line.

I am using this command in my simple command prompt: java -jar -Xmx2g -Djava.awt.headless=true "D:\URLs\Security Testing\burpsuite_pro_1.7.33.jar" --config-file="D:\URLs\Security Testing\t.json" http localhost 8088 /WebApplication1/web/login.jsp /folder

I am not sure how Carbonator is being used in this. Will Carbonator be called automatically internally if it is present in the Extender list?

If I have a folder where I have multiple .jso files and I want to scan all of them in one go, then how do I do that?

Please help.

Thanks and Regards,
Anjani.

Paul Johnston May 31, 2018 01:03PM UTC Support Center agent

Hi Anjani,

Thanks for following up. Carbonator is invoked automatically when you start Burp, and if it sees command line arguments it will start a scan.

Instead of telling Carbonator a page, you’re better giving it a prefix, like /WebApplication1/web/. It should then find everything under the prefix and scan it all.

We’re aware that Carbonator is quite limited. We’re working on improvements to Burp that will implement similar – but much improved – functionality within core Burp.

Please let us know if you need any further assistance.


Anjani Deo May 31, 2018 01:37PM UTC

Hi Paul,

Thanks for your reply. I tried the below command:

java -jar -Xmx2g -Djava.awt.headless=true "D:\URLs\Security Testing\burpsuite_pro_1.7.33.jar" --config-file="D:\URLs\Security Testing\t.json" http localhost 8088 /WebApplication1/web/ /folder

I even tried: java -jar -Xmx2g -Djava.awt.headless=true "D:\URLs\Security Testing\burpsuite_pro_1.7.33.jar" --config-file="D:\URLs\Security Testing\t.json" http localhost 8088 /WebApplication1/web/

It is not scanning any file. I have 2 .jsp files in the path /WebApplication1/web/

Please help.



Thanks and Regards,
Anjani.

Paul Johnston Jun 01, 2018 03:01PM UTC Support Center agent

Hi Anjani,

Ok, I think you are hitting the limits of Carbonator here. The only way would be to invoke Carbonator multiple times from a batch file or shell script.

You could try Headless Burp. This is similar to Carbonator but works a little differently:

- https://github.com/NetsOSS/headless-burp

Failing that, you’ll either have to code your own extension, or wait for this functionality to be part of core Burp.
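
The approach suggested in the last reply, invoking Burp and Carbonator once per target from a script, written in Python as an added example (not part of the thread and not Carbonator's or PortSwigger's code). The jar, config file, host and port are copied from the commands posted above; `home.jsp` is a hypothetical second page, and the script assumes each Burp process exits when its scan finishes.

```python
"""Run Burp + Carbonator once per target path, one process at a time (added example)."""
import subprocess
import sys

# Values copied from the commands in the thread; adjust for your own install.
BURP_JAR = r"D:\URLs\Security Testing\burpsuite_pro_1.7.33.jar"
CONFIG_FILE = r"D:\URLs\Security Testing\t.json"
SCHEME, HOST, PORT = "http", "localhost", "8088"

# Constructed sample list: login.jsp is from the thread, home.jsp is hypothetical.
PATHS = ["/WebApplication1/web/login.jsp", "/WebApplication1/web/home.jsp"]


def clean_paths(paths):
    """Strip whitespace, drop blanks and duplicates (keeping order), reject relative paths."""
    seen, out = set(), []
    for raw in paths:
        p = raw.strip()
        if not p or p in seen:
            continue
        if not p.startswith("/"):
            raise ValueError(f"path must start with '/': {p!r}")
        seen.add(p)
        out.append(p)
    return out


def build_command(path, headless=True):
    """Argument list in the same order as the second command posted in the thread."""
    cmd = ["java", "-jar", "-Xmx2g"]
    if headless:
        cmd.append("-Djava.awt.headless=true")
    cmd += [BURP_JAR, f"--config-file={CONFIG_FILE}", SCHEME, HOST, PORT, path]
    return cmd


def run_all(paths, runner=subprocess.call):
    """Run one Burp process per path, sequentially; return {path: exit code}."""
    results = {}
    for path in clean_paths(paths):
        # Passing a list (not a string) avoids quoting problems with the
        # spaces in "Security Testing".
        results[path] = runner(build_command(path))
    return results


if __name__ == "__main__":
    failed = [p for p, rc in run_all(PATHS).items() if rc != 0]
    sys.exit(1 if failed else 0)
```

Running with `headless=False` in `build_command` keeps the Burp UI available, so Site Map and Scan Queue can be checked after each run as recommended earlier in the thread.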

