
How to scan all URLs of a webpage from the command line

Anjani Deo May 31, 2018 09:53AM UTC

Hi Team,

I have used Carbonator to scan a URL from the command line, where I can pass one URL at a time and it scans the URL and gives me the HTML report. Can I scan all the URLs of a webpage from the command line at one time?

Please help.

Thanks and Regards,
Anjani.


Paul Johnston May 31, 2018 10:05AM UTC Support Center agent

Hi Anjani,

Thanks for your message. When you give Carbonator a URL, it will do a Spider to discover all the URLs on that site, then scan all of them. What I recommend you do is run Burp and Carbonator, but NOT in headless mode. When Carbonator is finished, you can look in the Burp UI – especially Site Map and Scan Queue – to see what it has done.


Anjani Deo May 31, 2018 11:14AM UTC
Hi Paul,

Thanks for your reply. It was a great help.

I tried without headless and observed the result. It scanned the file which I have mentioned below in the command line.

I am using this command in my simple command prompt : java -jar -Xmx2g -Djava.awt.headless=true "D:\URLs\Security Testing\burpsuite_pro_1.7.33.jar" --config-file="D:\URLs\Security Testing\t.json" http localhost 8088 /WebApplication1/web/login.jsp /folder

I am not sure how the Carbonator is being in this. Will Carbonator be called automatically internally if it is present in the Extender list?

If I have a folder where I have multiple .jso files and I want to scan all of them in one go, then how do I do that?

Please help.

Thanks and Regards,
Anjani.

Paul Johnston May 31, 2018 01:03PM UTC Support Center agent

Hi Anjani,

Thanks for following up. Carbonator is invoked automatically when you start Burp, and if it sees command line arguments it will start a scan.

Instead of telling Carbonator a page, you’re better giving it a prefix, like /WebApplication1/web/. It should then find everything under the prefix and scan it all.

We’re aware that Carbonator is quite limited. We’re working on improvements to Burp that will implement similar – but much improved – functionality within core Burp.

Please let us know if you need any further assistance.


Anjani Deo May 31, 2018 01:37PM UTC
Hi Paul,

Thanks for your reply. I tried the command below:

java -jar -Xmx2g -Djava.awt.headless=true "D:\URLs\Security Testing\burpsuite_pro_1.7.33.jar" --config-file="D:\URLs\Security Testing\t.json" http localhost 8088 /WebApplication1/web/ /folder

I even tried: java -jar -Xmx2g -Djava.awt.headless=true "D:\URLs\Security Testing\burpsuite_pro_1.7.33.jar" --config-file="D:\URLs\Security Testing\t.json" http localhost 8088 /WebApplication1/web/

It is not scanning any file. I have 2 .jsp files in the path /WebApplication1/web/

Please help.



Thanks and Regards,
Anjani.

Paul Johnston Jun 01, 2018 03:01PM UTC Support Center agent

Hi Anjani,

Ok, I think you are hitting the limits of Carbonator here. The only way would be to invoke Carbonator multiple times from a batch file or shell script.

You could try Headless Burp. This is similar to Carbonator but works a little differently:

- https://github.com/NetsOSS/headless-burp

Failing that, you’ll either have to code your own extension, or wait for this functionality to be part of core Burp.
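
The "invoke Carbonator multiple times from a batch file or shell script" suggestion above, sketched as an added example that is not part of the original thread and is not Carbonator's or Burp's own code. Assumptions: the argument order (scheme, host, port, path) is copied from the commands posted in the thread, the jar and config locations are placeholders, each invocation is assumed to exit when its scan finishes, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Argument order (scheme host port path) is
# copied from the commands posted above; jar/config locations are placeholders.
BURP_JAR="${BURP_JAR:-/path/to/burpsuite_pro.jar}"   # placeholder, absolute path
BURP_CONFIG="${BURP_CONFIG:-/path/to/t.json}"        # placeholder, absolute path
SCHEME="${SCHEME:-http}" HOST="${HOST:-localhost}" PORT="${PORT:-8088}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only; 0 = launch Burp

# Accept only absolute URL paths built from unreserved characters and "/",
# so a path from a list file cannot smuggle in extra arguments or shell syntax.
valid_path() {
  case "$1" in /*) ;; *) return 1 ;; esac
  case "$1" in *[!A-Za-z0-9/._~-]*) return 1 ;; esac
}

# Map a URL path to a per-run working directory name.
run_dir_for() {
  local name
  name=$(printf '%s' "$1" | tr -c 'A-Za-z0-9._-' '_')
  printf 'runs/%s\n' "${name#_}"
}

# Run (or print) one Burp invocation for one path.
scan_one() {
  local url_path dir
  url_path="$1"
  valid_path "$url_path" || { echo "skipping invalid path: $url_path" >&2; return 2; }
  dir=$(run_dir_for "$url_path")
  set -- java -jar -Xmx2g -Djava.awt.headless=true "$BURP_JAR" \
      "--config-file=$BURP_CONFIG" "$SCHEME" "$HOST" "$PORT" "$url_path"
  if [ "$DRY_RUN" = 1 ]; then echo "(cd $dir && $*)"; return 0; fi
  # A separate working directory per run keeps any files written relative to
  # the current directory apart (the thread does not say where reports go).
  mkdir -p "$dir" && ( cd "$dir" && "$@" )
}

# Scan every path in turn; the return value is the number of failed runs.
scan_all() {
  local failed p
  failed=0
  for p in "$@"; do
    scan_one "$p" || failed=$((failed + 1))
  done
  return "$failed"
}

if [ "$#" -gt 0 ]; then scan_all "$@"; fi
```

With the default `DRY_RUN=1` the script only prints the command it would run for each path given as an argument; set `DRY_RUN=0` once the printed commands look right.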

