
Use of multiple URLs with plugin: Burp Scan

Govind Sureka Aug 22, 2019 12:53PM UTC

Hello Team,
We are using Jenkins for Continuous Integration of Burp Enterprise. We are using 'Burp Scan' plugin in the Build section of Jenkins Freestyle Project job creation.

When scanning the web application in Burp Enterprise we are able to put 2 URLs for the scan, whereas in the Jenkins plugin, could you please let us know how to use 2 or more URLs?

Thanks,
Govind


Liam Tai-Hogan Aug 23, 2019 01:34PM UTC Support Center agent

Hi Govind

Thanks for your message.

You can add additional URLs by echoing BURP_SCAN_URL.

Please let us know if you need any further assistance.


Govind Sureka Aug 26, 2019 07:20AM UTC
I know we can add a URL by using the option: echoing BURP_SCAN_URL. I want to add 2 URLs in 1 job. Here are the URLs that I want to add; please suggest how that will work.

First URL: https://eamsso.inside.ams1907.com/pub/eam/login.fcc?TYPE=33554433&REALMOID=06-ce399f48-fb0c-4c23-a8f0-353ac90890b0&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-fcutVSTREgezzIIP7A65Xef122oUQ9jiZeJ0jdjaCj%252bCgg%252bZfU2z7G2vW02eiISg7wEEyJU9TiaCFuD%252bCUYYWVn5s%252bIJci1h&TARGET=-SM-https%253a%252f%252fetsweb16.inside.ams1907.com%252f
Second URL: https://etsweb16.inside.ams1907.com/

Thanks,
Govind

Mike Eaton Aug 27, 2019 02:22PM UTC Support Center agent

Hi Govind,

You can add additional URLs by using multiple ‘echo BURP_SCAN_URL’ lines with your required URLs in the command input area of the Jenkins plugin.

We have a blog post which provides information on how to set up different CI integrations with Burp Suite: https://portswigger.net/blog/enterprise-edition-ci-integration

Please let us know if you need any further assistance.


Govind Sureka Sep 26, 2019 10:57AM UTC
Hello Mike,

I am using these two URLs:

https://eamsso.inside.ams1907.com/pub/eam/login.fcc?TYPE=33554433&REALMOID=06-ce399f48-fb0c-4c23-a8f0-353ac90890b0&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=07wTM93aLmTImU5njct6SljwjA5IZlvlEORweURL11bksRhluJw3j45WO2NAjD2mqHUYd0sdJM9Y7R4dosXrIxL23bIP0q5n&TARGET=-SM-https%253a%252f%252fbcc16.inside.ams1907.com%252f

https://bcc16.inside.ams1907.com/home/dashboard

However, Jenkins is giving this error; see the console output. Please suggest how to overcome this.

Jenkins Console:
Started by user XYZ
Building remotely on UFT_EntAutomation_N1 (uft-ent-n1) in workspace C:\Program Files\Jenkins\UFT_EntAutomation_N1\workspace\jenkinsmaster-5\ENT\EntAutomation\Burp_Suite_Jobs\bcc_2_url
[bcc_2_url] $ cmd /c call C:\WINDOWS\TEMP\jenkins7420068844356514790.bat

C:\Program Files\Jenkins\UFT_EntAutomation_N1\workspace\jenkinsmaster-5\ENT\EntAutomation\Burp_Suite_Jobs\bcc_2_url>echo BURP_SCAN_URL=https://eamsso.inside.ams1907.com/pub/eam/login.fcc?TYPE=33554433 & REALMOID=06-ce399f48-fb0c-4c23-a8f0-353ac90890b0 & GUID= & SMAUTHREASON=0 & METHOD=GET & SMAGENTNAME=07wTM93aLmTImU5njct6SljwjA5IZlvlEORweURL11bksRhluJw3j45WO2NAjD2mqHUYd0sdJM9Y7R4dosXrIxL23bIP0q5n & TARGET=-SM-https53a52f52fbcc16.inside.ams1907.com52f
BURP_SCAN_URL=https://eamsso.inside.ams1907.com/pub/eam/login.fcc?TYPE=33554433
'REALMOID' is not recognized as an internal or external command,
operable program or batch file.
'GUID' is not recognized as an internal or external command,
operable program or batch file.
'SMAUTHREASON' is not recognized as an internal or external command,
operable program or batch file.
'METHOD' is not recognized as an internal or external command,
operable program or batch file.
'SMAGENTNAME' is not recognized as an internal or external command,
operable program or batch file.
'TARGET' is not recognized as an internal or external command,
operable program or batch file.

C:\Program Files\Jenkins\UFT_EntAutomation_N1\workspace\jenkinsmaster-5\ENT\EntAutomation\Burp_Suite_Jobs\bcc_2_url>echo BURP_SCAN_URL=https://bcc16.inside.ams1907.com/home/dashboard
BURP_SCAN_URL=https://bcc16.inside.ams1907.com/home/dashboard

C:\Program Files\Jenkins\UFT_EntAutomation_N1\workspace\jenkinsmaster-5\ENT\EntAutomation\Burp_Suite_Jobs\bcc_2_url>exit 9009
Build step 'Execute Windows batch command' marked build as failure
Finished: FAILURE

Mike Eaton Sep 27, 2019 08:05AM UTC Support Center agent

Hi Govind,

Looking at the output from your command, it appears that Windows thinks your URLs are individual commands. This can be resolved by placing your URLs in quotation marks e.g. ‘example.org’.

If you could try adding those to your URLs and trying again it should resolve your issue.

Please let us know if you need any further assistance.


Govind Sureka Sep 27, 2019 10:31AM UTC
Hello Mike,
Thanks for your reply. I did as suggested by you. The job ran but it's not available in Burp Enterprise, which might be because the URL from Jenkins does not match those in Enterprise. Please let me know what change I need to make so that a job triggered by Jenkins is available in Enterprise. Please note that when the URL in the Jenkins job matches the URL in Burp Enterprise, then it shows the scanning in Enterprise.

Console Logs:

Started by user Dasari Rakesh (CVC8DZC)
Building remotely on UFT_EntAutomation_N1 (uft-ent-n1) in workspace C:\Program Files\Jenkins\UFT_EntAutomation_N1\workspace\jenkinsmaster-5\ENT\EntAutomation\Burp_Suite_Jobs\bcc_2_url
[bcc_2_url] $ cmd /c call C:\WINDOWS\TEMP\jenkins3841756890656405065.bat

C:\Program Files\Jenkins\UFT_EntAutomation_N1\workspace\jenkinsmaster-5\ENT\EntAutomation\Burp_Suite_Jobs\bcc_2_url>echo BURP_SCAN_URL=https://eamsso.inside.ams1907.com/pub/eam/login.fcc?TYPE=33554433'REALMOID=06-ce399f48-fb0c-4c23-a8f0-353ac90890b0''GUID=''SMAUTHREASON=0''METHOD=GET''SMAGENTNAME=07wTM93aLmTImU5njct6SljwjA5IZlvlEORweURL11bksRhluJw3j45WO2NAjD2mqHUYd0sdJM9Y7R4dosXrIxL23bIP0q5n''TARGET=-SM-https53a52f52fbcc16.inside.ams1907.com52f'
BURP_SCAN_URL=https://eamsso.inside.ams1907.com/pub/eam/login.fcc?TYPE=33554433'REALMOID=06-ce399f48-fb0c-4c23-a8f0-353ac90890b0''GUID=''SMAUTHREASON=0''METHOD=GET''SMAGENTNAME=07wTM93aLmTImU5njct6SljwjA5IZlvlEORweURL11bksRhluJw3j45WO2NAjD2mqHUYd0sdJM9Y7R4dosXrIxL23bIP0q5n''TARGET=-SM-https53a52f52fbcc16.inside.ams1907.com52f'

C:\Program Files\Jenkins\UFT_EntAutomation_N1\workspace\jenkinsmaster-5\ENT\EntAutomation\Burp_Suite_Jobs\bcc_2_url>echo BURP_SCAN_URL=https://bcc16.inside.ams1907.com/home/dashboard
BURP_SCAN_URL=https://bcc16.inside.ams1907.com/home/dashboard

C:\Program Files\Jenkins\UFT_EntAutomation_N1\workspace\jenkinsmaster-5\ENT\EntAutomation\Burp_Suite_Jobs\bcc_2_url>exit 0
BURP_SCAN_STATUS: initializing
BURP_SCAN_STATUS: crawling
BURP_SCAN_STATUS: auditing

BURP_SCAN_STATUS: succeeded
BURP_SCAN_SUMMARY: requests made: 13270, network errors: 14

Finished: SUCCESS
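
Added example (not part of the original posts and not PortSwigger's code): both console outputs above echo a value that differs from the intended URL, because in a batch file cmd.exe treats `&` as a command separator and expands `%2` as a batch parameter. The Python helper below, whose function names and sample URLs are constructed for illustration, generates `echo BURP_SCAN_URL=` lines with those characters escaped, assuming an unquoted `echo` with delayed expansion off and outside any parenthesized block.

```python
# Added example: build 'echo BURP_SCAN_URL=...' lines for a Jenkins
# "Execute Windows batch command" step so cmd.exe prints the URL unchanged.
# Assumptions: unquoted echo, delayed expansion disabled, not inside ( ... ).

# Characters cmd.exe interprets on an unquoted command line; each is
# neutralised by prefixing a caret.
CARET_ESCAPED = set("^&|<>")


def escape_for_batch_echo(value: str) -> str:
    """Return value escaped so a batch-file `echo` emits it verbatim."""
    out = []
    for ch in value:
        # Quotes switch cmd.exe into a mode where carets are literal, and a
        # line break would start a new batch command: refuse both.
        if ch == '"' or ch.isspace() or ord(ch) < 0x20:
            raise ValueError(f"character {ch!r} is not allowed in a scan URL")
        if ch == "%":
            # In a batch file %2 is positional argument 2; %% is a literal %.
            out.append("%%")
        elif ch in CARET_ESCAPED:
            out.append("^" + ch)
        else:
            out.append(ch)
    return "".join(out)


def burp_scan_url_lines(urls):
    """One 'echo BURP_SCAN_URL=' line per URL, in the order given."""
    return ["echo BURP_SCAN_URL=" + escape_for_batch_echo(u) for u in urls]


# Constructed sample URLs (not the ones from the thread).
SAMPLE_URLS = [
    "https://sso.example.test/login.fcc?TYPE=1&METHOD=GET"
    "&TARGET=-SM-https%253a%252f%252fapp.example.test%252f",
    "https://app.example.test/home/dashboard",
]

if __name__ == "__main__":
    for line in burp_scan_url_lines(SAMPLE_URLS):
        print(line)
```

Paste the printed lines into the batch step and compare the echoed `BURP_SCAN_URL=` value in the Jenkins console with the intended URL before relying on the scan.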

Mike Eaton Sep 30, 2019 09:08AM UTC Support Center agent

Hi Govind,

From the information provided, it looks like your scan succeeded, however, it could be the permissions that your account has in Enterprise that is preventing you from seeing the scan results.

You should contact your system administrator to review your permissions; that should resolve your issue. If not, we can help diagnose further from there.

Please let us know if you need any further assistance.


Govind Sureka Sep 30, 2019 02:41PM UTC
Hello Mike,

If I scan an application with a URL having limited options (without use of ' (single quote)) then the Jenkins job scan is available in Enterprise. If the URL used for scanning contains multiple options by using ' (single quote) then those jobs are not available in Enterprise.

Please let me know how I can share the job details. The URLs under test are available in the UPS network only.

Thanks,
Govind

Mike Eaton Oct 01, 2019 09:33AM UTC Support Center agent

Hi Govind,

Can you provide an example of the URL parameter you are attempting to parse into the Jenkins plugin for Burp Suite Enterprise?


Govind Sureka Oct 01, 2019 11:57AM UTC
Hello Mike,

We are using this URL for scanning:
https://eamsso.inside.ams1907.com/pub/eam/login.fcc?TYPE=33554433&REALMOID=06-ce399f48-fb0c-4c23-a8f0-353ac90890b0&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=07wTM93aLmTImU5njct6SljwjA5IZlvlEORweURL11bksRhluJw3j45WO2NAjD2mqHUYd0sdJM9Y7R4dosXrIxL23bIP0q5n&TARGET=-SM-https%253a%252f%252fbcc16.inside.ams1907.com%252f

Please let me know the solution to use this URL in the Jenkins job so that the scan is available in Enterprise Burp.

Thanks,
Govind

Liam Tai-Hogan Oct 02, 2019 01:34PM UTC Support Center agent

Hi Govind

Have you checked the box for “Display sites generated by the API:” in the Sites and Scan data settings?

Have you checked the Enterprise Site Tree to locate the URL you are scanning?


Govind Sureka Oct 02, 2019 05:59PM UTC
Hello Liam,
Thanks, could you please provide the screenshot for these settings as I don't have access to the settings. I need to request the admin of Burp Enterprise.

Thanks,
Govind

Liam Tai-Hogan Oct 03, 2019 11:00AM UTC Support Center agent

Govind, we can’t send screenshots via the forum. Could you email us with this request to support@portswigger.net? Thanks.

