Burp Suite User Forum


Automating Burp scan

hanu | Last updated: Mar 31, 2015 04:46PM UTC

Hi, we are using Burp Suite Pro. Is it possible to automate Burp scanning so that we can integrate it with the build? We have automated test scripts that we have integrated with the build using the CI tool Jenkins. Is there any process to automate Burp scanning whenever there is a build, so that Burp scans the UI automatically once the build is completed?

Thanks, Hanu

PortSwigger Agent | Last updated: Apr 01, 2015 02:28PM UTC

Burp doesn't currently have this capability natively. There is an extension in the BApp Store called Carbonator that lets you launch Burp and specify some command line options to drive an automated crawl + scan + report. You might be able to use this as a wrapper to Burp within your CI pipeline.

PortSwigger Agent | Last updated: Apr 01, 2015 02:30PM UTC

Have you run Burp with the full UI to load the Carbonator extension? You need to do this once, then shut down Burp gracefully, to ensure that the Carbonator extension loads when you start Burp in headless mode.

Burp User | Last updated: Apr 22, 2015 07:32AM UTC

Hi, we are also trying to automate Burp Suite using Carbonator, but unsuccessfully. We use this line:

    C:\>java -jar -Xmx1g -Djava.awt.headless=true C:\Burp\burpsuite_pro_v1.6.16.jar http localapp/index.php 80 /result

The localapp is defined in the 'hosts' file; it is a local application and can be opened in a browser. We have also set the proxy in IE to 127.0.0.1 8080. The result is:

    Proxy: Proxy service started on 127.0.0.1:8080
    Scanner: Live active scanning is enabled - any in-scope requests made via Burp Proxy will be scanned
    Suite: You appear to be using a 32-bit JVM. Please note that some planned Burp features will not be fully supported on 32-bit systems.

It makes no difference whether it is running in headless mode or not; it looks like scanning is not starting at all. Are there any tricks for a local app?

Burp User | Last updated: Apr 22, 2015 09:06AM UTC

You are right - Carbonator was unloaded for some reason. Now this works fine, thank you very much!

Burp User | Last updated: Jun 16, 2015 07:33AM UTC

Hello, one more question about using Carbonator: after scanning the target for the first time everything looks fine; it generates a report and closes. After running Burp from the command line a second time, the target has been moved to "Exclude from scope" (the first time, the target was in "Include in scope"). Why is the target moved, and how do I include it the second time? Thanks.

PortSwigger Agent | Last updated: Jun 16, 2015 02:10PM UTC

The Carbonator code adds the target URL to scope at the start of the scan, and then excludes it again at the end, so it ends up in the "exclude" list when Burp exits. But if you run Burp with Carbonator again, it should add the URL back to scope, which should remove it from the "exclude" list. If you're seeing a case where the target URL doesn't get scanned on the second occasion, because it had not been properly added to scope, let us know the details and we'll investigate further.

Burp User | Last updated: Jul 08, 2015 02:16PM UTC

Hi, that helped, thanks. With the scope, everything now works fine. Now I have some issues with scanning using Carbonator. After launching Burp from the command line it spiders and scans the web page, but we have noticed that it is not finding everything, so we need to go through the page ourselves to find all the endpoints, etc. After going through the page we select to spider the target; this action updates the list in the 'Scanner' tab, but it seems that scanning finishes before all targets in the Scanner list have been scanned. I mean there is a number of targets (in our case, a half) that are not scanned when using the command line (Carbonator); it just stops, creates the report and finishes. Is there any limit on the number of targets in the Scanner when using Carbonator, or any other reason why it does not scan everything in the list? Thank you

PortSwigger Agent | Last updated: Jul 08, 2015 03:14PM UTC

If you are finding that a fully automated crawl is not sufficient to get full coverage of your target application, and you need to supplement this with some manual crawling, then we would suggest using Burp in the normal way, rather than relying on Carbonator. It's not completely clear why Carbonator is exiting while your scans are still in progress, but a likely explanation is that Carbonator detects that all its own scan items have finished and so exits. It doesn't know about the items you have sent for scanning yourself.

Burp User | Last updated: Dec 11, 2015 03:57PM UTC

Despite my attempts, Carbonator begins to scan but exits early. I start Carbonator with the launch script; the scan begins, then quickly ends, and Burp shuts down. Should I be using a wildcard to force continued scanning of folders in the root? Has anyone else experienced this or found a solution?

PortSwigger Agent | Last updated: Dec 14, 2015 09:21AM UTC

The Carbonator BApp isn't written or supported by the Burp Suite team, so we aren't able to advise on any problems or the likelihood of updates, sorry.

Burp User | Last updated: Apr 20, 2016 07:24AM UTC

Are there any updates on Carbonator? Is it still supported? Is version 1.2 (from last year?) still the latest one? Are bugs being fixed, and how often are hotfixes sent out? Are the issues mentioned above resolved, where the driver exits before scanning has completed? Could you explain how the noise/filter settings work and how they are remembered/maintained if, say, you test frequently, like for each new build? Thank you

Burp User | Last updated: Sep 07, 2016 04:11PM UTC

Hi, can we use the Carbonator BApp or any API to stage scans, schedule scans for multiple apps periodically, and send reports to the respective stakeholders automatically? Thank you.

PortSwigger Agent | Last updated: Sep 08, 2016 07:56AM UTC

I believe that Carbonator can only be used to initiate a single crawl-and-scan of a target, starting immediately. So you would need to write your own logic for scheduling and reporting. In future, we plan to support these types of features natively within Burp.
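Since the thread ends with "write your own logic for scheduling and reporting", here is an added example of the kind of CI wrapper that would sit around the headless invocation quoted earlier in the thread. It is not Carbonator's or PortSwigger's code. It assumes (a) Carbonator was installed from a normal Burp UI session that was shut down cleanly, so it loads when Burp starts with -Djava.awt.headless=true; (b) the four positional arguments after the jar are scheme, host, port and path, mirroring the shape of the command posted above (confirm this against Carbonator's own README); (c) Carbonator writes an HTML report into the directory Burp is started in, so the report directory is used as the working directory and checked for new files. The marker strings are the log lines Burp printed in the poster's own run. Scheduling itself is left to Jenkins or cron; the script runs one pass over a target list and fails the build if any target did not produce a report, which is the "exits early" failure mode discussed above.

```python
"""CI wrapper around a headless Burp Suite Pro + Carbonator crawl-and-scan.

Added example for this thread, not Carbonator's or PortSwigger's code.
Assumed (not confirmed by the thread): Carbonator is already installed and
persisted in Burp's config; positional args are <scheme> <host> <port> <path>;
the HTML report lands in the working directory.
"""
import subprocess
import sys
import time
from pathlib import Path
from urllib.parse import urlsplit


def build_command(burp_jar, target_url, heap="1g", java="java"):
    """Translate a target URL into the argv for a headless Burp + Carbonator run."""
    u = urlsplit(target_url)
    if u.scheme not in ("http", "https") or not u.hostname:
        raise ValueError(f"target must be an http(s) URL with a host: {target_url!r}")
    port = u.port or (443 if u.scheme == "https" else 80)
    return [
        java, f"-Xmx{heap}", "-Djava.awt.headless=true", "-jar", str(burp_jar),
        u.scheme, u.hostname, str(port), u.path or "/",  # assumed Carbonator arg order
    ]


# Log lines Burp printed in the poster's run above; used as liveness evidence.
MARKERS = {
    "proxy_started": "Proxy service started",
    "jvm_32bit": "You appear to be using a 32-bit JVM",
}


def check_output(stdout):
    """Map each marker name to whether Burp logged it during this run."""
    return {name: text in stdout for name, text in MARKERS.items()}


def new_reports(report_dir, started_at):
    """HTML files created at or after started_at. An empty list means no report:
    Carbonator was unloaded, exited early, or never started."""
    d = Path(report_dir)
    if not d.is_dir():
        return []
    return sorted(p for p in d.glob("*.html") if p.stat().st_mtime >= started_at)


def run_scan(cmd, report_dir, timeout_s=3600, run=subprocess.run):
    """Run one crawl-and-scan and decide whether it produced usable evidence.

    `run` is injectable so the decision logic can be exercised without Burp.
    """
    started = time.time() - 1  # 1s slack for coarse filesystem mtime resolution
    timed_out, rc = False, None
    try:
        proc = run(cmd, cwd=report_dir, capture_output=True, text=True, timeout=timeout_s)
        stdout, rc = proc.stdout or "", proc.returncode
    except subprocess.TimeoutExpired as exc:  # Burp hung; partial output may be bytes
        stdout = exc.stdout or b""
        if isinstance(stdout, bytes):
            stdout = stdout.decode("utf-8", "replace")
        timed_out = True
    flags = check_output(stdout)
    reports = new_reports(report_dir, started)
    result = {"rc": rc, "timed_out": timed_out, "reports": reports, **flags}
    # Success requires that Burp's proxy actually started, the JVM did not hang,
    # and at least one new report appeared in the report directory.
    result["ok"] = flags["proxy_started"] and not timed_out and bool(reports)
    return result


def main(argv):
    if len(argv) < 4:
        print(f"usage: {argv[0]} BURP_JAR REPORT_DIR TARGET_URL [TARGET_URL ...]")
        return 2
    burp_jar, report_dir, targets = argv[1], argv[2], argv[3:]
    Path(report_dir).mkdir(parents=True, exist_ok=True)
    failed = []
    for target in targets:  # one Burp process per target, sequentially
        res = run_scan(build_command(burp_jar, target), report_dir)
        state = "ok" if res["ok"] else "FAILED"
        print(f"{target}: {state} rc={res['rc']} timed_out={res['timed_out']} "
              f"reports={[p.name for p in res['reports']]}")
        if res["jvm_32bit"]:
            print("  warning: 32-bit JVM detected; use a 64-bit JVM to raise -Xmx")
        if not res["ok"]:
            failed.append(target)
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A Jenkins post-build step would call this as `python burp_ci.py /opt/burp/burpsuite_pro.jar reports/ http://localapp/ http://otherapp/` and archive `reports/*.html`; a non-zero exit marks the build unstable or failed. The "no new report" check is deliberately the gate, because, as the thread shows, Burp can start its proxy and still exit without Carbonator ever running.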
