Burp Suite User Forum


Headless scan in BURP with bearer token

Klaas | Last updated: Apr 03, 2018 01:53PM UTC

I am trying to do some automated scanning with BURP in an environment that requires token authentication. For this purpose I need to login before each session to get a bearer token. This token is in the body of the login response. Now I need to get this token and put it in the header of all following requests. I intend to run this scan headless from a command prompt. What I have so far: I have created a Macro that does the login, I have created a custom parameter to hold the token that was returned in the body and I have added this Macro to the Session Handling rules. Now, how do I put my token from my custom parameter in the header of my next request, and how do I get my Macro to run before each session?

PortSwigger Agent | Last updated: Apr 03, 2018 01:56PM UTC

Hi Klaas, Thanks for your message. Unfortunately, you're hitting the limits of Session Handling Rules here. SHRs cannot place a token in an HTTP header. We are going to add that at some point, but in the meantime you can use the Custom Parameter Handler extension to do this. Also, there isn't a way to "run Macro at startup". What you can do is define a SHR for "Check session is valid" and have it run a macro if the session is invalid. You can have it invoke an extension afterward to pass value to Custom Parameter Handler. So the first request will attempt without a token, fail, this will be detected, then the login macro initiated. This has the additional advantage that if your session becomes invalid during the scan, this will attempt to login again. If you're able to do a little coding, it may be worth coding a custom extension for your needs. This is much more flexible than Session Handling Rules.
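The "custom extension" route the reply points at, as an added example that is not code from this thread or from PortSwigger: a minimal session handling action for the Extender API that was current in 2018. It is registered with `registerSessionHandlingAction`, so it can be selected in a session handling rule as the handler that runs after the login macro ("Run a macro", then "After running the macro, invoke a Burp extension action handler"). It reads the last macro response, extracts the token and rewrites the outgoing request with a single `Authorization: Bearer` header. Assumptions, not taken from the thread: the login response body carries the token under a JSON key named `token` (the regex is the place to change), and the token sits in the final step of the macro.

```java
package burp;

import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Session handling action: runs after the login macro and copies the bearer
// token from the macro's final response into the Authorization header of the
// request that is about to be sent. Uses the legacy Extender API (IBurpExtender).
public class BurpExtender implements IBurpExtender, ISessionHandlingAction {

    // ASSUMPTION: the login response body looks like {"token":"eyJ..."}.
    // Change the key name (or the whole pattern) to match the real response.
    private static final Pattern TOKEN_PATTERN =
            Pattern.compile("\"token\"\\s*:\\s*\"([^\"]+)\"");

    private IExtensionHelpers helpers;
    private PrintWriter stderr;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        helpers = callbacks.getHelpers();
        stderr = new PrintWriter(callbacks.getStderr(), true);
        callbacks.setExtensionName("Bearer token from login macro");
        // Makes this action selectable in a session handling rule as the
        // extension handler invoked after a macro has run.
        callbacks.registerSessionHandlingAction(this);
    }

    @Override
    public String getActionName() {
        return "Set Authorization header from macro";
    }

    @Override
    public void performAction(IHttpRequestResponse currentRequest,
                              IHttpRequestResponse[] macroItems) {
        // macroItems is null when the action is not chained after a macro.
        if (macroItems == null || macroItems.length == 0) {
            stderr.println("No macro result: configure this action to run after the login macro.");
            return;
        }
        // A macro may have several steps; the token is expected in the last response.
        byte[] loginResponse = macroItems[macroItems.length - 1].getResponse();
        if (loginResponse == null) {
            stderr.println("Login macro produced no response.");
            return;
        }
        IResponseInfo respInfo = helpers.analyzeResponse(loginResponse);
        String body = new String(loginResponse, respInfo.getBodyOffset(),
                loginResponse.length - respInfo.getBodyOffset(), StandardCharsets.UTF_8);
        String token = extractToken(body);
        if (token == null) {
            stderr.println("Login response did not contain a token; request sent unchanged.");
            return;
        }
        currentRequest.setRequest(withBearer(currentRequest.getRequest(), token));
    }

    // Pulls the token out of the login response body; null if it is absent.
    static String extractToken(String body) {
        Matcher m = TOKEN_PATTERN.matcher(body);
        return m.find() ? m.group(1) : null;
    }

    // Rebuilds the request with exactly one Authorization header. A stale
    // Authorization header (e.g. an expired token) is dropped first so the
    // server never sees two of them.
    private byte[] withBearer(byte[] request, String token) {
        IRequestInfo reqInfo = helpers.analyzeRequest(request);
        List<String> headers = new ArrayList<>();
        for (String h : reqInfo.getHeaders()) {          // first entry is the request line
            if (!h.regionMatches(true, 0, "Authorization:", 0, 14)) {
                headers.add(h);
            }
        }
        headers.add("Authorization: Bearer " + token);
        byte[] reqBody = Arrays.copyOfRange(request, reqInfo.getBodyOffset(), request.length);
        // buildHttpMessage adds or updates Content-Length for the rebuilt message.
        return helpers.buildHttpMessage(headers, reqBody);
    }
}
```

Compile against Burp's Extender interfaces (the `burp` package sources are exported from Extender > APIs), load the jar under Extender > Extensions, then create a session handling rule whose action is "Run a macro" with the login macro selected and the box to invoke an extension handler ticked, choosing this action. The rule's tool scope must include Scanner, or scan requests will go out without the header. Combined with the "Check session is valid" variant described in the reply above, the login macro (and therefore this action) only fires when the check detects an expired or missing token.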

Burp User | Last updated: Apr 06, 2018 09:09AM UTC

Hi Paul, thanks, this looks useful. I do know coding but I'm not very familiar with Java. I would like to use the available options as much as possible. Appending the header with the Custom Parameter Handler is working. Now I would like to run a headless scan using this plugin but that does not seem to work. I've tried running a scan headless but then the header is not added to the request. When I run BURP headless using the -project-file parameter then the scan does not start. My goal is to automatically run this scan daily from the command line. How do I get BURP to run an active scan in headless mode like it does in the GUI mode?

PortSwigger Agent | Last updated: Apr 06, 2018 09:16AM UTC

Hi Klaas, Understood. If you're familiar with Python or Ruby you can use those with Burp also. To run a headless scan you normally want to use the Carbonator extension. Be aware also of the --unpause-spider-and-scanner command-line option which you'll need to use if opening an existing project file. We're aware that the automation support is a bit basic at the moment. We are working on improvements to this. But in the meantime, Carbonator should get you going. Please let us know if you need any further assistance.

Burp User | Last updated: Apr 09, 2018 08:06AM UTC

Hi Paul, The scan is working now, so I'm making progress. I have a command that loads the project and loads my project and user options and starts the scan. This is what it looks like: java.exe -jar -Xmx4g [BURP jar file] --project-file [project] --config-file [project settings].json --config-file [user settings].json --unpause-spider-and-scanner http localhost 7000 / However, the custom parameter handler does lose its configuration at startup, resulting in not sending my custom header. Specifically the "Tool scope options" cannot be loaded through configuration. Without setting the scanner checkbox in these options, the CPH will not be applied during scanning. I understand this is a third party extension, but perhaps you have seen it working in another scenario. Any help is highly appreciated, I'm kind of stuck.

PortSwigger Agent | Last updated: Apr 09, 2018 08:10AM UTC

Hi Klaas, Good to hear you're making progress. CPH does not save its config in the project file. However, I have made a fork of the extension for you which does do that. The repository is here: https://github.com/pajswigger/custom-parameter-handler If you set up the rules you want, "Quick save" will now save into the project file. It will automatically load this on startup. Please have a go with this and let me know how you get on.

Burp User | Last updated: Apr 13, 2018 09:34AM UTC

Hi Paul, I appreciate your efforts to help very much! Unfortunately I cannot get your adaptation to work. I tried configuring CPH and quick saving. When reloading the project, the configuration is gone. Furthermore, the "Tool Scope" settings on the option tab aren't saved anyway.

Burp User | Last updated: Jul 20, 2018 12:26AM UTC

I have one question. What exactly does the project file mean here? Does it contain pre-captured URLs that we want to scan automatically? java.exe -jar -Xmx4g [BURP jar file] --project-file [project] --config-file [project settings].json --config-file [user settings].json --unpause-spider-and-scanner http localhost 7000 / Also, after the port number, what do we have to provide?

Burp User | Last updated: Jul 20, 2018 11:52AM UTC

The project file in this example is the .burp file in which the scan configuration is stored, including the previous spider and scan results. Regarding the port number, in my example I was testing the scanner against http://localhost:7000. For a normal scan I assume you would use port 80 or 443 depending on http or https.
