SimpleAutoBurp

Python script that takes a config.json file as config and uses Burp Suite Pro to scan a list of websites.

This script is a simplification of AutoScanWithBurp, also AutoScanWithBurp uses an extension to execute the scan and Burp state files that were deprecated in 2018.

SimpleAutoBurp uses the new Burp API and Burp project files. Authenticated Burp scans and Nikto are not yet implemented.

Configure

The script needs a config.json with the configuration, here we have an example:

{
    "sites" : [{
        "scanURL" : "https://test-xss.000webhostapp.com",
        "project" : "/home/ec2-user/BurpSuitePro/2021-07-11-Test_1.burp",
        "apikey" : "APIKEY"
      },
      {
        "scanURL" : "http://test-xss.000webhostapp.com",
        "project" : "/home/ec2-user/BurpSuitePro/2021-07-11-Test_1.burp",
        "apikey" : "APIKEY"
      }
    ],
    "burpConfigs" : [{
        "memory" : "2048m",
        "headless" : "true",
        "java" : "/home/ec2-user/BurpSuitePro/jre/bin/java",
        "burpJar" : "/home/ec2-user/BurpSuitePro/burpsuite_pro.jar",
        "retry" : 5,
        "logPath" : "/home/ec2-user/BurpSuitePro/",
        "logfileName" : "SimpleAutoBurp",
        "loglevel" : "debug",
        "ScanOutput" : "/home/ec2-user/ScanOutput/"
      }
      ]
}

Site (the config file can contain multiple sites):
- scanURL: URL to scan.
- project: Path to a Burp project files.
- apikey: Burp API Key. User options - Misc - REST API, enable the service and create a new API Key. More info here.
burpConfigs
- memory: Maximum amount of memory.
- headless: Enable or disable headless mode.
- java: Path to the Java binary.
- burpJar: Path to the Burp Suite JAR file.
- retry: How many times, the script will try to check if burp is up and running.
- logPath: Path of the log file.
- logfileName: Name of the log file.
- loglevel: Log Level (DEBUG INFO WARNING ERROR CRITICAL).
- ScanOutput: Path to results

Execute

SimpleAutoBurp.py /home/ec2-user/config.json

Schedule Scan

This script can be scheduled to execute using crontab in *nix systems like this:

0 2 * * * ec2-user /usr/bin/python3.7 /home/ec2-user/SimpleAutoBurp.py /home/ec2-user/config.json

Output

The script generates a log of the execution and a file with a json that includes information about all the vulnerabilities found. It only shows vulnerabilities detected in this scan and not detected previously.

Recommendations

To improve the results of the scan enable extensions like:

Active Scans++
Software Vulnerability Scanner
Backslash Powered Scanner
Additional Scanner Checks
Error Message Checks

Python script to launch burp scans automatically

Related tags

Overview

SimpleAutoBurp

Configure

Execute

Schedule Scan

Output

Recommendations

Owner

Adan Álvarez

A python package for your Kali Linux distro that find the fastest mirror and configure your apt to use that mirror

Group imports from Windows binaries

ecowater-softner is a Python library for collecting information from Ecowater water softeners.

iOS Snapchat parser for chats and cached files

A small python tool to get relevant values from SRI invoices

Deep Difference and search of any Python object/data.

one_click_kag_server is a program which tries to fully automate the creation of a King Arthur's Gold server.

a demo show how to dump lldb info to ida.

HeadHunter parser

Casefy (/keɪsfaɪ/) is a lightweight Python package to convert the casing of strings

Python lightweight dependency injection library

Auto-generate /etc/hosts for HackTheBox machines

a simple function that randomly generates and applies console text colors

password generator

Macro recording and metaprogramming in Python

Dice Rolling Simulator using Python-random

cssOrganizer - organize a css file by grouping them into categories

A dictionary that can be flattened and re-inflated

Give you a better view of your Docker registry disk usage.

A thing to simplify listening for PG notifications with asyncpg