Expose recorded login API to the 'burpa scan' command #5

Open
tristanlatr opened this issue Jun 22, 2021 · 11 comments
@tristanlatr
Owner

It would be quite simple to add --recorded-login-label <string> and --recorded-login-script <string or path> that fill the following active scan params:

{
  "application_logins": [
    {
      "label": String,
      "script": String
    }
  ]
}

@ganesh2183

Hi @tristanlatr, can we use the 'recorded-login-script' command in burpa? If so, how do we use it? Please share an example.

@tristanlatr
Owner Author

Hi @ganesh2183, this feature is not implemented yet.

Any contributions would be appreciated.

Please have a look at the active_scan method there: https://github.com/tristanlatr/burpa/blob/main/burpa/_burp_commander.py#L78. It's a good starting point to implement this feature.

@ganesh2183

ganesh2183 commented Nov 15, 2022

@tristanlatr I have tried to add the recorded login API to the burpa command. When I pass the recorded script in the command, I get "json.decoder.JSONDecodeError: Invalid \escape: line 10 column 77 (char 560)".

Any idea why I am getting this error and how to fix it?

@tristanlatr
Owner Author

This error means you are constructing an invalid JSON string in the data variable.

@ganesh2183

ganesh2183 commented Nov 16, 2022

@tristanlatr I tried again, and now I'm getting '400 Client Error: Bad Request...' Response: {"type":"ClientError","error":"could not parse recorded login sequence to JSON"}

Any idea what to do or how to fix this?

Can I share the code with my changes?

@tristanlatr
Owner Author

Yes, please open a pull request so that I can see your changes. Thanks.

@ganesh2183

ganesh2183 commented Nov 20, 2022

> This error means you are constructing an invalid JSON string in the data variable.

As you said, there is an issue with constructing the JSON string: when the recorded script is provided in Command Prompt/PowerShell as input for the recorded_login_script argument, it is not parsed as the JSON string expected by the Burp tool. It is accepted if I replace the double quotes in the recorded script with triple backslash plus double quotes so that the JSON parses. For example: [{\"name\": \"Burp Suite Navigation Recorder\", \"url\": \"https://example.com/login/index.html#/home\", \"isIframe\": false}]

Also, I tried using json.dumps() in the code, but it is still not working.

Can you help fix the issue?

@tristanlatr
Owner Author

Hello @ganesh2183,

Please read up on contributing with git to open one pull request with your changes, so I can test it and give a better review, and eventually, merge your work into this project.

Also, looking at the code you proposed, it looks like you replaced the username/password authentication with the recorded login system. If you want to contribute, the changes should be compatible, so both options should be supported. Regarding the JSON parsing, maybe the script should be read from a file? That would be simpler for parsing the JSON.
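
The file-based approach suggested in the comment above, as an added Python example that is not part of this thread or of burpa's code: it reads the recorded login from a file, checks that it parses, and lets json.dumps escape it into the application_logins structure from the first comment. The function names, the scan_params dict and the "admin-login" label are assumptions.

```python
import json
import tempfile
from pathlib import Path

# Constructed sample, modelled on the one-step script quoted in this thread.
SAMPLE_SCRIPT = (
    '[{"name": "Burp Suite Navigation Recorder", '
    '"url": "https://example.com/login/index.html#/home", "isIframe": false}]'
)


def load_recorded_login(path):
    """Return the file's text after checking it parses as a JSON array of steps."""
    text = Path(path).read_text(encoding="utf-8")
    try:
        steps = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"{path}: recorded login is not valid JSON: {exc}") from exc
    if not isinstance(steps, list) or not steps:
        raise ValueError(f"{path}: expected a non-empty JSON array of steps")
    return text


def add_recorded_login(scan_params, label, script_text):
    """Return the request body with application_logins set; json.dumps escapes."""
    body = dict(scan_params)  # hypothetical: the other active-scan parameters
    body["application_logins"] = [{"label": label, "script": script_text}]
    return json.dumps(body)


def naive_body(label, script_text):
    """Hand-built JSON, kept only to show why the inner quotes break parsing."""
    return '{"application_logins": [{"label": "%s", "script": "%s"}]}' % (
        label, script_text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        script_file = Path(tmp) / "login.json"
        script_file.write_text(SAMPLE_SCRIPT, encoding="utf-8")
        body = add_recorded_login({}, "admin-login", load_recorded_login(script_file))
    print(body)  # inner quotes appear as \" without any manual escaping
    try:
        json.loads(naive_body("admin-login", SAMPLE_SCRIPT))
    except json.JSONDecodeError as exc:
        print("naive body rejected:", exc)
```

Reading the script from a file also keeps the recorded login sequence out of shell history and away from Command Prompt/PowerShell quoting rules.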

@ganesh2183

@tristanlatr Do you want me to open the pull request again? I will add both authentication methods.

I'm very new to Python coding. Also, can you help me add code to read the JSON script file and parse the JSON? Is it possible to connect?

@ganesh2183

@tristanlatr I have opened one pull request with both authentication methods. Please have a look and let me know.

I need your help to add code to read the JSON script file and parse the JSON.

@ganesh2183

@tristanlatr Any update on this?
