Cannot start scan #11

Closed
stevespringett opened this issue Feb 24, 2017 · 12 comments

@stevespringett

First off, thanks for writing this. I'm looking forward to using it. I am however having some issues. Perhaps it's noob related since this is the first time I'm attempting to get it to work.

I've successfully built it (from master) and am running it.

STEP 1

  • Add URL to scope
  • PUT /burp/target/scope?url=http:%2F%2Fmyurl.com%2F
  • STATUS: 200

STEP 2

  • Start active scan
  • POST /burp/scanner/scans/active?baseUrl=http:%2F%2Fmyurl.com%2F
  • STATUS: 200

This results in:

2017-02-23 23:52:53.826  INFO 26615 --- [nio-8090-exec-5] c.v.burp.extension.web.BurpController    : Is http://myurl.com/ in Scope: true
2017-02-23 23:52:53.831  INFO 26615 --- [nio-8090-exec-5] c.v.burp.extension.service.BurpService   : Total SiteMap size: 325
2017-02-23 23:52:53.831  INFO 26615 --- [nio-8090-exec-5] c.v.burp.extension.service.BurpService   : Is http://myurl.com/ in Scope: true
2017-02-23 23:52:53.833  INFO 26615 --- [nio-8090-exec-5] c.v.burp.extension.service.BurpService   : Number of URLs submitting for Active Scan: 220
2017-02-23 23:53:12.970  INFO 26615 --- [nio-8090-exec-6] c.v.burp.extension.service.BurpService   : Getting percentage complete.
2017-02-23 23:53:12.970  INFO 26615 --- [nio-8090-exec-6] c.v.b.e.domain.internal.ScanQueueMap     : Scan Queue is empty. Returning the Percent Complete as 100%.

Nothing is actually scanned. Calling the endpoint to retrieve issues or the report yields 0 findings.

I'm not sure what I'm doing wrong here, and trying to diagnose with setting headless=false doesn't actually work. It always runs in headless mode - at least on macOS.

I also tried to /burp/reset but that results in a 500 with a RuntimeException being thrown.

I'm running on Java 8 u111 with burpsuite_pro_v1.7.17.jar

Any pointers greatly appreciated.

@l50

l50 commented Mar 3, 2017

Give this a shot:

  1. Build the jar (these instructions are for OSX, see issue 8 for more details) and run the service:
mkdir -p build/libs

mkdir lib &&
    cd lib &&
    ln -s /Applications/Burp\ Suite\ Professional.app/Contents/java/app/burpsuite_pro.jar burpsuite_pro.jar &&
    cd -

./gradlew clean build

cd build/libs

# Run it
java -jar burp-rest-api-1.0.0.jar --headless.mode=true
  2. Set up dvwa. If you use docker, here's a one-liner to get you started:
docker run -d -p 85:80 --name=dvwa citizenstig/dvwa
  3. Run burp against dvwa using the API:
# Add the target to scope
curl -X PUT --header 'Content-Type: application/json' --header 'Accept: application/json' 'http://localhost:8080/burp/target/scope?url=http://127.0.0.1:85'

# Spider the target
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' 'http://localhost:8080/burp/spider?baseUrl=http://127.0.0.1:85'

# Scan the target
curl -X POST --header 'Content-Type: application/json' --header 'Accept: */*' 'http://localhost:8080/burp/scanner/scans/active?baseUrl=http://127.0.0.1:85'

# Get Status of Scan
curl -X GET --header 'Accept: application/json' 'http://localhost:8080/burp/scanner/status'

# Create HTML Report
curl -X GET --header 'Accept: application/octet-stream' 'http://localhost:8080/burp/report?urlPrefix=http://127.0.0.1:85&reportType=HTML' -o testReport.html

This should give you some results to help you determine if things are working. Keep in mind that for this example you're not logging into the vulnerable web application, so there won't be a ton of vulnerability data.

@krab-skunk

krab-skunk commented Mar 14, 2017

I got the same problem on my side:

mkdir -p build/libs

mkdir lib &&
    cd lib &&
    ln -s /Applications/Burp\ Suite\ Professional.app/Contents/java/app/burpsuite_pro.jar burpsuite_pro.jar &&
    cd -

./gradlew clean build

cd build/libs

# Run it
java -jar burp-rest-api-1.0.0.jar --headless.mode=false

Then I call the endpoint for adding my URL to the scope:

curl -X PUT --header 'Content-Type: application/json' --header 'Accept: application/json' 'http://localhost:8090/burp/target/scope?url=https://xxxxxxxxx.com/adexchange'

It works fine, my URL is indeed in the scope, so I create a scan:

curl -X POST --header 'Content-Type: application/json' --header 'Accept: */*' 'http://localhost:8090/burp/scanner/scans/active?baseUrl=https://xxxxxxxxxxx/adexchange'

And nothing happens: nothing is scanned, and in the UI I can't see my scan in progress either.

2017-03-14 10:48:11.654  INFO 38489 --- [nio-8090-exec-5] c.v.burp.extension.service.BurpService   : Getting percentage complete.
2017-03-14 10:48:11.654  INFO 38489 --- [nio-8090-exec-5] c.v.b.e.domain.internal.ScanQueueMap     : Scan Queue is empty. Returning the Percent Complete as 100%.

Burp Pro 1.7.19.
OSX 10.12.3

Any help would be greatly appreciated.

Thanks

NB: if I run the spider, it works fine; only the scanner (the thing I would need to be run by Jenkins) fails :/

@dorneanu

dorneanu commented May 4, 2017

Same here...

@l50

l50 commented May 4, 2017

As per https://portswigger.net/burp/help/scanner_pointandclick.html, I'm pretty sure you're going to need to spider a site before you can scan it (so that it knows what to scan). Why not have jenkins run the spider and follow that action up with running a scan? You could write a little script that would run the spider, wait until spidering was finished, and then run your scan. Here's a rough idea of what I'm talking about in terms of the middle piece:

import time

def wait_until_finished_spidering(self):
    while True:
        prev_resp = get_resp()  # get_resp() is not defined in this snippet
        time.sleep(5)
        resp = get_resp()
        # Responses haven't changed, we're ready to scan and have finished crawling the site
        if len(prev_resp.content) == len(resp.content):
            return

You can use something like this to get the response:

resp = requests.post("%s:%s/burp/scanner/scans/active?baseUrl=%s://%s%s%s" % (
                 api_host, api_port, service, target, port, uri))

@dorneanu

dorneanu commented May 4, 2017

@l50, and how do I know that spidering has finished? I haven't seen any API endpoint related to that. Thanks for your help!

@l50

l50 commented May 4, 2017

There is not an endpoint for that, which is why I provided the Python snippet that you could potentially use to determine if spidering has finished. Or you can take the logic and turn it into whatever language meets your needs. That's the beauty of REST APIs, right?

@dorneanu

dorneanu commented May 4, 2017

Regarding your code: What should get_resp() do? Get a response from what?

@dorneanu

dorneanu commented May 9, 2017

Nobody?!

@vkalal

vkalal commented May 10, 2017

@dorneanu get_resp() returns the response from the API call /burp/scanner/scans/active.
This is how I am using these APIs.

  1. check_burp_sitemap() : /burp/target/sitemap
  2. add_site_to_scope() : /burp/target/scope
  3. start_active_scan() : /burp/scanner/scans/active
  4. poll_scan_status() : /burp/scanner/status
  5. get_burp_scan_html_report() : /burp/report?reportType=HTML
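
The spider, wait, then scan sequence discussed in this thread, as an added example (not code from the thread or from burp-rest-api): it polls the site map until its size stops changing for several consecutive polls, with a timeout so a CI job cannot hang. `http` is a hypothetical caller-supplied helper, and the `urlPrefix` parameter on `/burp/target/sitemap` is an assumption.

```python
import time
from urllib.parse import quote


def api_url(base, path, **params):
    """Build an API URL, percent-encoding every query value (target URLs contain ':' and '/')."""
    query = "&".join(f"{k}={quote(str(v), safe='')}" for k, v in params.items())
    return f"{base}{path}?{query}"


def wait_until_stable(sample, interval=5.0, stable_polls=3, timeout=600.0,
                      sleep=time.sleep, clock=time.monotonic):
    """Poll sample() until it returns the same value stable_polls times in a row.

    One unchanged reading can simply mean the spider is waiting on a slow
    response, so several consecutive matches are required, and a deadline
    stops a site that never settles from hanging the CI job.
    """
    deadline = clock() + timeout
    last, unchanged = sample(), 0
    while unchanged < stable_polls:
        if clock() >= deadline:
            raise TimeoutError("site map still changing after %.0fs" % timeout)
        sleep(interval)
        current = sample()
        unchanged = unchanged + 1 if current == last else 0
        last = current
    return last


def spider_then_scan(http, base, target, **wait_opts):
    """Scope, spider, wait for the site map to settle, then start the active scan.

    http(method, url) -> bytes is supplied by the caller (hypothetical helper,
    e.g. a thin wrapper around requests); it should raise on non-2xx statuses.
    """
    http("PUT", api_url(base, "/burp/target/scope", url=target))
    http("POST", api_url(base, "/burp/spider", baseUrl=target))
    # Assumption: the sitemap endpoint accepts urlPrefix like /burp/report does.
    sitemap = api_url(base, "/burp/target/sitemap", urlPrefix=target)
    size = wait_until_stable(lambda: len(http("GET", sitemap)), **wait_opts)
    http("POST", api_url(base, "/burp/scanner/scans/active", baseUrl=target))
    return size
```
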

@vkalal

vkalal commented Jun 2, 2017

Closing this issue due to inactivity.

@rohandora

rohandora commented Oct 7, 2017

@steve-heslouin
@stevespringett
Hello guys, thanks for posting your issues. I have not yet automated scans; however, I was curious to know: was this issue fixed? It would probably be a good reference point for many people, including myself, for solving this issue if it appears.
Thanks

@jamesrthomas1984
Contributor

I had similar issues and fixed with this change #30, FYI. Details of my specific issue in the PR.
