Cannot start scan #11
Comments
Give this a shot:
```bash
mkdir -p build/libs
mkdir lib &&
cd lib &&
ln -s /Applications/Burp\ Suite\ Professional.app/Contents/java/app/burpsuite_pro.jar burpsuite_pro.jar &&
cd -
./gradlew clean build
cd build/libs
# Run it
java -jar burp-rest-api-1.0.0.jar --headless.mode=true
docker run -d -p 85:80 --name=dvwa citizenstig/dvwa
# Add the target to scope
curl -X PUT --header 'Content-Type: application/json' --header 'Accept: application/json' 'http://localhost:8080/burp/target/scope?url=http://127.0.0.1:85'
# Spider the target
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' 'http://localhost:8080/burp/spider?baseUrl=http://127.0.0.1:85'
# Scan the target
curl -X POST --header 'Content-Type: application/json' --header 'Accept: */*' 'http://localhost:8080/burp/scanner/scans/active?baseUrl=http://127.0.0.1:85'
# Get Status of Scan
curl -X GET --header 'Accept: application/json' 'http://localhost:8080/burp/scanner/status'
# Create HTML Report
curl -X GET --header 'Accept: application/octet-stream' 'http://localhost:8080/burp/report?urlPrefix=http://127.0.0.1:85&reportType=HTML' -o testReport.html
```

This should give you some results to help you determine if things are working. Keep in mind that for this example you're not logging into the vulnerable web application, so there won't be a ton of vulnerability data. |
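For a Jenkins job, the status call in the commands above can be wrapped in a polling loop that gives up after a fixed number of polls, so the build fails instead of hanging when a scan never starts. This is an added example, not code from this thread or from the project; the `scanPercentage` field name in the status body and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example: wait for the burp-rest-api scanner to reach 100%.
# Usage in a CI step: wait_for_scan fetch_status 360 10 || exit 1
BURP_API="${BURP_API:-http://localhost:8080}"   # base URL used in the thread

# Pull the integer percentage out of a status body such as {"scanPercentage":42}.
# ASSUMPTION: the field is named "scanPercentage"; check what your build returns.
# Prints nothing when the body does not contain the field (e.g. an error page).
scan_percentage() {
  printf '%s' "$1" |
    sed -n 's/.*"scanPercentage"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Default fetcher: GET /burp/scanner/status (endpoint shown in the thread).
fetch_status() {
  curl -s --max-time 10 -H 'Accept: application/json' \
    "$BURP_API/burp/scanner/status"
}

# wait_for_scan FETCH_CMD MAX_POLLS INTERVAL_SECONDS
#   FETCH_CMD is any command or function that prints the status body.
# Return codes:
#   0  scan reported 100%
#   1  MAX_POLLS reached without hitting 100% (scan stuck or never started)
#   2  status body could not be parsed (API down, 500 page, changed format)
wait_for_scan() {
  fetch="$1"; max="$2"; interval="$3"; i=0
  while [ "$i" -lt "$max" ]; do
    pct=$(scan_percentage "$($fetch)")
    [ -n "$pct" ] || return 2
    [ "$pct" -ge 100 ] && return 0
    i=$((i + 1))
    sleep "$interval"
  done
  return 1
}
```
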
I got the same problem on my side:
Then I call the endpoint for adding my URL to the scope:
It works fine, my URL is indeed in the scope, so I create a scan:
And nothing happens, nothing is scanned, and in the UI I can't see my scan in progress either.
Burp Pro 1.7.19. Any help would be greatly appreciated. Thanks
NB: if I run the spider, it works fine; only the scanner (the thing I would need to be run by Jenkins) fails :/ |
Same here... |
As per https://portswigger.net/burp/help/scanner_pointandclick.html, I'm pretty sure you're going to need to spider a site before you can scan it (so that it knows what to scan). Why not have Jenkins run the spider and follow that action up with running a scan? You could write a little script that would run the spider, wait until spidering was finished, and then run your scan. Here's a rough idea of what I'm talking about in terms of the middle piece:
You can use something like this to get the response:
|
@l50, and how do I know that spidering has finished? I haven't seen any API endpoint related to that. Thanks for your help! |
There is not an endpoint for that, which is why I provided the Python snippet that you could potentially use to determine if spidering has finished. Or you can take the logic and turn it into whatever language meets your needs. That's the beauty of REST APIs, right? |
Regarding your code: What should |
Nobody?! |
@dorneanu get_resp() returns the response from the API call /burp/scanner/scans/active.
|
Closing this issue due to inactivity. |
@steve-heslouin |
I had similar issues and fixed with this change #30, FYI. Details of my specific issue in the PR. |
First off, thanks for writing this. I'm looking forward to using it. I am however having some issues. Perhaps it's noob related since this is the first time I'm attempting to get it to work.
I've successfully built it (from master) and am running it.
STEP 1
STEP 2
This results in:
Nothing is actually scanned. Calling the endpoint to retrieve issues or the report yields 0 findings.
I'm not sure what I'm doing wrong here, and trying to diagnose with setting headless=false doesn't actually work. It always runs in headless mode - at least on macOS.
I also tried to /burp/reset but that results in a 500 with a RuntimeException being thrown.
I'm running on Java 8 u111 with burpsuite_pro_v1.7.17.jar
Any pointers greatly appreciated.