Burp Suite Professional (Burp) is one of the best tools available for penetration testers. It is feature-rich, intuitive, well-supported, and customizable. However, it can be difficult to use Burp for headless, unattended scanning. Alternatives such as Burp Suite Enterprise exist, but those of us with Burp Suite Professional may want to leverage it to perform this type of work. For years, my tool of choice for this has been the Burp extension Carbonator. Available in the BApp Store, Carbonator provides a means to interact with Burp via the command line, scanning a target and exporting the results as HTML. It is a great extension that has worked well, until the release of Burp 2.0.
Burp 2.0 is a significant upgrade from 1.0 and includes many useful new features, such as the ability to create multiple scanning configurations. In Burp 1.0, all active scans used the same configuration. In Burp 2.0 you can have concurrently running scans, each having its own configuration. When PortSwigger released Burp 2.0, the Burp Extender API was not updated to support some of the new features including the ability to specify a configuration for a new scan. When new scans are initiated via the extender API, they use a very limited default configuration.
Default Burp Scan Configuration
We would like to use the extender API to start a scan and specify a configuration. More specifically, we would like to traverse a list of targets and do the following:
- Start Burp in headless mode
- Scan a target
- Export scan reports in HTML and XML
- Save the Burp project file
- Exit Burp
- Next target
We cannot use the extender API in its current form to do this. However, another feature of Burp 2.0 is the Burp REST API. Currently, the REST API has limited functionality, but it is useful for solving this problem. Specifically, the REST API provides a means for us to start scans, specify a scan configuration profile to use, and check the scans status. We can combine the extender API, the REST API, and some Bash scripting to achieve our goal of headless, unattended scanning in Burp 2.0.
The workflow might look something like this:
This begs the question, “What is Seltzer?” Seltzer is a Burp Suite extension and accompanying Bash shell script that allows a user to scan a list of targets using Burp 2.0. It leverages the Burp REST API to allow for using named scan configurations, Burp project and user options files, and it runs in headless mode by default. The project is available via git here.
It is important to note that the Burp REST API should be properly configured prior to using Seltzer. For example, the API typically should not be exposed to the public internet. Seltzer supports the use of Burp REST API keys as an additional level of security if users want to further restrict access to the API.
Though I have only scratched the surface of what’s possible, Seltzer has been a fun project to work on. Additional features that I hope to implement at some point include alerting, monitoring, and integration with other services such as Amazon S3, Microsoft OneDrive, and Google Cloud Storage.