Headless, Unattended Scanning in Burp Suite Professional 2.0 with Seltzer

Gabriel Merritt, Senior Security Consultant, Coalfire Labs

Burp Suite Professional (Burp) is one of the best tools available for penetration testers. It is feature-rich, intuitive, well-supported, and customizable. However, it can be difficult to use Burp for headless, unattended scanning. Alternatives such as Burp Suite Enterprise exist, but those of us with Burp Suite Professional may want to leverage it to perform this type of work. For years, my tool of choice for this has been the Burp extension Carbonator. Available in the BApp Store, Carbonator provides a means to interact with Burp via the command line, scanning a target and exporting the results as HTML. It is a great extension that has worked well, until the release of Burp 2.0.

Burp 2.0 is a significant upgrade from 1.0 and includes many useful new features, such as the ability to create multiple scanning configurations. In Burp 1.0, all active scans used the same configuration. In Burp 2.0 you can have concurrently running scans, each having its own configuration. When PortSwigger released Burp 2.0, the Burp Extender API was not updated to support some of the new features including the ability to specify a configuration for a new scan. When new scans are initiated via the extender API, they use a very limited default configuration.

Default Burp Scan Configuration

Default Burp Scan Configuration

We would like to use the extender API to start a scan and specify a configuration. More specifically, we would like to traverse a list of targets and do the following:

  • Start Burp in headless mode
  • Scan a target
  • Export scan reports in HTML and XML
  • Save the Burp project file
  • Exit Burp
  • Next target

We cannot use the extender API in its current form to do this. However, another feature of Burp 2.0 is the Burp REST API. Currently, the REST API has limited functionality, but it is useful for solving this problem. Specifically, the REST API provides a means for us to start scans, specify a scan configuration profile to use, and check the scans status. We can combine the extender API, the REST API, and some Bash scripting to achieve our goal of headless, unattended scanning in Burp 2.0.

The workflow might look something like this:

Seltzer Workflow

Seltzer Workflow

This begs the question, “What is Seltzer?” Seltzer is a Burp Suite extension and accompanying Bash shell script that allows a user to scan a list of targets using Burp 2.0. It leverages the Burp REST API to allow for using named scan configurations, Burp project and user options files, and it runs in headless mode by default. The project is available via git here.

Seltzer Scans

Seltzer Scans

It is important to note that the Burp REST API should be properly configured prior to using Seltzer. For example, the API typically should not be exposed to the public internet. Seltzer supports the use of Burp REST API keys as an additional level of security if users want to further restrict access to the API.

Though I have only scratched the surface of what’s possible, Seltzer has been a fun project to work on. Additional features that I hope to implement at some point include alerting, monitoring, and integration with other services such as Amazon S3, Microsoft OneDrive, and Google Cloud Storage.

Gabriel Merritt


Gabriel Merritt — Senior Security Consultant, Coalfire Labs

Recent Posts

Post Topics



Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff CISO cloud CMMC CoalfireOne Compliance Covid-19 credit cards C-Store Culture Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DevSecOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi women XSS