![]() ![]() The Jenkins job kicks off Burp Suite and actively scans any host it found in its proxy history. I've put all of this together in Jenkins. Println "No sites found in proxy history. println address.toURL().text def foo = "foobar" File file = new File( ""+item+ ".html") Println "Saving HTML report for target: " + itemĭef address = url + "/burp/report?reportType=HTML" def data = new URL(address).getText() Println 'Scan on target '+ item + ' finished' Check if proxy history is empty if (!sites.isEmpty()) " Import static .TEXTĭef url = '' // get proxy history and save unique to param sites def path = '/burp/proxy/history' module='http-builder', version='0.7' ) import After the active scan finishes the HTML report will be saved locally. ![]() In this example I've used BWAPP as the target application. Finally the power of Burp Suite can be harnessed through the use of scripts and therefore be automated.īelow I wrote a small POC which does an active scan on sites that are found in the proxy history of Burp. ![]() The most important features one would require are available and ready for use. The features they do offer however are well documented and easy to implement. In a follow-up blog I will write on how to add new features to the existing API. My goal was to create an implementation similar to the illustration below:Īt first glance the features it offers seems a bit disappointing, but we have to keep in mind that this project was only released recently. I started to play around with the different endpoints and tried to see if I could create a similar implementation of automated security tests as in my previous blogs about security automation. Interested as I was, I immediately had a look at it and installed it locally. I was already familiar with Burp Suite due to my experience as a penetration tester so I was excited to see if I could use it to automate Burp. Burp REST APIīut I am always on the lookout for new tools that can aid me in automation, and recently I found out that VMware has released a REST/JSON API endpoint to access the features of Burp Suite. You can read more about this set-up in my previous blogs ZAP automation part 1 and ZAP automation part 2. This combination of Selenium tests with ZAP has proven itself to be a solid success in many cases. The process of automating security tests mainly consists of functional tests (in Selenium) being fed to the proxy of ZAP and afterwards performing an active scan on the proxy history. The following link provides general information about configuring your browser for use with Burp Suite.I am a big fan of automating security tests and lately I have been doing so a lot with the incredible REST API of OWASP ZAP. Now you can run tests on both servers and compare results. As with the open proxy, Burp will populate Destination host with a wildcard symbol if you leave the field blank. This time you are taken to an Upstream proxy rule screen in Edit mode.Įdit the rules as needed. If you wish to edit the rules for this additional server, you can return to the Upstream Proxy Servers section of the User options tab, and click the Edit button. Now add another ProxyMesh server, for example, us-wa. The Add upstream proxy rule screen reappears. If you leave the Destination host field blank, then, after your other input has been stored, Burp will populate this field with a wildcard symbol (*), indicating that that all destinations are using the proxy (see illustration below).īack on the Upstream Proxy Servers section of the User options tab, click Add again. If no rule matches, Burp defaults to direct, non-proxied connections. Rules are applied in sequence, and the system will use the first rule that matches the destination web server. ![]() You can define multiple rules, specifying different proxy settings for different destination hosts, or groups of hosts. Input the fields as needed for your use cases. On this screen, enter the name of a ProxyMesh proxy, for example, the Open Proxy.īurp's upstream proxy settings control whether Burp will send outgoing requests to an upstream proxy server, or directly to the destination web server. This takes you to a screen titled Add upstream proxy rule. In the Upstream Proxy Servers section of the tab, click the Add button. On the User options tab, in the Upstream Proxy Servers section, click the Add button. User Options Tabįrom the Burp dashboard, select the User Options tab to Input the proxy settings you'll need to use Burp in ProxyMesh. This will enable you to run tests, send requests, and easily track IPs in rotation. The video features methods for Linux: Suite Configuring for ProxyMeshīelow are proxy settings needed to use Burp with ProxyMesh. Here is a link to a general description of Burp Suite and a video with steps to install and configure the tool. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |