Thinking about this more deeply, the one issue you are likely to hit is configuring your scans to authenticate against your target sites (if that is indeed applicable to the sites that you are intending to test).

I have included an example of running a scan via the REST API using the interactive service URL below (effectively, this is just using a curl command to initiate the scan so can be run outside of the interactive service URL):

Details for an issue are still returned in the JSON format (so what the issue is, description, URL, request and response etc).

Emailing us at is probably a better route than using the forum.

A lot of those additional settings are optional and Burp will use defaults if nothing else is provided (for example if no scan configuration is specified Burp will use a balanced configuration) so what settings you need to use is going to be fairly dependent upon your approach to scanning.

It is designed to be self documenting from the interactive service URL so we do not have any extensive documentation on it but, if you access the service URL you will see the following endpoints available to you (you can configure this within the Suite -> REST API section of Burp):

The REST API is shared between both Burp Professional and Burp Enterprise (it is really considered legacy now because Enterprise now has its own GraphQL API that has far more functionality available to it but it is still available in both products).

I think it is fair to say that the kind of functionality that you require is really what we would consider legacy and was in place before our Burp Enterprise product was created and available to users.
There is a native headless mode that can be used from the command line (you could then initiate scans via the REST API) but there is no native functionality to generate HTML/XML vulnerability reports as a result of your scans other than using the UI (you can obtain issues in JSON format via the REST API but this is obviously not quite the same as having a fully fledged HTML report).

Realistically, I cannot think of a way to cover what you wish to achieve (you could, of course, take the code from this extension and adapt it yourself but that is not going to be an easy or quick solution).

We have had some internal discussions regarding removing older extensions that have not been updated but have come to no firm conclusions (some people still use older versions of Burp so in some cases these extensions are still valid).

With regards to what we can do - as noted, we do not write these extensions so the Headless Burp extension is not our software.

From the discussions within the 'Issue' section of the GitHub repository, I would imagine that even if you were able to get this running that the extension would not function in the manner that you are expecting.

In addition to this (and probably more importantly), if you take a look at some of the issues that have been reported on the author's GitHub - the author confirms that the extension has not been tested with the Burp version that was available in October 2019 so is unlikely to work with current Burp (there were some significant changes made between the older 1.7.x versions and the new 2.x versions of Burp).

I would presume the issue lies in the fact that the later versions of Burp require, at a minimum, Java 17 (the later, installable version comes packaged with Java 19) whereas the extension itself is likely to require an earlier version (as the extension has not been updated in several years I would assume later Java versions are simply not compatible).
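
The text above says issues come back from the REST API as JSON and that no HTML report is produced outside the UI. As an added example (not PortSwigger's code and not part of the original reply), the script below renders such JSON as a minimal HTML report and escapes every field, since request and response data comes from the scanned site. The key names and the sample data are constructed assumptions based on the fields the text lists, not Burp's documented schema.

```python
import html
import json

# Constructed sample. Key names are assumptions mirroring the fields named in
# the text (issue name, description, URL, request, response), not Burp's schema.
SAMPLE_JSON = """
{"issues": [
  {"name": "Strict transport security not enforced", "severity": "low",
   "url": "https://app.example.test/",
   "description": "No Strict-Transport-Security header was returned.",
   "request": "GET / HTTP/1.1", "response": "HTTP/1.1 200 OK"},
  {"name": "Cross-site scripting (reflected)", "severity": "high",
   "url": "https://app.example.test/search?q=1",
   "description": "The value of the <b>q</b> parameter is echoed unescaped.",
   "request": "GET /search?q=<script>alert(1)</script> HTTP/1.1",
   "response": "HTTP/1.1 200 OK\\n\\n<p><script>alert(1)</script></p>"}
]}
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}

def load_issues(raw):
    """Parse the JSON document and return issues sorted most severe first."""
    issues = json.loads(raw).get("issues", [])
    return sorted(issues,
                  key=lambda i: SEVERITY_ORDER.get(i.get("severity", "info"), 99))

def render_report(issues):
    """Render issues as one HTML page. Every field is escaped because request
    and response bodies are controlled by the scanned site, not by us."""
    def esc(issue, key):
        return html.escape(str(issue.get(key, "")), quote=True)
    sections = []
    for issue in issues:
        sections.append(
            "<section>"
            f"<h2>[{esc(issue, 'severity')}] {esc(issue, 'name')}</h2>"
            f"<p><code>{esc(issue, 'url')}</code></p>"
            f"<p>{esc(issue, 'description')}</p>"
            f"<pre>{esc(issue, 'request')}</pre>"
            f"<pre>{esc(issue, 'response')}</pre>"
            "</section>")
    return ("<!DOCTYPE html><html><head><meta charset='utf-8'>"
            "<title>Scan issues</title></head><body>"
            f"<h1>{len(issues)} issue(s)</h1>" + "".join(sections)
            + "</body></html>")

if __name__ == "__main__":
    print(render_report(load_issues(SAMPLE_JSON)))
```
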