NetsOSS / headless-burp

Automate security tests using Burp Suite.
https://netsoss.github.io/headless-burp/

Can't run scan using headless-burp extension #14

Closed IgorSasovets closed 5 years ago

IgorSasovets commented 5 years ago

Hi, team! I installed the Headless Burp extension in BurpSuite Professional and want to automate my web application security assessment process. I managed to start Burp using the extension, run API tests through BurpProxy and save all collected data to the burp project. The problem is that I cannot stop the proxy and start scanning from the terminal. Could you please help me with this issue?

Command that I use to start Burp:

java -Xmx1G -Djava.awt.headless=true -classpath headless-burp-proxy-master-SNAPSHOT-jar-with-dependencies.jar:burpsuite_pro.jar burp.StartBurp --project-file=web-scan.burp -c config.xml -v

Config file:

<?xml version="1.0" encoding="UTF-8"?>
<config>
  <reportType>JUNIT</reportType>
  <targetSitemap><![CDATA[http://localhost:5000/]]></targetSitemap>
</config>

To stop proxy I used below command:

echo SHUTDOWN >> /dev/tcp/127.0.0.1/8080

BurpSuite version: 2.0.13 beta
Extension version: 1.0

anandsudhir commented 5 years ago

Hi @IgorSasovets ,

Are you sure the proxy's shutdown port is 8080? The Proxy shutdown port is 4444 by default, unless overridden.

Could you try one of these documented commands?

echo SHUTDOWN >> /dev/tcp/127.0.0.1/4444
or
echo SHUTDOWN | netcat 127.0.0.1 4444
or
echo SHUTDOWN | ncat 127.0.0.1 4444

IgorSasovets commented 5 years ago

Hi, @anandsudhir ! Thanks for the quick response. I tried to override the port using the -shutdownPort argument but there are still some issues. Here is the output of the quoted commands:

1.

user@ubuntu:~$ echo SHUTDOWN >> /dev/tcp/127.0.0.1/4444
user@ubuntu:~$ 

2.

user@ubuntu:~$ echo SHUTDOWN | netcat 127.0.0.1 4444
HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close

400 Bad Requestuser@ubuntu:~$ 

3.

user@ubuntu:~$ echo SHUTDOWN | netcat 127.0.0.1 4444
HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close

400 Bad Requestuser@ubuntu:~$ 

anandsudhir commented 5 years ago

Could you paste the output you get when you run the burp suite with the proxy extension?

java -Xmx1G -Djava.awt.headless=true -classpath headless-burp-proxy-master-SNAPSHOT-jar-with-dependencies.jar:burpsuite_pro.jar burp.StartBurp --project-file=web-scan.burp -v

Also, could you check what ports burp + the extension are listening to? At least:

netstat -tulpn | grep 4444

I wonder if some other service is already listening to 4444. You could try and override the port to something else and try again.

anandsudhir commented 5 years ago

Use something like --shutdown-port 5555 to override the port

IgorSasovets commented 5 years ago

Command output: [screenshot]

netstat -tulpn | grep 4444 [screenshot]

You were right, the port is already in use. I restarted the proxy with a custom port (after I made sure that it is unused by another service):

java -Xmx1G -Djava.awt.headless=true -classpath headless-burp-proxy-master-SNAPSHOT-jar-with-dependencies.jar:burpsuite_pro.jar burp.StartBurp --project-file=web-scan.burp -v -shutdownPort 8081

Then I tried again to send the SHUTDOWN command to port 8081:

  1. user@ubuntu:~$ echo SHUTDOWN >> /dev/tcp/127.0.0.1/8081
    bash: connect: Connection refused
    bash: /dev/tcp/127.0.0.1/8081: Connection refused
    user@ubuntu:~$
  2. user@ubuntu:~$ echo SHUTDOWN | netcat 127.0.0.1 8081
    user@ubuntu:~$
  3. user@ubuntu:~$ echo SHUTDOWN | nc 127.0.0.1 8081
    user@ubuntu:~$

anandsudhir commented 5 years ago

Did that work? If it did, the proxy process must have exited. I can't see if it worked or not from these logs :(

IgorSasovets commented 5 years ago

When I used --shutdown-port I received: Unrecognized command-line argument: --shutdown-port. Nope, the proxy is still running: [screenshot]

anandsudhir commented 5 years ago

Ok, I see the issue now. The proxy plugin isn't loaded on your classpath and hence the proxy shutdown listener isn't loaded either. Make sure you have headless-burp-proxy-master-SNAPSHOT-jar-with-dependencies.jar on the classpath (and in the correct location).
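The three outcomes seen above (a silent prompt, an HTTP 400 reply, and Connection refused) can be told apart by reading the reply and then re-checking the port. The bash script below is an added example, not part of the original comments or of headless-burp; the function names and the 2-second read timeout are assumptions, and it relies only on the SHUTDOWN text command and /dev/tcp usage shown in this thread.

```bash
#!/usr/bin/env bash
# Added example (not headless-burp code). Function names are hypothetical.

# classify_reply CONNECT_RC FIRST_REPLY_LINE -> prints a one-word diagnosis.
classify_reply() {
  local rc=$1 reply=$2
  if [ "$rc" -ne 0 ]; then
    echo "no-listener"      # connect failed: nothing is listening on that port
    return 0
  fi
  case "$reply" in
    HTTP/*) echo "other-service" ;;  # an HTTP server owns the port, not the extension
    *)      echo "sent" ;;           # command delivered; exit still has to be confirmed
  esac
}

# port_open HOST PORT -> exit status 0 if a TCP connect succeeds.
port_open() {
  ( exec 3<>"/dev/tcp/$1/$2" ) 2>/dev/null
}

# send_shutdown HOST PORT -> sends SHUTDOWN, prints the diagnosis.
send_shutdown() {
  local host=$1 port=$2 reply="" verdict i
  if ! { exec 3<>"/dev/tcp/$host/$port"; } 2>/dev/null; then
    classify_reply 1 ""
    return 0
  fi
  printf 'SHUTDOWN\n' >&3
  IFS= read -r -t 2 reply <&3 || true   # listener may close without replying
  exec 3<&-
  verdict=$(classify_reply 0 "$reply")
  if [ "$verdict" = "sent" ]; then
    # Confirm the listener is really gone instead of trusting a silent prompt.
    for i in 1 2 3 4 5; do
      port_open "$host" "$port" || { echo "stopped"; return 0; }
      sleep 1
    done
    verdict="still-listening"
  fi
  echo "$verdict"
}

# Usage: send_shutdown 127.0.0.1 4444
```

Unlike `echo SHUTDOWN >> /dev/tcp/...`, which writes and closes without reading, this reads the first reply line, so a foreign HTTP service on the port is reported instead of returning a silent prompt.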

anandsudhir commented 5 years ago

If the extension is on the classpath and loaded, you will see something like this below (note logs from the extension)

java -Xmx1G -Djava.awt.headless=true -classpath headless-burp-proxy-master-SNAPSHOT-jar-with-dependencies.jar:burpsuite_pro.jar burp.StartBurp --project-file=web-scan.burp -v

Suite: Environment not supported by embedded browser
Proxy: Proxy service started on 127.0.0.1:8080
Extender: Legacy extension found
Extender: Headless Burp Proxy: Arguments to headless burp: -v
Proxy: Proxy service stopped on 127.0.0.1:8080
Proxy: Proxy service started on 127.0.0.1:4646
Extender: Headless Burp Proxy: Using proxy 127.0.0.1:4646
Extender: Headless Burp Proxy: Headless Burp Proxy fully configured

IgorSasovets commented 5 years ago

@anandsudhir , one more question: how can I check this, in burpsuite_pro.jar (sorry for such a question, but I'm not a Java developer)?

anandsudhir commented 5 years ago

Do you have the file headless-burp-proxy-master-SNAPSHOT-jar in the same directory as the burp suite jar? If not, you can follow the documentation on this to build the project and that will generate the jar for you.

Basically you need to run ./mvnw clean install

IgorSasovets commented 5 years ago

Thanks so much. I'll try to build the project and notify you about the results.

IgorSasovets commented 5 years ago

@anandsudhir , now the file is located in the same folder as the burp jar, but SHUTDOWN still doesn't work. [screenshot]

anandsudhir commented 5 years ago

You want the proxy jar in the same directory. I see that you have the scanner. Copy the proxy jar too and finally I hope it works for you

IgorSasovets commented 5 years ago

I didn't find "proxy.jar". Do I need to install an additional plugin through BurpSuite extender, or was I looking for the wrong file?

anandsudhir commented 5 years ago

The file is named headless-burp-proxy-master-SNAPSHOT-jar and would be under the headless-burp-proxy/target directory after you run mvnw clean install

IgorSasovets commented 5 years ago

I did a clean install, made sure that the required files are located in the same directory, but after I started burp using the plugin it finished unexpectedly. After that I tried to download the extension as a ".jar" file and BurpSuite crashed completely. Now I cannot even open it. Which version of BurpSuite do you use? [screenshot]

IgorSasovets commented 5 years ago

Also, all installed extensions were unloaded after crash.

anandsudhir commented 5 years ago

Hm, that's very strange. I run this with both 1.x and 2.x versions and it loads just fine.

Here's my suggestion now. Run this without any plugins on the classpath and see what happens.

anandsudhir commented 5 years ago

Btw, I miswrote the jar filename. You need the one that says with-dependencies.

IgorSasovets commented 5 years ago

@anandsudhir , I'll try it and provide you the results.

IgorSasovets commented 5 years ago

@anandsudhir , here is the file list of the BurpPro folder with the burp jar: [screenshot]

When I run the command to start burp I receive the below: [screenshot]

I unloaded Burp headless extension, but unfortunately it didn't fix the problem. Could you please provide ls command results from your Burp folder? Maybe I copied wrong files.

IgorSasovets commented 5 years ago

After Legacy extension found message it finished unexpectedly

anandsudhir commented 5 years ago

Hmm, crashed after that line? Ok,

What if you just run java -Xmx1G -jar burpsuite_pro.jar? If that doesn't work either, add --use-defaults

anandsudhir commented 5 years ago

I have these files in my directory

$ ls *burp*
burpsuite_pro_v1.7.37.jar  burpsuite_pro_v2.0.08beta.jar headless-burp-proxy-master-SNAPSHOT-jar-with-dependencies.jar  headless-burp-scanner-master-SNAPSHOT-jar-with-dependencies.jar

IgorSasovets commented 5 years ago

It just started Burp in UI mode after java -Xmx1G -jar burpsuite_pro.jar command

anandsudhir commented 5 years ago

Yes, check if there are some weird extension settings. Also unload old headless burp extensions. Try again with the extension jars. Btw, you could also download these from github releases too

IgorSasovets commented 5 years ago

Now I have problems with the shutdown port, the provided option is not recognized: [screenshot] [screenshot]

IgorSasovets commented 5 years ago

Finally! I fixed the issue with shutting down the proxy:

java -Xmx1G -Djava.awt.headless=true -classpath headless-burp-proxy-master-SNAPSHOT-jar-with-dependencies.jar:burpsuite_pro.jar burp.StartBurp --project-file=web-scan.burp -v --shutdown-port 8081

But I still have an issue with the config file. Also, how can I start the scan now?

IgorSasovets commented 5 years ago

Fixed the scanner start but now I have a problem with the config: [screenshot]

config.xml

<?xml version="1.0" encoding="UTF-8"?>
<config>
  <reportType>JUNIT</reportType>
  <targetSitemap><![CDATA[http://localhost:5000/]]></targetSitemap>
</config>

anandsudhir commented 5 years ago

You are using the wrong switch. Use -c to pass config.xml. See documentation.

IgorSasovets commented 5 years ago

I tried, but it doesn't work: [screenshot]

IgorSasovets commented 5 years ago

Finally fixed all issues! Now it works as expected. @anandsudhir , I would add a complete example (something similar to a step-by-step guide) for extension usage. I can open a PR for it, because in my case it would be very useful and would save a lot of time.

anandsudhir commented 5 years ago

Nice! Would be awesome if you could make a PR. I am glad it finally works for you now :)

IgorSasovets commented 5 years ago

@anandsudhir , thanks so much for your time, really appreciate it. I will prepare a full example of usage and submit a PR. I think that we can close this issue.

anandsudhir commented 5 years ago

Happy to help :) Looking forward to the PR.