Closed Dr4s1l closed 3 years ago
@Dr4s1l No, all the executors work on demand. But what you can do is run the executor from faraday-cli; in that way you could make an automated process.
The other option is to make a script to fetch the data from Burp, convert it to XML (this is what the executor does) and then process it with faraday-cli.
Thanks, is there documentation on faraday-cli integration with the agent somewhere?
Getting errors when providing multiple named scans; from what I understand they are stored in an array:
while read url;do echo '{"NAMED_CONFIGURATION":"crawl1","NAMED_CONFIGURATION":"audit1","TARGET_URL": "'"$url"'"}' | faraday-cli agent run -a 2 -e Burp --stdin;done <delta_tango.txt
This looks like it works, but I'm getting an unknown error in the logs, and it looks like the 2 named configs do not load; only one of them is read:
2021-09-05 19:42:38,553 - faraday_agent_dispatcher - INFO {MainThread} [dispatcher.py:256 - run_once()] Parsing data: {"execution_id": 7396, "agent_id": 2, "workspace": "seed", "action": "RUN", "executor": "Burp", "args": {"NAMED_CONFIGURATION": "audit1", "TARGET_URL": "http://example.com"}}
2021-09-05 19:42:38,553 - faraday_agent_dispatcher - INFO {MainThread} [metadata_utils.py:59 - check_commands()] Dependency check ended. Ready to go
2021-09-05 19:42:38,553 - faraday_agent_dispatcher - INFO {MainThread} [dispatcher.py:415 - run_once()] Running Burp executor
2021-09-05 19:42:39,742 - faraday_agent_dispatcher - INFO {MainThread} [executor_helper.py:148 - end_f()] Data sent to bulk create
2021-09-05 19:42:39,742 - faraday_agent_dispatcher - WARNING {MainThread} [dispatcher.py:471 - run_once()] Executor Burp finished with exit code 1
Is there any way to provide more threads? Need ~130k requests.
@Dr4s1l You can do as many executions as you like; faraday-dispatcher works in async mode. Each call to the Burp executor receives one NAMED_CONFIGURATION and TARGET_URL.
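An added example, not part of the thread or of the Faraday code base: Python's `json` module keeps only the last value of a repeated key, which matches the `args` shown in the log above (only `audit1` arrives). The helper names are hypothetical, and whether faraday-cli parses stdin with this same module is an assumption.

```python
import json


def effective_args(text):
    """Parse a payload the way Python's json module does (last duplicate wins)."""
    return json.loads(text)


def find_duplicate_keys(text):
    """Return the keys that occur more than once inside any JSON object in text."""
    dupes = []

    def hook(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen and key not in dupes:
                dupes.append(key)
            seen.add(key)
        return dict(pairs)  # same last-value-wins result as a plain json.loads

    json.loads(text, object_pairs_hook=hook)
    return dupes


def payloads_for(url, configs):
    """Build one executor payload per named configuration (one config per call)."""
    return [json.dumps({"NAMED_CONFIGURATION": c, "TARGET_URL": url}) for c in configs]


# Constructed sample: the payload shape from the shell loop above.
SAMPLE = ('{"NAMED_CONFIGURATION":"crawl1","NAMED_CONFIGURATION":"audit1",'
          '"TARGET_URL": "http://example.com"}')

if __name__ == "__main__":
    print("parsed args:   ", effective_args(SAMPLE))
    print("duplicate keys:", find_duplicate_keys(SAMPLE))
    # Each line printed here can be piped to a separate executor run.
    for payload in payloads_for("http://example.com", ["crawl1", "audit1"]):
        print(payload)
```
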
Would it be possible to add a parameter to add multiple named config? Plus can you provide a way to use burp without api key? I think the error on burp executor is related to this. Have patch code to allow more threads as the executor is very slow.
Looks like this executor does not work, no more information could be supplied as the exit code 1 is returned by BurpSuite.
Making requests by hand works far better. How do I create a new vulnerability using faraday-cli?
OK, I just realized that configurations can be a list. I will raise this issue. But related to the threads, you don't need it. You can call as many executions as you want; they will run in parallel.
Can you run the dispatcher with --debug to try to find the error?
Is debug mode also available with faraday-cli?
while read url;do echo '{"NAMED_CONFIGURATION":"audit1","TARGET_URL": "'"$url"'"}' | faraday-cli agent run -a 1 -e Init --stdin;done <delta_tango.txt
This works well:
while read url; do http --timeout=2400 --verbose --ignore-stdin POST http://127.0.0.1:1337/v0.1/scan scan_configuration:='{"name":"audit1","type":"NamedConfiguration"}' urls:='["'"$url"'"]';done<delta_tango.txt
No, in the dispatcher.
The CLI is only the one that triggers it, but you have to put the dispatcher in debug:
faraday-dispatcher run --debug
OK, that was related to a remaining occurrence of BURP_KEY while patching. This check looks like it is not working:
if not BURP_API_KEY:
    log("BURP_API_KEY not provided")
    sys.exit(1)
I'm removing all occurrences of the API key as they are not needed by me.
2021-09-07 15:32:22,804 - faraday_agent_dispatcher - INFO {MainThread} [dispatcher.py:256 - run_once()] Parsing data: {"execution_id": 231, "agent_id": 2, "workspace": "seed", "action": "RUN", "executor": "Burp", "args": {"NAMED_CONFIGURATION": "audit1", "TARGET_URL": "http://example.com"}}
2021-09-07 15:32:22,804 - faraday_agent_dispatcher - INFO {MainThread} [metadata_utils.py:59 - check_commands()] Dependency check ended. Ready to go
2021-09-07 15:32:22,804 - faraday_agent_dispatcher - INFO {MainThread} [dispatcher.py:415 - run_once()] Running Burp executor
2021-09-07 15:32:22,922 - faraday_agent_dispatcher - DEBUG {MainThread} [executor_helper.py:171 - log()] Error line: 2021-09-07 13:32:22.922315 - BURP: API gets no response. Status code: 404
Don't know why I'm getting a 404 here; a manual task returns an OK result:
{
  "task_id": "841",
  "scan_status": "crawling",
  "scan_metrics": {
    "crawl_requests_made": 0,
    "crawl_network_errors": 0,
    "crawl_unique_locations_visited": 0,
    "crawl_requests_queued": 0,
    "audit_queue_items_completed": 0,
    "audit_queue_items_waiting": 0,
    "audit_requests_made": 0,
    "audit_network_errors": 0,
    "issue_events": 0,
    "crawl_and_audit_caption": "Unauthenticated crawl. Estimating time remaining...",
    "crawl_and_audit_progress": 0
  },
  "message": "",
  "issue_events": []
}
Is there any way to use the executor to fetch already existing issues from a scan? Don't want to provide only 1 target at a time and prefer to feed targets from the CLI. So I have succeeded in creating a new scan; is the dispatcher able to fetch results? Burp plugin here