Skip to content

Burp Executor

This integration with Burp Suite scans into the Faraday Agent Dispatcher framework. It automates the process of launching scans, monitoring their status, retrieving results, and parsing them for further processing.

Overview

  • Purpose:
    Automate Burp Suite scans and process their results for use in Faraday.
  • Usage:
    The executor is intended to be run as part of the Faraday Agent Dispatcher, but can also be executed standalone if the required environment variables are set.

Environment Variables

Relies on the following environment variables: 

- `BURP_HOST`: URL of the Burp API endpoint (e.g., `http://localhost:1337`).
- `BURP_API_KEY`: API key for authenticating with Burp.
- `EXECUTOR_CONFIG_TARGET_URL`: JSON array of target URLs to scan.
- `EXECUTOR_CONFIG_NAMED_CONFIGURATION`: (Optional) Named configuration for the scan.
- `BURP_API_PULL_INTERVAL`: (Optional) Interval (in seconds) between scan status checks. Default: 30.
- `AGENT_CONFIG_IGNORE_INFO`: (Optional) Ignore informational findings. Default: `False`.
- `AGENT_CONFIG_RESOLVE_HOSTNAME`: (Optional) Resolve hostnames. Default: `True`.
- `AGENT_CONFIG_VULN_TAG`, `AGENT_CONFIG_SERVICE_TAG`, `AGENT_CONFIG_HOSTNAME_TAG`: (Optional) Comma-separated tags for vulnerabilities, services, and hosts.

Main Steps

  1. Configuration Burp:

Setting up REST API

  • Active / Running service
  • Create new API Key (Copy)
  • Set Service URL

  1. Configuration Faraday-Agent:
    Faraday Agents

    • BURP_HOST (Burp Service URL)
    • BURP_API_KEY (Burp Api Key)

  2. Target Preparation:
    Parses the list of target URLs and prepares the scan scope.

    • In UI add target or target list.

  3. Scan Launch:
    Initiates a scan using the Burp API with the specified configuration and scope.

  4. Scan Monitoring:
    Periodically checks the scan status until completion.

  5. Result Processing:

  6. Retrieves scan issues from Burp.
  7. Generates an XML report.
  8. Parses the report using the Faraday Burp plugin.
  9. Outputs the results in JSON format.
export BURP_HOST="http://localhost:1337"
export BURP_API_KEY="your-api-key"
export EXECUTOR_CONFIG_TARGET_URL='["http://example.com"]'
python burp.py

Dependencies

  • Python 3.x
  • requests
  • faraday_plugins (specifically the Burp plugin)