Automating web application scanning with Burp Suite

Burp Suite Professional exposes additional functionality to pen-testers through its REST API. With the help of this API, a tester can start a scan programmatically and integrate the findings with other tools.

Burp Suite currently offers API support only in its licensed version (Burp Suite Professional). This is one of the utilities that every cyber security professional should have, and I would recommend getting the licensed version of Burp Suite in order to get the most out of this chapter.

Start Burp Suite and configure the API as follows:

Then, start the API and configure the API key as shown here:

The key would be copied to the clipboard when we click on the button. We can use it as follows:

We can see that the API is listening on port 1337. The API key is embedded as a path segment of every endpoint URL, so each request must carry it. The API exposes three endpoints: one to get issue definitions, one to start a scan, and one to get the status of a running scan.

Let's see the parameters that are expected for us to start a new scan to test the Damn Vulnerable Web Application.

The application can be installed from the following URLs:

Once installed and set up, we can use the following curl command in order to start an active scan with Burp on the website:

curl -vgw "\n" -X POST 'http://127.0.0.1:1337/<API KEY>/v0.1/scan' -d '{"application_logins":[{"password":"password","username":"admin"}],"name":"My first project","scan_configurations":[{"name":"Crawl strategy - fastest","type":"NamedConfiguration"}],"scope":{"exclude":[{"rule":"http://192.168.250.1/dvwa/logout.php","type":"SimpleScopeDef"}],"include":[{"rule":"http://192.168.250.1/dvwa","type":"SimpleScopeDef"}]},"urls":["http://192.168.250.1/dvwa/login.php"]}'

A more generic request, which omits the named configuration and therefore runs Burp's default, more exhaustive crawl and audit, looks as follows:

curl -vgw "\n" -X POST 'http://127.0.0.1:1337/<API KEY>/v0.1/scan' -d '{"application_logins":[{"password":"password","username":"admin"}],"scope":{"exclude":[{"rule":"http://192.168.250.1/dvwa/logout.php","type":"SimpleScopeDef"}],"include":[{"rule":"http://192.168.250.1/dvwa/","type":"SimpleScopeDef"}]},"urls":["http://192.168.250.1/dvwa/"]}'

The preceding request can be sent either from the Terminal on Ubuntu or from the web interface that the Burp API provides for generating requests. Note that, when the request is invoked in the manner shown, it does not return any findings in the response body; instead it creates a new scan and assigns it a task ID.

This can be seen at the Burp Suite console as shown here:

In the previous screenshot, we can see that a new task with ID 9 has been created and is scanning our Damn Vulnerable Web Application, which is hosted locally. When the screenshot was captured, the task had identified four high, ten medium, and three low issues. In the following section, we will see how to make the scanner report the status of the scan continuously. To do so, we need to set up a callback URL; in other words, we need a listening port to which the scanner will keep sending results. We specify it as follows:

curl -vgw "\n" -X POST 'http://127.0.0.1:1337/Sm2fbfwrTQVqwH3VERLKIuXkiVbAwJgm/v0.1/scan' -d '{"application_logins":[{"password":"password","username":"admin"}],"scan_callback":{"url":"http://127.0.0.1:8000"},"scope":{"exclude":[{"rule":"http://192.168.250.1/dvwa/logout.php","type":"SimpleScopeDef"}],"include":[{"rule":"http://192.168.250.1/dvwa/","type":"SimpleScopeDef"}]},"urls":["http://192.168.250.1/dvwa/"]}'

The status of the scan and all the findings will be sent back to the address indicated:

Now that we understand how to automate a scan with the Burp Suite API, let's write a Python script to do this. The script will invoke the scan and, at the same time, listen for callback requests and parse the responses to display all the high, medium, and low issues.
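The following script is an added example, not the chapter's own code, that implements exactly the flow described above with only the standard library: it builds the same JSON body the curl commands send, POSTs it to the scan endpoint with the API key as a path segment, and runs a small HTTP listener on port 8000 that counts high, medium and low issues in each callback. Two things are assumptions rather than facts from this page: that the API answers the POST with a Location header of the form /v0.1/scan/<task id>, and that callback bodies carry a scan_status field and an issue_events list whose entries hold an issue with a severity; the sample callback payload and the target addresses are constructed to mirror the chapter's commands, and the API key is a placeholder.

```python
"""Added example (not from the chapter): drive the Burp Suite Professional REST API
from Python and summarise the findings Burp pushes to a callback URL."""
import json
import urllib.request
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed values mirroring the chapter's curl command; replace them for a real run.
BURP_API = "http://127.0.0.1:1337"       # port the API listens on in the chapter
API_KEY = "<API KEY>"                    # placeholder, as in the chapter's commands
CALLBACK_URL = "http://127.0.0.1:8000"   # the listener started at the bottom of this script
TARGET = "http://192.168.250.1/dvwa/"
LOGOUT = "http://192.168.250.1/dvwa/logout.php"
SEVERITIES = ("high", "medium", "low")


def build_scan_request(target, exclude, callback_url, username="admin", password="password"):
    """Build the JSON body the chapter sends with curl: logins, callback, scope and seed URL."""
    return {
        "application_logins": [{"username": username, "password": password}],
        "scan_callback": {"url": callback_url},
        "scope": {
            "include": [{"rule": target, "type": "SimpleScopeDef"}],
            "exclude": [{"rule": exclude, "type": "SimpleScopeDef"}],
        },
        "urls": [target],
    }


def task_id_from_location(location):
    """'/v0.1/scan/9' -> '9'; returns '' when no Location header was present."""
    return location.rstrip("/").rsplit("/", 1)[-1] if location else ""


def start_scan(api_base, api_key, body):
    """POST the scan definition (API key as a path segment, as in the chapter) and return
    the task ID. Assumption: the API replies with a Location header '/v0.1/scan/<id>'."""
    req = urllib.request.Request(
        f"{api_base}/{api_key}/v0.1/scan",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return task_id_from_location(resp.headers.get("Location", ""))


def summarize_callback(payload):
    """Count high/medium/low issues in one callback body.
    Assumed layout: {"scan_status": ..., "issue_events": [{"issue": {"severity": ...}}]}."""
    counts = Counter()
    for event in payload.get("issue_events", []):
        severity = event.get("issue", {}).get("severity", "").lower()
        if severity in SEVERITIES:          # informational findings are not tallied
            counts[severity] += 1
    return {"status": payload.get("scan_status", "unknown"),
            **{s: counts[s] for s in SEVERITIES}}


# Constructed sample of a callback body (not captured from Burp), used to exercise the parser.
SAMPLE_CALLBACK = {
    "task_id": "9",
    "scan_status": "auditing",
    "issue_events": [
        {"type": "issue_found", "issue": {"name": "Cross-site scripting (reflected)", "severity": "high"}},
        {"type": "issue_found", "issue": {"name": "SQL injection", "severity": "high"}},
        {"type": "issue_found", "issue": {"name": "Cleartext submission of password", "severity": "medium"}},
        {"type": "issue_found", "issue": {"name": "Cookie without HttpOnly flag set", "severity": "low"}},
        {"type": "issue_found", "issue": {"name": "Robots.txt file", "severity": "info"}},
    ],
}


class CallbackHandler(BaseHTTPRequestHandler):
    """Receives Burp's progress POSTs on the callback URL and prints a per-severity summary."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        payload = json.loads(self.rfile.read(length) or b"{}")
        s = summarize_callback(payload)
        print(f"[{s['status']}] high={s['high']} medium={s['medium']} low={s['low']}")
        self.send_response(200)
        self.end_headers()


if __name__ == "__main__":
    body = build_scan_request(TARGET, LOGOUT, CALLBACK_URL)
    print("started task", start_scan(BURP_API, API_KEY, body))
    # Keep serving: Burp posts to the callback URL repeatedly until the scan finishes.
    HTTPServer(("127.0.0.1", 8000), CallbackHandler).serve_forever()
```

Run it on the machine where Burp is listening, after replacing the placeholder key with the one copied from the API settings; the summary lines printed by the handler correspond to the high, medium and low counters shown on the Burp dashboard for the task.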
