Bootstrap Targets in BurpSuite

BurpSuite is, by far, my favorite web application proxy. It has one limitation that I have found a way around, so I figured I would share it with everyone: BurpSuite does not have an easy way to import a list of targets when starting a web application assessment. Obviously, you can browse to each web application using a browser, but this is time-consuming. So we need a better way.

All that is needed is a way to make requests that pass through the proxy, and Perl's LWP::UserAgent can do that. Nmap is always helpful for finding open ports, so we can use it to speed things up as well. Nmap will find all of the web applications, and then we can leverage Perl to populate BurpSuite’s target list.

First, we perform an nmap scan:
sudo nmap -p 80,443 -sS -oX nmap-web.xml -PN

Now, we parse the output of the nmap scan and generate files that contain the web servers running on port 80/tcp and 443/tcp. I have written a Perl script to parse nmap XML files. This script can be found here. Using this script we simply execute:
perl nmap-parse.pl -f nmap-web.xml -p 80 > 80-tcp.txt
perl nmap-parse.pl -f nmap-web.xml -p 443 > 443-tcp.txt

Now, we just need to import each file and perform a request for each web application. The key is that we have BurpSuite listening locally, so that all of the requests will pass through the proxy. The script is called proxycrawl and it will populate the target list because it makes requests through the proxy. It can be found here.
perl proxycrawl.pl -i 80-tcp.txt
perl proxycrawl.pl -i 443-tcp.txt --ssl

After running this script, you should see all of the targets populated in BurpSuite, and you are ready to begin your web application assessment.

Regards,
Jabra
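
The approach described in the post, written out with LWP::UserAgent as an added example (this is not the author's proxycrawl.pl): it reads a host list and sends one GET per host through the proxy listener. The listener address 127.0.0.1:8080, the --proxy and --cacert option names, and the one-host-per-line input format are assumptions.

```perl
#!/usr/bin/perl
# Added example, not the author's proxycrawl.pl. Sends one GET per listed host
# through a local intercepting proxy so each host lands in its target list.
use strict;
use warnings;
use Getopt::Long;
use LWP::UserAgent;    # https URLs also need LWP::Protocol::https installed

# Assumed defaults: proxy listener on 127.0.0.1:8080; --proxy and --cacert
# are option names chosen for this example.
my ($input, $ssl, $cacert);
my $proxy = 'http://127.0.0.1:8080';
my $usage = "usage: $0 -i hosts.txt [--ssl] [--proxy URL] [--cacert proxy-ca.pem]\n";
GetOptions('i=s' => \$input, 'ssl' => \$ssl,
           'proxy=s' => \$proxy, 'cacert=s' => \$cacert) or die $usage;
die $usage unless defined $input;

# max_redirect => 0: record the redirect itself, do not follow it off-scope.
my $ua = LWP::UserAgent->new(timeout => 10, max_redirect => 0);
$ua->proxy(['http', 'https'], $proxy);

# The proxy re-signs TLS with its own CA. Trust that CA when it has been
# exported to a PEM file; otherwise verification has to be switched off.
if (defined $cacert) {
    $ua->ssl_opts(SSL_ca_file => $cacert);
} else {
    $ua->ssl_opts(verify_hostname => 0, SSL_verify_mode => 0);
}

open(my $fh, '<', $input) or die "cannot open $input: $!\n";
while (my $host = <$fh>) {
    $host =~ s/^\s+|\s+$//g;               # also strips CRLF line endings
    next if $host eq '' or $host =~ /^#/;  # skip blanks and comments
    # Assumed input format: one hostname or IP per line, optional :port.
    unless ($host =~ /^[A-Za-z0-9.-]+(?::\d{1,5})?$/) {
        warn "skipping malformed entry: $host\n";
        next;
    }
    my $url = ($ssl ? 'https' : 'http') . "://$host/";
    my $res = $ua->get($url);
    # LWP marks responses it generated itself (proxy down, timeout) with a
    # Client-Warning header; such a request may never have reached the proxy.
    my $internal = ($res->header('Client-Warning') // '') eq 'Internal response';
    printf "%-45s %s%s\n", $url, $res->status_line,
        $internal ? '  [LWP-generated error]' : '';
}
close $fh;
```

If every line is flagged as an LWP-generated error, check that the proxy listener is running on the configured address before assuming the hosts are down.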


5 Responses to Bootstrap Targets in BurpSuite

  1. jcran says:

    another way to handle the second aspect of this (after you have the :80 / :443 targets) is to run a bash script that opens firefox (pre-conf’d for the proxy) for each of the targets:

    for target in `cat 80-tcp.txt`; do firefox $target; done

    good post 🙂

    jcran

    • Jabra says:

      Very true. My only objection is that when you have a large number of web applications and want to find those that are dynamic, then using firefox is a memory killer.

      • jason says:

        agreed, firefox is no good for a large (nor small) number of sites. i’d suggest setting the http_proxy environment variable to your burp proxy and using ‘wget’ instead.

        however, using that method wouldn’t have resulted in a fun perl project, so I think you did the right thing =)

      • Jabra says:

        Yea, Perl is much more fun than wget! Another benefit is that we don’t need to list wget as a tool used during the assessment. hehe.

  2. pentest says:

    And maybe we can additionally use hostmap to find more vhost.
