Following my last blog on Automating OWASP ZAP with Jenkins, here's a step-by-step guide to integrating Burp with Jenkins. I've kept it very simple, so if some of the steps seem like a no-brainer to you, skip them and move along to the subsequent steps.


There are two possible ways to integrate Burp with Jenkins: through a Burp extender (Carbonator), or through the Burp REST API driven by Robot Framework.

I will show you both ways. The first section explains installing and configuring Burp with Jenkins using Burp Extender. The second section explains installing and configuring Burp with Jenkins using the Burp REST API (Robot Framework).

Note: Words in italicised orange refer to the actual labels displayed in Jenkins.

We will be using a Linux distribution (OS: Ubuntu 16.04), Jython 2.7.x and Python 2.7.x. If you are using a Windows operating system, please refer to the official documentation for installing the packages.

Let's get started!

BURP EXTENDER:

Burp Extender lets us extend the functionality of Burp Suite in numerous ways for security automation. There are many extenders, but for automation there is only one, called Carbonator. It is available in the BApp Store.

This extension provides a command-line interface to automate the process of configuring target scope, spidering and scanning. It will then perform the following actions:

Here are the prerequisites required to run Carbonator:

(The following step-by-step guide will include installing the prerequisites, so don’t worry about it right now. If you already have it, skip the respective step).

STEP 1: Before linking Burp with Jenkins using the extender, you have to install the prerequisite tools and packages, either on the Jenkins master machine or on a slave machine, depending on your requirement. In this blog, we will be using the Jenkins master setup.

Note: Burp Suite should already be deployed and configured with a license key on the master machine.

STEP 2: To install Jython on the Jenkins master machine, execute the following command in the terminal:

wget http://central.maven.org/maven2/org/python/jython-installer/2.7.0/jython-installer-2.7.0.jar && sudo java -jar jython-installer-2.7.0.jar -s -t standard -d /usr/local/jython-2.7.0 && sudo ln -s /usr/local/jython-2.7.0/jython /usr/local/bin/

STEP 3: Download the Carbonator package: you can download it from this GitHub link, or use the following terminal commands.

git clone https://github.com/Umar-Farook-we45/carbonator.git && cd carbonator

STEP 4: Edit the Burp default user options config file (i.e. user.json) that's inside the carbonator folder. You can do so easily by searching for the following keys and replacing their values with the required information.

"extension_file": "<path to the carbonator.py file>"

"location_of_jython_standalone_jar_file": "/usr/local/jython-2.7.0/jython.jar"

STEP 5: Save the changes made in the user.json file and run the following command in the terminal to check whether Carbonator is working fine with Burp Suite.

java -jar -Xmx2g -Djava.awt.headless=true <path to burp suite jar file> {scheme} {fqdn} {port} {path} --user-config-file=<path to user options config file (i.e. user.json)>

For example:

java -jar -Xmx2g -Djava.awt.headless=true burpsuite_pro.jar http testphp.vulnweb.com 80 / --user-config-file=user.json

Note: By default, Carbonator automatically generates HTML and XML reports using the file name format below. You can modify the report name at any time in the carbonator.py file.

IntegrisSecurity_Carbonator_{scheme}_{fqdn}_{port}.html

Example: IntegrisSecurity_Carbonator_http_testphp.vulnweb.com_80


STEP 6: Log in to the Jenkins server, click New Item and create a new job as a Freestyle Project. Click OK.


Note: It doesn't need to be a Freestyle project. You can use any project type in Jenkins, such as Pipeline or Multi Pipeline Project, depending on your requirement, but make sure that it supports executing shell commands.


STEP 7:
Click Save without making any configuration changes to the job.



STEP 8:
Now, click Build Now to create a workspace on the master machine.



STEP 9: Go to the Burp project's Configure page. In my case, it is under the Vulnweb project. Click Configure.


STEP 10:
Select the Build tab under the project configuration | Click Add build step | Select Execute Shell



STEP 11:
Provide the following commands in the command input field under the Execute Shell section (they run on the master machine). They will be executed when the job builds.

#!/bin/sh
# BurpSuite automation (Acunetix Vulnweb)
java -jar -Xmx2g -Djava.awt.headless=true <path to burpsuite_pro.jar> http testphp.vulnweb.com 80 / --user-config-file=user.json
echo "Result Pushed Successfully"
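As an added example (not part of the original post or of the Carbonator project), here is a fuller version of that Execute Shell step: it runs the same headless Carbonator command, checks that the report Carbonator writes by default actually exists, and fails the build when the XML report lists more High-severity issues than a threshold allows. The BURP_JAR and USER_CONFIG paths, the MAX_HIGH threshold, the RUN_SCAN switch and the sample XML are assumptions; the `<severity>` element is the one Burp's XML report uses for each issue.

```shell
#!/bin/sh
# Added example for the Jenkins "Execute Shell" step: run Carbonator, verify the
# report exists, then gate the build on the High-severity count in the XML report.
# BURP_JAR, USER_CONFIG and MAX_HIGH are assumptions; override them as job parameters.
set -eu

SCHEME="${SCHEME:-http}"
FQDN="${FQDN:-testphp.vulnweb.com}"
PORT="${PORT:-80}"
URL_PATH="${URL_PATH:-/}"
BURP_JAR="${BURP_JAR:-burpsuite_pro.jar}"     # assumed path to the Burp Pro jar
USER_CONFIG="${USER_CONFIG:-user.json}"       # the user options file from Step 4
MAX_HIGH="${MAX_HIGH:-0}"                     # assumed: any High issue fails the build

# Report basename Carbonator writes by default (Step 5 note); the .html and
# .xml reports share this name.
carbonator_report_base() {
    printf 'IntegrisSecurity_Carbonator_%s_%s_%s' "$1" "$2" "$3"
}

# Count <severity>LEVEL</severity> entries (High, Medium, Low, Information)
# in a Burp XML report; prints 0 when there are none.
count_severity() {
    grep -o "<severity>$2</severity>" "$1" | grep -c . || true
}

# Succeed only when the High count is within the allowed maximum.
gate_report() {
    high=$(count_severity "$1" High)
    echo "High severity issues in $1: $high (max allowed: $2)"
    [ "$high" -le "$2" ]
}

# The headless Carbonator invocation from Step 5, with the scan target
# taken from the variables above.
run_scan() {
    java -jar -Xmx2g -Djava.awt.headless=true "$BURP_JAR" \
        "$SCHEME" "$FQDN" "$PORT" "$URL_PATH" --user-config-file="$USER_CONFIG"
}

# Full build step: scan, check the report was produced, then gate.
scan_and_gate() {
    base=$(carbonator_report_base "$SCHEME" "$FQDN" "$PORT")
    run_scan
    [ -f "$base.xml" ] || { echo "Carbonator report $base.xml not found" >&2; return 1; }
    gate_report "$base.xml" "$MAX_HIGH"
    echo "Result Pushed Successfully"
}

# In the Jenkins job set RUN_SCAN=1; without it the script only demonstrates
# the gate on a constructed sample report (no Burp needed).
if [ "${RUN_SCAN:-0}" = "1" ]; then
    scan_and_gate
else
    SAMPLE=$(mktemp)
    cat > "$SAMPLE" <<'EOF'
<issues burpVersion="constructed-sample">
  <issue><name>Sample finding A</name><severity>High</severity></issue>
  <issue><name>Sample finding B</name><severity>Medium</severity></issue>
</issues>
EOF
    if gate_report "$SAMPLE" "$MAX_HIGH"; then
        echo "Sample report passes the gate"
    else
        echo "Sample report would fail the build"
    fi
    rm -f "$SAMPLE"
fi
```

Because the gate returns a non-zero status, Jenkins marks the build failed when the threshold is exceeded while the HTML and XML reports are still archived by the post-build actions, so the findings remain visible on the job dashboard.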



STEP 12:
Under Post-build Actions:

12.1: Click Add Post-Build Action and select Archive the artifacts. In the input field under Archive the artifacts, add the following file patterns, separated by commas (you can copy and paste them from below as is):

          *.html,*.xml

12.2: Click Add Post-Build Action and select Publish HTML Reports. Then click Add and enter the directory where the HTML reports are stored. Under the Index page input field, specify the file name in the format used in Step 5:

IntegrisSecurity_Carbonator_{scheme}_{fqdn}_{port}.html

In this blog, we are running the scan against Acunetix Vulnweb, so the report will be generated automatically with this name:

IntegrisSecurity_Carbonator_http_testphp.vulnweb.com_80



STEP 13:
Click Save and then Build Now. Once the build is complete, you can view the HTML report on the job dashboard and the other archived files in the workspace.


That covers the first approach. You can take a break before trying out the next approach.

Burp Rest API with Robot Framework:

Robot Framework is a generic test automation framework for acceptance testing and acceptance test-driven development (ATDD). It has an easy-to-use tabular test data syntax and uses the keyword-driven testing approach. Its testing capabilities can be extended by test libraries implemented in either Python or Java. Users can also create new higher-level keywords from existing ones, using the same syntax used for creating test cases.

Prerequisites to automate Burp using Rest API with Robot Framework:

(The following step-by-step guide will include installing the prerequisites, so don’t worry about it right now. If you already have it, skip the respective step)

STEP 1: To begin with, you need to install the prerequisite tools and Python packages, either on the Jenkins master machine or on a slave machine. In this blog, we will use the Jenkins master setup.

Note: Burp Suite should already be deployed and configured with a license key on the master machine.

STEP 2: Clone or download the Burp REST API package (VMware) from here, or use the following commands in your terminal.

git clone https://github.com/vmware/burp-rest-api
cd burp-rest-api


STEP 3: Follow the instructions in the README file and generate the burp-rest-api jar file using the Gradle build tool.

STEP 4: Run and configure the burp-rest-api jar with the license key for the first-time initialization.

STEP 5: Once you have configured it with the license key, check whether you can access the Burp REST API Swagger UI at the address below.

http://localhost:8090/swagger-ui.html

STEP 6: Check that the Burp REST API endpoints are working, and then stop the burp-rest-api service.

STEP 7: So far, we've created the necessary burp-rest-api jar file. The next step is to install the packages needed to run Robot Framework.

To install Python and pip, execute the following commands in your terminal.

sudo apt-get update
sudo apt-get install python
sudo apt-get install python-pip

STEP 8: To install Robot Framework using pip, execute the following command in the terminal.

sudo python -m pip install robotframework==3.0.2

STEP 9: Now you need the Robot2Burp package. Run the following commands in your terminal to install it.

git clone https://github.com/we45/Robosec.git
cd Robosec/Robot2Burp
sudo  python setup.py install
cd robot2burp

Robot2Burp package contains:

├── Burp_api.py – Burp Rest Api (Python library)

├── reports  – Reports Folder

└── robot2burp.robot – Sample Robot Test Cases

STEP 10: Now we have all the necessary packages and tools. Next, link them with the Robot scripts. Edit the robot2burp.robot file that's inside the Robot2Burp folder, then supply the following values under the Variables section so it can run the burp-rest-api service.

${BURP_API_JAR_FILE}
${SCOPE_URL}
${REPORT_NAME}

Example:

${BURP_API_JAR_FILE}    ./burp-rest-api-1.0.0.jar
${SCOPE_URL}            http://blablabla.com
${REPORT_NAME}          burp_automation_demo

STEP 11: At this point, you may still be a little in the dark, so let me explain what this .robot file does. So far, we've installed the necessary packages and linked and configured them so that they can automate certain tasks. The .robot file contains all the tasks you want to automate, and it can be modified based on your requirements.

STEP 12: Once you have entered the required information in the robot2burp.robot file, execute the following command.

pybot -d reports/ <path to robot2burp.robot>

Note: The pybot tool comes with the Robot Framework package. You need to name the reports folder "reports".

STEP 13: Once the Robot test is complete, you will see the Burp automation execution report along with the Burp scan reports in the reports directory.

STEP 14: Next, create the jobs in your Jenkins pipeline for automating Burp. This is the same as Steps 6 to 10 under the Burp Extender approach. Please refer to those steps, then come back to Step 15.


STEP 15:
Following Steps 6-10 from the Burp Extender approach, you should have created the necessary jobs in the Jenkins pipeline. Next, give the commands to run the automation as part of the build. Use the following shell script.

#!/bin/sh
#Burp Suite Automation With Robot Framework
pybot -d reports/ <<the location of your robot2burp.robot file>>
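As an added example (not part of the original post or of the Robosec project), here is a build step that passes the three variables from Step 10 on the pybot command line using Robot Framework's `--variable NAME:VALUE` option, which overrides the Variables section of the .robot file, so a Jenkins job can be parametrised per target without editing robot2burp.robot. It also rejects a scope URL without an http or https scheme before launching, and checks after the run that Robot's output.xml and the Burp report named after ${REPORT_NAME} were written. The ROBOT_FILE checkout path and the RUN_ROBOT switch are assumptions.

```shell
#!/bin/sh
# Added example for the Robot Framework build step: pass the robot2burp.robot
# variables on the pybot command line (Robot's --variable NAME:VALUE overrides
# the *** Variables *** section), validate the scope URL first, and verify the
# expected reports after the run. File locations are assumptions.
set -eu

ROBOT_FILE="${ROBOT_FILE:-Robosec/Robot2Burp/robot2burp/robot2burp.robot}"  # assumed checkout path
BURP_API_JAR_FILE="${BURP_API_JAR_FILE:-./burp-rest-api-1.0.0.jar}"
SCOPE_URL="${SCOPE_URL:-http://testphp.vulnweb.com}"
REPORT_NAME="${REPORT_NAME:-burp_automation_demo}"
REPORT_DIR="reports"   # must literally be "reports" (Step 12 note)

# Burp scope entries need an absolute http(s) URL; reject anything else so a
# mistyped job parameter fails fast instead of producing an empty scan.
valid_scope_url() {
    case "$1" in
        http://?*|https://?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Robot writes output.xml/log.html/report.html to the -d directory; the Burp
# scan report is named after ${REPORT_NAME}. Succeed only when both exist.
reports_present() {
    [ -f "$1/output.xml" ] && [ -f "$1/$2.html" ]
}

run_robot_scan() {
    valid_scope_url "$SCOPE_URL" || {
        echo "SCOPE_URL must be an absolute http:// or https:// URL: $SCOPE_URL" >&2
        return 2
    }
    mkdir -p "$REPORT_DIR"
    # pybot exits non-zero when any Robot test fails, which fails the build
    pybot -d "$REPORT_DIR/" \
        --variable "BURP_API_JAR_FILE:$BURP_API_JAR_FILE" \
        --variable "SCOPE_URL:$SCOPE_URL" \
        --variable "REPORT_NAME:$REPORT_NAME" \
        "$ROBOT_FILE"
    reports_present "$REPORT_DIR" "$REPORT_NAME" || {
        echo "Expected $REPORT_DIR/output.xml and $REPORT_DIR/$REPORT_NAME.html after the run" >&2
        return 1
    }
    echo "Result Pushed Successfully"
}

# In the Jenkins job set RUN_ROBOT=1; otherwise only the URL check is exercised.
if [ "${RUN_ROBOT:-0}" = "1" ]; then
    run_robot_scan
else
    if valid_scope_url "$SCOPE_URL"; then
        echo "Scope URL accepted: $SCOPE_URL"
    else
        echo "Scope URL rejected: $SCOPE_URL"
    fi
fi
```

With this in place, the Jenkins job can expose SCOPE_URL and REPORT_NAME as build parameters, and the 16.2 Publish HTML Reports index page stays ${REPORT_NAME}.html exactly as described below.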


STEP 16: It's almost done! Just follow the last three steps. Under Post-build Actions:

16.1: Click Add Post-Build Action and select Archive the artifacts. In the input field under Archive the artifacts, add the following file patterns, separated by commas (you can copy and paste them from below as is):

reports/*.html,reports/*.xml

16.2: Click Add Post-Build Action and select Publish HTML Reports. Then click Add and enter the directory where the HTML reports are stored. Under the Index page input field, specify the file name given in robot2burp.robot under the Variables section, i.e. ${REPORT_NAME}. In this case, the index page would be burp_automation_demo.html.



STEP 17: Click Save and then Build Now. Once the build is complete, you can view the HTML report on the job dashboard and the other archived files in the workspace.


There! Now you know how to automate Burp in your Jenkins CI. Go ahead with your rain dance now!

 
