Team we45
May 23, 2018

Automating Burp With Jenkins

Following my last blog on Automating OWASP ZAP with Jenkins, here's a step-by-step guide to integrate Burp with Jenkins. I've kept it very simple, so if some of the steps seem like a no-brainer to you, please ignore them and move along to the subsequent steps. There are two possible ways to integrate Burp with Jenkins:

  • Burp Extender
  • Burp Rest API with Robot Framework

I will show you both ways. The first section explains installing and configuring Burp with Jenkins using Burp Extender. The second section explains installing and configuring Burp with Jenkins using the Burp REST API (Robot Framework).

Note: Words in italicised orange refer to the actual words displayed on Jenkins.

We will be using a Linux distribution (OS: Ubuntu 16.04), Jython 2.7.x and Python 2.7.x. If you are using a Windows operating system, please refer to the official documentation for installing the packages. Let's get started!

BURP EXTENDER:

Burp Extender lets us extend the functionality of Burp Suite in numerous ways for security automation. There are many extensions, but for this kind of end-to-end automation there is only one, called Carbonator, which is available in the BApp Store. This extension provides a command-line interface to automate the process of configuring target scope, spidering and scanning. It performs the following actions:

  • Add the specified target to Burp's target scope, if needed.
  • Spider the target.
  • Actively scan the target.
  • Generate a scan report in HTML format.
  • Shut down Burp.
  • Support headless mode

Here are the prerequisites required to run Carbonator:

  • Windows/Linux OS
  • Jython 2.7.x
  • Carbonator python packages
  • Burp Suite Pro with license installed
  • Burp user options file

(The following step-by-step guide includes installing the prerequisites, so don't worry about them right now. If you already have them, skip the respective step.)

STEP 1: Before linking Burp with Jenkins using the extender, you have to install the prerequisite tools and packages, either on the Jenkins master machine or on a slave machine, depending on your requirement. In this blog, we will be using a Jenkins master setup.

Note: Burp Suite should already be deployed and configured with a license key on the master machine.

STEP 2: To install Jython on the Jenkins master machine, execute the following command in the terminal:

wget http://central.maven.org/maven2/org/python/jython-installer/2.7.0/jython-installer-2.7.0.jar && sudo java -jar jython-installer-2.7.0.jar -s -t standard -d /usr/local/jython-2.7.0 && sudo ln -s /usr/local/jython-2.7.0/jython /usr/local/bin/

STEP 3: Download the Carbonator package: you can download it from this GitHub link, or use the following terminal commands.

git clone https://github.com/Umar-Farook-we45/carbonator.git && cd carbonator

STEP 4: Edit the Burp default user options config file (i.e. user.json) that's inside the carbonator folder. You can do so easily by searching for the following keys and replacing their values with the required information:

"extension_file": "<path to the carbonator.py file>"

"location_of_jython_standalone_jar_file":"/usr/local/jython-2.7.0/jython.jar"

STEP 5: Save the changes made in the user.json file and run the following command in the terminal to check whether Carbonator is working fine with Burp Suite:

java -jar -Xmx2g  -Djava.awt.headless=true <path to burp suite Jar file>  {scheme} {fqdn} {port} {path} --user-config-file=<path to user option config file (i.e user.json)>

For example:

java -jar -Xmx2g -Djava.awt.headless=true  burpsuite_pro.jar  http testphp.vulnweb.com 80 / --user-config-file=user.json

Note: By default, Carbonator automatically generates the report in both HTML and XML formats, using the file name format shown below. You can change the report name at any time in the carbonator.py file.

IntegrisSecurity_Carbonator_{scheme}_{fqdn}_{port}.html

Example: IntegrisSecurity_Carbonator_http_testphp.vulnweb.com_80

STEP 6: Log in to the Jenkins server, click New Item and create a new job as a Freestyle project. Click OK.


Note: It doesn't need to be a Freestyle project. You can use any project type, such as a Pipeline or Multibranch Pipeline project, depending on your requirement, but make sure that it supports executing shell commands.

STEP 7: Click Save without making any configuration changes to the job.


STEP 8: Now, click Build Now to create a workspace on the master machine.


STEP 9: Go to the Burp project's Configure page. In my case, it would be under the Vulnweb project. Click Configure.

STEP 10: Select the Build tab under the project configuration | Click Add build step | Select Execute shell


STEP 11: Provide the following commands in the command input field under the Execute shell section on the master machine. They will be executed when the job builds.

#!/bin/sh
# BurpSuite Automation (Acunetix Vulnweb)
java -jar -Xmx2g -Djava.awt.headless=true <path to burpsuite_pro.jar> http testphp.vulnweb.com 80 / --user-config-file=user.json
echo "Result Pushed Successfully"
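As an added example (not part of the original post), here is a hardened version of the same Execute shell step: it derives the Carbonator report name from the scheme, host and port, runs Burp headless, and exits non-zero when no report was written, so Jenkins marks the build failed instead of archiving an empty result. BURP_JAR is an assumed job parameter or environment variable; user.json and the target are the ones used above.

```shell
#!/bin/sh
# Hardened Carbonator build step (added example, not the original post's code).
# Set BURP_JAR (e.g. as a Jenkins string parameter) to the burpsuite_pro.jar path.
set -eu

# Carbonator's default report name: IntegrisSecurity_Carbonator_{scheme}_{fqdn}_{port}.html
carbonator_report_name() {
    printf 'IntegrisSecurity_Carbonator_%s_%s_%s.html\n' "$1" "$2" "$3"
}

# Succeed only if report $2 exists in directory $1 and is non-empty.
report_present() {
    [ -s "$1/$2" ]
}

# Run Burp + Carbonator against one target, then verify the HTML report.
# Usage: run_carbonator <burp_jar> <user.json> <scheme> <fqdn> <port> <path>
run_carbonator() {
    jar=$1; cfg=$2; scheme=$3; fqdn=$4; port=$5; path=$6
    report=$(carbonator_report_name "$scheme" "$fqdn" "$port")
    # Remove any report left by a previous build so a failed scan cannot
    # be mistaken for a successful one.
    rm -f -- "$report" "${report%.html}.xml"
    java -jar -Xmx2g -Djava.awt.headless=true "$jar" \
        "$scheme" "$fqdn" "$port" "$path" --user-config-file="$cfg"
    if report_present . "$report"; then
        echo "Report written: $report"
    else
        echo "ERROR: expected report $report is missing or empty" >&2
        return 1
    fi
}

# Only scan when the job supplies BURP_JAR; otherwise just define the functions.
if [ -n "${BURP_JAR:-}" ]; then
    run_carbonator "$BURP_JAR" user.json http testphp.vulnweb.com 80 /
fi
```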


STEP 12: Under Post-build Actions:

12.1: Click Add Post-Build Action, and select Archive the artifacts. In the input field under Archive the artifacts, add the following file patterns, separated by commas. (You can copy-paste them from below as is.)

*.html,*.xml

12.2: Click Add Post-Build Action, and select Publish HTML Reports. Then click Add, and input the directory where the HTML reports are stored. Under the Index page input field, specify the file name as used in step 5, i.e.

IntegrisSecurity_Carbonator_{scheme}_{fqdn}_{port}.html

In this blog, we are running the scan against Acunetix Vulnweb, so the report will be generated automatically with this name:

IntegrisSecurity_Carbonator_http_testphp.vulnweb.com_80


STEP 13: Click Save and then Build Now. Once the build is completed, you can view the HTML report on the job dashboard and the other archived files in the workspace.


That covers the first approach. You can take a break before trying out the next approach.

Burp Rest API with Robot Framework:

Robot Framework is a generic test automation framework for acceptance testing and acceptance test-driven development (ATDD). It has an easy-to-use tabular test data syntax and uses the keyword-driven testing approach. Its testing capabilities can be extended by test libraries implemented in either Python or Java. Users can also create new higher-level keywords from existing ones, with the same syntax used for creating test cases. Prerequisites to automate Burp using the REST API with Robot Framework:

  • Windows/Linux OS
  • Burp Suite Pro with license installed
  • Burp Suite REST API (VMware)
  • Python 2.x (available in most Linux distributions)
  • Pip
  • Robot Framework
  • Robot2Burp package

(The following step-by-step guide includes installing the prerequisites, so don't worry about them right now. If you already have them, skip the respective step.)

STEP 1: To begin with, you need to install the prerequisite tools and Python packages, either on the Jenkins master machine or on a slave machine. In this blog, we will use a Jenkins master setup.

Note: Burp Suite should already be deployed and configured with a license key on the master machine.

STEP 2: Clone or download the Burp REST API package (VMware) from here, or use the following commands in your terminal.

git clone https://github.com/vmware/burp-rest-api
cd burp-rest-api

STEP 3: Follow the instructions in the readme file and generate the burp-rest-api jar file using the Gradle build tool.

STEP 4: Run and configure the burp-rest-api jar with the license key for the first-time initialisation.

STEP 5: Once you have configured it with the license key, check whether you are able to access the Burp REST API Swagger UI at the address below.

http://localhost:8090/swagger-ui.html

STEP 6: Check that the Burp REST API endpoints are working, and then stop the burp-rest-api service.

STEP 7: So far, we've created the necessary Burp REST API jar file. The next step is to install the packages needed to run Robot Framework. To install Python and pip, execute the following commands in your terminal.

sudo apt-get update
sudo apt-get install python
sudo apt-get install python-pip

STEP 8: To install Robot Framework using pip, execute the following command in the terminal.

sudo python -m pip install robotframework==3.0.2

STEP 9: Now you need the Robot2Burp package. Run the following commands in your terminal to install it.

git clone https://github.com/we45/Robosec.git
cd Robosec/Robot2Burp
sudo python setup.py install
cd robot2burp

The Robot2Burp package contains:

├── Burp_api.py - Burp REST API (Python library)
├── reports - reports folder
└── robot2burp.robot - sample Robot test cases

STEP 10: Now we have all the necessary packages and tools. Next is to link them with the Robot scripts. Edit the robot2burp.robot file that's inside the Robot2Burp folder, and supply the following values under the variables section to run the burp-rest-api service.

${BURP_API_JAR_FILE}
${SCOPE_URL}
${REPORT_NAME}

Example:

${BURP_API_JAR_FILE}    ./burp-rest-api-1.0.0.jar
${SCOPE_URL}            http://blablabla.com
${REPORT_NAME}          burp_automation_demo

STEP 11: At this point, you're probably still a little in the dark. So let me explain what this .robot file does. So far, we've got the necessary packages, then linked and configured them so that they can automate certain tasks. The .robot file includes all the tasks that you want to automate, which can be modified based on your requirement:

  • Start Burp
  • Include scope
  • Check scope
  • Run Spider
  • Run Active scan
  • Get scan status
  • Get issue result
  • Generate report
  • Stop burp

STEP 12: Once you have fed the required information into the robot2burp.robot file, execute the following command.

pybot -d reports/   <path to robot2burp.robot>

Note: The pybot tool comes with the Robot Framework package. You need to name the reports folder "reports".

STEP 13: Once the Robot test is completed, you will see the Burp automation execution report along with the Burp scan reports in the reports directory.

STEP 14: Next is to create the job in Jenkins for automating Burp. It's the same as Steps 6 to 10 under the Burp Extender approach. Please refer to those steps, and then come back to Step 15.

STEP 15: Following Steps 6-10 from the Burp Extender approach, you should have created the necessary job in Jenkins. Next is to give the commands that run the automation as part of the build. Use the following shell script.

#!/bin/sh
# Burp Suite Automation With Robot Framework
pybot -d reports/ <<the location of your robot2burp.robot file>>


STEP 16: It's almost done! Just follow the last three steps. Under Post-build Actions:

16.1: Click Add Post-Build Action, and select Archive the artifacts. In the input field under Archive the artifacts, add the following file patterns, separated by commas. (You can copy-paste them from below as is.)

reports/*.html,reports/*.xml

16.2: Click Add Post-Build Action, and select Publish HTML Reports. Then click Add, and input the directory where the HTML reports are stored. Under the Index page input field, specify the file name as set in robot2burp.robot under the variables section, i.e. ${REPORT_NAME}. In this case, the index page would be burp_automation_demo.html.


STEP 17: Click Save and then Build Now. Once the build is completed, you can view the HTML report on the job dashboard and the other archived files in the workspace.


There! Now you know how to automate Burp in your Jenkins CI. Go ahead with your rain dance now!