Open

You will learn

How to setup and run a Burp Scan Agent.

Prerequisites

Audience: IT Professional
Difficulty: Intermediate
Time needed: Approximately 10 minutes
Tools required: N/A

Running Burp Scan Agent

1. Download Scan Agent from ThreadFix Download Tools page.
   
   

   Open

   

    

2. Save the scanagent.jar file in the desired working directory.
   
   

3. From the command line, navigate to the working directory and run the command java -jar scanagent.jar -s to begin set up. There will be three necessary pieces of information to supply.

   1. Input the ThreadFix base URL

      C:\Users\user\ScanAgent>java -jar scanagent.jar -s Starting configuration dialog. Attempting to load ESAPI.properties via file I/O. Attempting to load ESAPI.properties as resource file via file I/O. Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\Users\user\ScanAgent\ESAPI.properties Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties Not found in 'user.home' (C:\Users\user) directory: C:\Users\user\esapi\ESAPI.properties Loading ESAPI.properties via file I/O failed. Exception was: java.io.FileNotFoundException Attempting to load ESAPI.properties via the classpath. SUCCESSFULLY LOADED ESAPI.properties via the CLASSPATH from '/ (root)' using current thread context class loader! Attempting to load validation.properties via file I/O. Attempting to load validation.properties as resource file via file I/O. Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\Users\user\ScanAgent\validation.properties Not found in SystemResource Directory/resourceDirectory: .esapi\validation.properties Not found in 'user.home' (C:\Users\user) directory: C:\Users\user\esapi\validation.properties Loading validation.properties via file I/O failed. Attempting to load validation.properties via the classpath. validation.properties could not be loaded by any means. fail. Exception was: java.lang.IllegalArgumentException: Failed to load ESAPI.properties as a classloader resource. OFF [main] SecurityProviderLoader.log(434) | [/ExampleApplication/SecurityProviderLoader] No Encryptor.PreferredJCEProvider specified. Input ThreadFix base URL (should end in /rest, leave empty to keep http://localhost:8080/threadfix/rest/latest):

   2. Input the API Key

      Input ThreadFix API key (leave empty to keep {apiKey})

   3. Input the Working Directory. This is where the jar should be located and where the XML files will be saved to.

      Input working directory (for file storage, leave empty to keep C:\Users\user\ScanAgent):

      
      If performed successfully, the following message will display:

       

4. Run the command java -jar scanagent.jar -cs burp. Two pieces of information will need to be supplied.

   1. Input the file path for Burp Suite

   2. Input the Burp Suite version

      
      If performed successfully, the following message will display:

       

5. Run the command java -jar scanagent.jar -r. This will start the Scan Agent. It will begin processing tasks that have been queued or wait until it receives its first task.
   
   

    

6. Add a new Scan Agent Task.
   
   

    

7. The Target URL will be the URL of the site you wish to have Burp scan. The Scan Config file is the .burp project file saved from Burp Suite.
   
   

8. After this has completed, a burp_scan_result.xml file will be in the working directory. This will be the results that were automatically uploaded to ThreadFix after the Scan Agent completed its task.

Additional Resources

• Introducing Burp Projects

• Launching Burp Suite from the command line

Table of Contents