- Created by Daniel Colon, last modified on Sept 27, 2021
You are viewing an old version of this page. View the current version.
Compare with Current View Page History
« Previous Version 2 Current »
📙 You will learn
How to setup and run a Burp Scan Agent.
Prerequisites
Audience: IT Professional
Difficulty: Intermediate
Time needed: Approximately 10 minutes
Tools required: N/A
Running Burp Scan Agent
Download Scan Agent from ThreadFix Download Tools page.
Save the scanagent.jar file in the desired working directory.
From the command line, navigate to the working directory and run the command
java -jar scanagent.jar -s
to begin set up. There will be three necessary pieces of information to supply.Input the ThreadFix base URL
C:\Users\user\ScanAgent>java -jar scanagent.jar -s Starting configuration dialog. Attempting to load ESAPI.properties via file I/O. Attempting to load ESAPI.properties as resource file via file I/O. Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\Users\user\ScanAgent\ESAPI.properties Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties Not found in 'user.home' (C:\Users\user) directory: C:\Users\user\esapi\ESAPI.properties Loading ESAPI.properties via file I/O failed. Exception was: java.io.FileNotFoundException Attempting to load ESAPI.properties via the classpath. SUCCESSFULLY LOADED ESAPI.properties via the CLASSPATH from '/ (root)' using current thread context class loader! Attempting to load validation.properties via file I/O. Attempting to load validation.properties as resource file via file I/O. Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\Users\user\ScanAgent\validation.properties Not found in SystemResource Directory/resourceDirectory: .esapi\validation.properties Not found in 'user.home' (C:\Users\user) directory: C:\Users\user\esapi\validation.properties Loading validation.properties via file I/O failed. Attempting to load validation.properties via the classpath. validation.properties could not be loaded by any means. fail. Exception was: java.lang.IllegalArgumentException: Failed to load ESAPI.properties as a classloader resource. OFF [main] SecurityProviderLoader.log(434) | [/ExampleApplication/SecurityProviderLoader] No Encryptor.PreferredJCEProvider specified. Input ThreadFix base URL (should end in /rest, leave empty to keep http://localhost:8080/threadfix/rest/latest):
Input the API Key
Input ThreadFix API key (leave empty to keep {apiKey})
Input the Working Directory. This is where the jar should be located and where the XML files will be saved to.
Input working directory (for file storage, leave empty to keep C:\Users\user\ScanAgent):
If performed successfully, the following message will display:Ended configuration. Congratulations! Run '-cs <ScannerName>' to config Scanner or '-r' to execute scan queue task from Threadfix server if you already set up Scanner
Run the command
java -jar scanagent.jar -cs burp
. Two pieces of information will need to be supplied.Input the file path for Burp Suite
C:\Users\user\ScanAgent>java -jar scanagent.jar -cs burp Start configuration for Burp Suite Pro Input full path for Burp Suite jar file (Ex: C:\Burp\burp.jar): C:\Program Files\BurpSuitePro\burpsuite_pro.jar
Input the Burp Suite version
Input Burp Suite Pro version: v2020.11.1
If performed successfully, the following message will display:Ended configuration for Burp Suite Pro. Congratulations! Run '-r' to execute scan queue task from Threadfix server.
Run the command
java -jar scanagent.jar -r
. This will start the Scan Agent. It will begin processing tasks that have been queued or wait until it receives its first task.C:\Users\user\ScanAgent>java -jar scanagent.jar -r Attempting to load ESAPI.properties via file I/O. Attempting to load ESAPI.properties as resource file via file I/O. Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\Users\user\ScanAgent\ESAPI.properties Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties Not found in 'user.home' (C:\Users\user) directory: C:\Users\user\esapi\ESAPI.properties Loading ESAPI.properties via file I/O failed. Exception was: java.io.FileNotFoundException Attempting to load ESAPI.properties via the classpath. SUCCESSFULLY LOADED ESAPI.properties via the CLASSPATH from '/ (root)' using current thread context class loader! Attempting to load validation.properties via file I/O. Attempting to load validation.properties as resource file via file I/O. Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\Users\user\ScanAgent\validation.properties Not found in SystemResource Directory/resourceDirectory: .esapi\validation.properties Not found in 'user.home' (C:\Users\user) directory: C:\Users\user\esapi\validation.properties Loading validation.properties via file I/O failed. Attempting to load validation.properties via the classpath. validation.properties could not be loaded by any means. fail. Exception was: java.lang.IllegalArgumentException: Failed to load ESAPI.properties as a classloader resource. OFF [main] SecurityProviderLoader.log(434) | [/ExampleApplication/SecurityProviderLoader] No Encryptor.PreferredJCEProvider specified. INFO [main] ScanAgentMain.runScanQueue(142) | Starting ThreadFix generic scan agent version 2.0.0-DEVELOPMENT-1 INFO [main] ConfigurationUtils.readAllScanners(95) | Start reading all scanner type INFO [main] ConfigurationUtils.readAllScanners(106) | Number of scanners available: 1 INFO [main] ScanAgentSlaver.run(67) | Scan agent configured INFO [main] ScanAgentSlaver.checkAndLogConfiguration(245) | GenericScanAgent configuration: INFO [main] ScanAgentSlaver.checkAndLogConfiguration(247) | OperatingSystem { name=Windows 10, version=10.0 } INFO [main] ScanAgentSlaver.checkAndLogConfiguration(257) | Scanners: INFO [main] ScanAgentSlaver.checkAndLogConfiguration(259) | [0]Scanner { name = Burp Suite Pro, version = v2020.11.1, home directory = C:\Program Files\BurpSuitePro\burpsuite_pro.jar } INFO [main] ScanAgentSlaver.run(71) | First thing first, request ScanAgent instance secure key. INFO [main] ScanAgentSlaver.run(78) | Got secure key from ThreadFix server. Continue to poll and run tasks. INFO [main] ScanAgentSlaver.pollAndRunTasks(92) | Configuration was OK, entering polling loop. INFO [main] ScanAgentSlaver.pollAndRunTasks(110) | Got first null task from requestTask(). Message: No task found. INFO [main] ScanAgentSlaver.pollAndRunTasks(112) | Switching to debug logging until something happens.
Add a new Scan Agent Task.
The Target URL will be the URL of the site the user wants to have Burp scan. The Scan Config file is the .burp project file saved from Burp Suite.
After this has completed, a burp_scan_result.xml file will be in the working directory. This will be the results that were automatically uploaded to ThreadFix after the Scan Agent completed its task.
Additional Resources
Table of Contents
- No labels