As we reach the end of September 2024, ThreadFix version 3.x on-premises has officially reached its End-of-Life. There will be no further support or updates for this version of the product. We have fully transitioned our product and development teams to focus on ThreadFix SaaS and on migrating all customers over from the on-premises versions. Our Customer Success and Support teams are here to help you migrate to ThreadFix SaaS and maximize the value you see from this improved offering from Coalfire. This is the next phase of ThreadFix, and our team is looking forward to continuing to support you on this journey.


📙 You will learn

How to set up and run a Burp Scan Agent.

Prerequisites

Audience: IT Professional
Difficulty: Intermediate
Time needed: Approximately 10 minutes
Tools required: N/A

Running Burp Scan Agent

  1. Download the Scan Agent from the ThreadFix Download Tools page.

  2. Save the scanagent.jar file in the desired working directory.

  3. From the command line, navigate to the working directory and run the command java -jar scanagent.jar -s to begin setup. Three pieces of information must be supplied.

    1. Input the ThreadFix base URL.

      C:\Users\user\ScanAgent>java -jar scanagent.jar -s
      Starting configuration dialog.
      Attempting to load ESAPI.properties via file I/O.
      Attempting to load ESAPI.properties as resource file via file I/O.
      Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\Users\user\ScanAgent\ESAPI.properties
      Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties
      Not found in 'user.home' (C:\Users\user) directory: C:\Users\user\esapi\ESAPI.properties
      Loading ESAPI.properties via file I/O failed. Exception was: java.io.FileNotFoundException
      Attempting to load ESAPI.properties via the classpath.
      SUCCESSFULLY LOADED ESAPI.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
      Attempting to load validation.properties via file I/O.
      Attempting to load validation.properties as resource file via file I/O.
      Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\Users\user\ScanAgent\validation.properties
      Not found in SystemResource Directory/resourceDirectory: .esapi\validation.properties
      Not found in 'user.home' (C:\Users\user) directory: C:\Users\user\esapi\validation.properties
      Loading validation.properties via file I/O failed.
      Attempting to load validation.properties via the classpath.
      validation.properties could not be loaded by any means. fail. Exception was: java.lang.IllegalArgumentException: Failed to load ESAPI.properties as a classloader resource.
      OFF [main] SecurityProviderLoader.log(434) | [/ExampleApplication/SecurityProviderLoader] No Encryptor.PreferredJCEProvider specified.
      Input ThreadFix base URL (should end in /rest, leave empty to keep http://localhost:8080/threadfix/rest/latest):
    2. Input the API key.

      Input ThreadFix API key (leave empty to keep {apiKey})
    3. Input the working directory. This is where the jar should be located and where the XML result files will be saved.

      Input working directory (for file storage, leave empty to keep C:\Users\user\ScanAgent):


      If performed successfully, the following message will display:

      Ended configuration. Congratulations!
      Run '-cs <ScannerName>' to config Scanner or '-r' to execute scan queue task from Threadfix server if you already set up Scanner

  4. Run the command java -jar scanagent.jar -cs burp. Two pieces of information must be supplied.

    1. Input the file path of the Burp Suite jar.

      C:\Users\user\ScanAgent>java -jar scanagent.jar -cs burp
      Start configuration for Burp Suite Pro
      Input full path for Burp Suite jar file (Ex: C:\Burp\burp.jar): C:\Program Files\BurpSuitePro\burpsuite_pro.jar
    2. Input the Burp Suite version.

      Input Burp Suite Pro version: v2020.11.1


      If performed successfully, the following message will display:

      Ended configuration for Burp Suite Pro. Congratulations!
      Run '-r' to execute scan queue task from Threadfix server.

  5. Run the command java -jar scanagent.jar -r. This starts the Scan Agent, which begins processing any tasks already queued or waits until it receives its first task.

    C:\Users\user\ScanAgent>java -jar scanagent.jar -r
    Attempting to load ESAPI.properties via file I/O.
    Attempting to load ESAPI.properties as resource file via file I/O.
    Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\Users\user\ScanAgent\ESAPI.properties
    Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties
    Not found in 'user.home' (C:\Users\user) directory: C:\Users\user\esapi\ESAPI.properties
    Loading ESAPI.properties via file I/O failed. Exception was: java.io.FileNotFoundException
    Attempting to load ESAPI.properties via the classpath.
    SUCCESSFULLY LOADED ESAPI.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
    Attempting to load validation.properties via file I/O.
    Attempting to load validation.properties as resource file via file I/O.
    Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\Users\user\ScanAgent\validation.properties
    Not found in SystemResource Directory/resourceDirectory: .esapi\validation.properties
    Not found in 'user.home' (C:\Users\user) directory: C:\Users\user\esapi\validation.properties
    Loading validation.properties via file I/O failed.
    Attempting to load validation.properties via the classpath.
    validation.properties could not be loaded by any means. fail. Exception was: java.lang.IllegalArgumentException: Failed to load ESAPI.properties as a classloader resource.
    OFF [main] SecurityProviderLoader.log(434) | [/ExampleApplication/SecurityProviderLoader] No Encryptor.PreferredJCEProvider specified.
    INFO [main] ScanAgentMain.runScanQueue(142) | Starting ThreadFix generic scan agent version 2.0.0-DEVELOPMENT-1
    INFO [main] ConfigurationUtils.readAllScanners(95) | Start reading all scanner type
    INFO [main] ConfigurationUtils.readAllScanners(106) | Number of scanners available: 1
    INFO [main] ScanAgentSlaver.run(67) | Scan agent configured
    INFO [main] ScanAgentSlaver.checkAndLogConfiguration(245) | GenericScanAgent configuration:
    INFO [main] ScanAgentSlaver.checkAndLogConfiguration(247) | OperatingSystem { name=Windows 10, version=10.0 }
    INFO [main] ScanAgentSlaver.checkAndLogConfiguration(257) | Scanners:
    INFO [main] ScanAgentSlaver.checkAndLogConfiguration(259) | [0]Scanner { name = Burp Suite Pro, version = v2020.11.1, home directory = C:\Program Files\BurpSuitePro\burpsuite_pro.jar }
    INFO [main] ScanAgentSlaver.run(71) | First thing first, request ScanAgent instance secure key.
    INFO [main] ScanAgentSlaver.run(78) | Got secure key from ThreadFix server. Continue to poll and run tasks.
    INFO [main] ScanAgentSlaver.pollAndRunTasks(92) | Configuration was OK, entering polling loop.
    INFO [main] ScanAgentSlaver.pollAndRunTasks(110) | Got first null task from requestTask(). Message: No task found.
    INFO [main] ScanAgentSlaver.pollAndRunTasks(112) | Switching to debug logging until something happens.

  6. Add a new Scan Agent Task.

  7. The Target URL is the URL of the site you want Burp to scan. The Scan Config file is the .burp project file saved from Burp Suite.

  8. After the task completes, a burp_scan_result.xml file will be present in the working directory. These are the results that the Scan Agent automatically uploaded to ThreadFix once it finished the task.
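As an added example (not part of this page or of the ThreadFix Scan Agent itself), the following Python script summarises the burp_scan_result.xml left in the working directory by severity and host, so you can confirm what was uploaded to ThreadFix. It assumes the file uses Burp's standard XML issue-export layout (an <issues> root with <issue> children); the sample document embedded in it is constructed, not taken from a real scan.

```python
"""Summarise a Scan Agent burp_scan_result.xml by severity and host."""
import xml.etree.ElementTree as ET
from collections import Counter
from pathlib import Path

# Constructed sample in Burp's XML issue-export layout (assumed format of
# burp_scan_result.xml); values are made up, not from a real scan.
SAMPLE_XML = """<?xml version="1.0"?>
<issues burpVersion="2020.11.1">
  <issue><type>5243392</type><name>Cross-site scripting (reflected)</name>
    <host ip="10.0.0.5">https://app.example.test</host><path>/search</path>
    <severity>High</severity></issue>
  <issue><type>16777472</type><name>Strict transport security not enforced</name>
    <host ip="10.0.0.5">https://app.example.test</host><path>/</path>
    <severity>Low</severity></issue>
  <issue><type>5243392</type><name>Cross-site scripting (reflected)</name>
    <host ip="10.0.0.5">https://app.example.test</host><path>/search</path>
    <severity>High</severity></issue>
</issues>"""

def summarise_issues(xml_text: str) -> dict:
    """Count issues per severity and host; de-duplicate repeats of one issue type at one URL."""
    root = ET.fromstring(xml_text)
    if root.tag != "issues":
        raise ValueError(f"unexpected root element <{root.tag}>, not a Burp issue export")
    by_severity, by_host, seen = Counter(), Counter(), set()
    for issue in root.iter("issue"):
        sev = (issue.findtext("severity") or "Information").strip()
        host = (issue.findtext("host") or "").strip()
        by_severity[sev] += 1
        by_host[host] += 1
        seen.add((issue.findtext("type"), host, issue.findtext("path")))
    return {"by_severity": dict(by_severity), "by_host": dict(by_host),
            "total": sum(by_severity.values()), "unique_findings": len(seen)}

def summarise_result_file(working_dir: str) -> dict:
    """Load burp_scan_result.xml from the Scan Agent working directory (step 3.3)."""
    path = Path(working_dir) / "burp_scan_result.xml"
    if not path.is_file():
        raise FileNotFoundError(f"{path} not found; did the Scan Agent finish its task?")
    return summarise_issues(path.read_text(encoding="utf-8"))

if __name__ == "__main__":
    summary = summarise_issues(SAMPLE_XML)
    for sev in ("High", "Medium", "Low", "Information"):
        print(f"{sev:12}{summary['by_severity'].get(sev, 0):4}")
    print("unique findings:", summary["unique_findings"], "of", summary["total"])
```

Run it against a real result with summarise_result_file(r"C:\Users\user\ScanAgent") after the agent has processed a task.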
