Gurp – Golang command-line interface to Burp Suite’s REST API

0
21
Gurp - Golang command-line interface to Burp Suite's REST API

Requirements

  • BurpSuite Professional v2.0.0beta or larger from PortSwigger

Dependencies

go get -u -v github.com/fatih/shade
go get -u -v github.com/integrii/flaggy
go get -u -v github.com/tidwall/gjson
go get -u -v github.com/grokify/html-strip-tags-go


Binaries
Latest model out there here.

Building

# macOS binary
make darwin

# Linux binary
make linux

# Windows binary
make home windows

# Build releases
make all

Usage

$ go run Gurp.go -h
Gurp - Interact with Burp API  Flags:
    -h --help  Displays assist with out there flag, subcommand, and positional worth parameters.
    -t --target  Burp Address. Default 127.0.0.1
    -p --port  Burp API Port. Default 1337
    -U --username  Username for an authenticated scan
    -P --password  Password for an authenticated scan
    -s --scan  URLs to scan
    -S --scan-id  Scanned URL identifier
    -M --metrics  Provides metrics for a given activity
    -D --description  Provides description for a given challenge
    -d --description-names  Returns vulnerability names from PortSwigger
    -I --issues  Provides points for a given activity
    -e --export  Export points json.
    -k --key  Api Key
    -v --version  Gurp model
go run Gurp.go -s "localhost.com/WebGoat/assault"
 [+] SUCCESS: Found Burp API endpoint on 127.0.0.1:1337.
 [i] INFO Setting up scanner...
 [+] SUCCESS: Scanning localhost.com/WebGoat/assault over 8.
go run Gurp.go -S 8 -M
 [+] SUCCESS: Found Burp API endpoint on 127.0.0.1:1337.
 [!] ALERT Retrieving Metrics from activity 8
          [i] INFO: Scan standing succeeded
          [i] INFO: 181 Requests made
          [i] INFO: 0 Requests queued
          [i] INFO: 6 Audit gadgets accomplished
          [i] INFO: 0 Audit gadgets ready
          [i] INFO: 20058 Audit requests made
          [i] INFO: 2 Audit community errors
          [i] INFO: 5 Issue occasions
go run Gurp.go -S 8 -I
 [+] SUCCESS: Found Burp API endpoint on 127.0.0.1:1337.
 [!] ALERT: Retrieving Issues from activity 8
         [i] INFO: Frameable response (potential Clickjacking)
         [*] HIGH: Cleartext submission of password
         [*] LOW: Password subject with autocomplete enabled
         [*] MEDIUM: Host header poisoning
         [i] INFO: Path-relative type sheet import
go run Gurp.go -S 8 -e /tmp
 [+] SUCCESS: Found Burp API endpoint on 127.0.0.1:1337.
 [!] ALERT: Retrieving Issues from activity 8
         [i] INFO: Frameable response (potential Clickjacking)
         [*] HIGH: Cleartext submission of password
         [*] LOW: Password subject with autocomplete enabled
         [*] MEDIUM: Host header poisoning
         [i] INFO: Path-relative type sheet import
 [!] ALERT: Exporting uncooked json to /tmp
  • Launch an authenticated scan with person/password
go run Gurp.go -s check.com -U admin -P 1234
 [+] SUCCESS: Found Burp API endpoint on 127.0.0.1:1337.
 [i] INFO Setting up scanner utilizing credentials admin:1234
 [+] SUCCESS: Scanning check.com over 13.
  • Connect to Burp utilizing API Key
go run Gurp.go -k "APIKEY" -d | grep -i SQL
         [2] SQL injection
         [3] SQL injection (second order)
         [35] Client-side SQL injection (DOM-primarily based)
         [36] Client-side SQL injection (mirrored DOM-primarily based)
         [37] Client-side SQL injection (saved DOM-primarily based)
         [68] SQL assertion in request parameter

MoreTip.com

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.