Integris Security Carbonator
Integris Security has open-sourced a security tool that was originally developed for internal use only. If you like it, have benefited from it, appreciate its value, or wish to support further development of this open source project, please consider donating.
Carbonator utilizes and requires Burp Suite Pro, a powerful and popular web application testing tool, and performs the following functions:
- Add the specified target to Burp's target scope, if needed.
- Spider the target.
- Actively scan the target.
- Generate a scan report in HTML format.
- Shut down Burp.
- Optionally email the reports to the specified addresses.
Carbonator's purpose is to make it possible to automate vulnerability scanning of a large number of web applications. A single command from the command line can now produce volumes of vulnerability information.
There are two different methods of installing Carbonator: 1) download it from GitHub and add the extension to Burp manually, or 2) install it through the BApp Store from inside the Burp user interface.
Here are some sample commands that you may consider executing when using Carbonator.
Loaded from within the BApp Store:
- `java -jar -Xmx2g path/to/burp.jar http localhost 80 /folder`
- `java -jar -Xmx2g -Djava.awt.headless=true path/to/burp.jar http localhost 80 /folder` (headless mode; the `-D` JVM option must come before the jar path, because everything after the jar path is passed to Burp as a program argument rather than to the JVM)
Instructions to manually load Carbonator:
- Ensure that you have a valid Burp Suite Pro license installed.
- You must initially load this file into the extension tab of Burp. Carbonator only runs if you are using the provided `launch_burp.sh` script.
- This will keep it permanently loaded in your Burp configuration.
- This has to be done for every new version of Burp you install locally.
- Note: you must provide the path to the Jython jar file. On CentOS 6.5, for example, it can be installed with `yum install jython-2.2.1-4.8`; the file will then be located at `/usr/share/java/jython.jar`.
Wrap `launch_burp.sh` in your own script to automate scanning and reporting for any number of sites. The following is an example of how to scan multiple hosts from the command line.
- Usage: `./launch_burp.sh scheme fqdn portnumber path email` (path and email are both optional parameters).
- Modify `launch_burp.sh` to point to the location and file name of your Burp jar.
- This will open Burp, run a scan against the supplied target, generate the report, close Burp and then optionally email the report.
- Ex: `cat scheme_fqdn_port.txt | xargs -L1 ./launch_burp.sh`
- `scheme_fqdn_port.txt` contains localhost examples showing how to set up a multi-host flat file (`xargs -L1` runs `launch_burp.sh` once per line, with that line's fields as its arguments).
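As an added example that is not part of Carbonator, the following POSIX shell wrapper reads the same kind of flat file and rejects malformed lines before calling `launch_burp.sh`, so a typo in the file cannot start an active scan against an unintended host or port. The function names `validate_target` and `scan_file`, the optional launcher argument and the sample file are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of Carbonator: validate each line of a
# scheme/fqdn/port flat file before handing it to launch_burp.sh, so a
# typo cannot start an active scan against an unintended host or port.

# validate_target SCHEME FQDN PORT [PATH] [EMAIL] -> 0 if well-formed
validate_target() {
    scheme=$1 fqdn=$2 port=$3 path=$4 email=$5
    case "$scheme" in http|https) ;; *) return 1 ;; esac
    # hostname: letters, digits, hyphens; no empty, leading or trailing label
    case "$fqdn" in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*|*.-*|*-.*) return 1 ;;
    esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    # optional path must be absolute; optional email needs exactly one '@'
    if [ -n "$path" ]; then
        case "$path" in /*) ;; *) return 1 ;; esac
    fi
    if [ -n "$email" ]; then
        case "$email" in *@*@*|@*|*@) return 1 ;; *@*) ;; *) return 1 ;; esac
    fi
    return 0
}

# scan_file FLATFILE [LAUNCHER]: run LAUNCHER (default ./launch_burp.sh)
# once per valid line, skipping blank lines and '#' comments and reporting
# rejected lines on stderr. Returns the number of rejected lines.
scan_file() {
    file=$1 launcher=${2:-./launch_burp.sh} rejected=0
    while IFS=' ' read -r scheme fqdn port path email || [ -n "$scheme" ]; do
        case "$scheme" in ''|'#'*) continue ;; esac
        if validate_target "$scheme" "$fqdn" "$port" "$path" "$email"; then
            # empty optional fields must vanish, so path/email stay unquoted
            "$launcher" "$scheme" "$fqdn" "$port" $path $email
        else
            printf 'skipping malformed target: %s %s %s\n' \
                "$scheme" "$fqdn" "$port" >&2
            rejected=$((rejected + 1))
        fi
    done < "$file"
    return "$rejected"
}

# usage: ./scan_targets.sh scheme_fqdn_port.txt [path/to/launch_burp.sh]
if [ "$#" -gt 0 ]; then
    scan_file "$@"
fi
```

The exit status of `scan_file` is the number of rejected lines, so a batch job can fail loudly when the target file is not clean instead of silently scanning a subset.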
Your finished scan reports will be located in the folder from which you initially executed the `java -jar` command.
We also offer a SaaS-based security tool kit. It is free and doesn't take long to sign up. For more information, visit our Security Tools page.
For more information you can contact us through our Contact Us page.