Published in Bugs That Bite

Can’t [Easily] Automate Burp Pro Setup

Feature request for PortSwigger

In order to create a custom Amazon Machine Image (AMI) with Burp I currently fully automate the building of a Windows AMI and publish the latest AMI ID to a system parameter.

When it comes to Burp, unless I am missing something (and I have contacted support), I have to manually log into my account to get the latest version, manually download it, and copy it to the S3 bucket where I run my deployments; from there I can automate downloading it to my machine image.

Then to configure it, I have to manually fire it up and enter the license key. One of the problems is that you are limited to how many times you can use a license on different machines, at which point you have to contact support to get the license unlocked.

In other words, if I do 20 or 30 penetration tests a year, have a separate automated build-out for each customer, and want to start with a fresh, untarnished machine for each project, I’m going to have to contact support at some point and request that my license be unlocked. And if I’m not paying attention or don’t know the limit, I might hit it at a critical point when I’m rushing to get a penetration test going and be delayed until support gets back to me.

Ideally there should be a way to track how many uses you have left of a license in an automated way so you can contact support in advance.

More ideally, this whole process could be completely automated. I put my license key into an AWS SSM Parameter and use it to spin up new machines in a completely automated way ready to start pen testing without having to do any manual license steps. There could be an API call to get the next instance of your license and an API to request an additional batch of uses for a license. Or something like that…
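The half of this flow that can be automated today, as an added example that is not from the original post: during the Windows AMI build, pull the manually uploaded installer from S3, install it unattended, and fetch the license key from an encrypted SSM parameter so it never has to be baked into the image. The region, bucket, parameter names, install directory, and the install4j `-q`/`-dir` silent-install flags are assumptions for illustration and should be checked against your own environment and the installer you downloaded.

```powershell
# Added example, not code from the original post or from PortSwigger.
# Intended to run as an EC2 Image Builder component or instance user data
# on the Windows build instance. Names below are assumptions.
#Requires -Modules AWS.Tools.S3, AWS.Tools.SimpleSystemsManagement
$ErrorActionPreference = 'Stop'

$Region     = 'us-west-2'                 # assumption
$Bucket     = 'my-deployment-artifacts'   # assumption: the bucket the installer was copied to by hand
$InstallDir = 'C:\Tools\BurpSuitePro'     # assumption
$Installer  = Join-Path $env:TEMP 'burpsuite_pro_windows.exe'

# Assumption: a plain SSM parameter records the S3 key of the most recently
# uploaded installer, updated as part of the manual download-and-upload step,
# so the build always picks up the latest version without editing the script.
$InstallerKey = (Get-SSMParameter -Name '/pentest/burp/installer-s3-key' -Region $Region).Value

# 1. Download the installer from S3 (the automatable part of the post's flow).
Read-S3Object -BucketName $Bucket -Key $InstallerKey -File $Installer -Region $Region | Out-Null

# 2. Unattended install. Burp's installers are built with install4j; -q and -dir
#    are install4j's standard unattended flags (assumption: confirm with the
#    installer's own help output before relying on them in a build).
$proc = Start-Process -FilePath $Installer -ArgumentList @('-q', "-dir `"$InstallDir`"") -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "Burp installer exited with code $($proc.ExitCode)" }

# 3. Read the license key from a SecureString parameter. The build role needs
#    ssm:GetParameter on this parameter's ARN plus kms:Decrypt on the key that
#    encrypts it, and nothing broader. Keep the value out of logs and the AMI.
$License = (Get-SSMParameter -Name '/pentest/burp/license-key' -WithDecryption $true -Region $Region).Value

# 4. Activation is the step the post says still has to be done by hand: Burp
#    must be launched and the key entered interactively, and each activation
#    counts against the per-license machine limit. This script therefore stops
#    here rather than pretending to automate it.
Write-Host "Burp Suite Pro installed to $InstallDir; license key retrieved from SSM. Activate manually on first launch."
Remove-Variable License   # do not leave the key in the session
```

If the build runs under a role scoped to those two parameters and the one bucket prefix, a compromised build instance exposes the installer and the key for one project, not the credentials of the whole account, which is the point of keeping the key in SSM rather than in the image.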

I’ve already mentioned this to PortSwigger but I’m wondering if anyone else is facing this challenge. There may be a way to work around some of this but I haven’t had time yet — and I wish it were just easier.

Teri Radichel

Medium: Teri Radichel or Email List: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Requests services via LinkedIn: Teri Radichel or IANS Research

© 2nd Sight Lab 2022

____________________________________________

About this blog:

Want to learn more about Cybersecurity and Cloud Security? Check out: Cybersecurity for Executives in the Age of Cloud on Amazon

Need Cloud Security Training? 2nd Sight Lab Cloud Security Training

Is your cloud secure? Hire 2nd Sight Lab for a penetration test or security assessment.

Have a Cybersecurity or Cloud Security Question? Ask Teri Radichel by scheduling a call with IANS Research.

Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts

Teri Radichel: Cloud Security Training and Penetration Testing | GSE, GSEC, GCIH, GCIA, GCPM, GCCC, GREM, GPEN, GXPN | AWS Hero | Infragard | IANS Faculty | 2ndSightLab.com