CONVENTIONS

Config file contains options for Burb, BScan and external BScan modules. All bscan properties start with 'bscan.' prefix. All modules properties have the following prefix:

bscan.<module_name>[.<module_instance_id>].

Module <module_instance_id> is optional and is needed when the same module is run several times with different parameters. bscan.modules property contains a list of all modules to run separated by ','

bscan.modules=<module_path>[:<module_instance_id>], ...

If <module_path> is realtive, the 'SEARCH PATH RULES' will be used

If static_request property is set to true, the modules will not be called from the Burp's spider, a static request should be provided in a config file instead, e.g.

bscan.injector.three.file=../config/injector.txt
bscan.injector.three.check_replay=true

injector.txt file should contain a valid request in the example above.

SEARCH PATH RULES

The following path will be used to search a config file or any relative path that configs refers to:

.:./lib:~/.bscan:/etc/bscan:<jruby_system_path_defined_by_$:>

see BscannerHelper#search_path for details

BScan Parameters

BScan SMTP Parameters

If specified an email will be sent. If 'include_report' is set to 'true', the detailed zipped report will be attached. You'll ned 'zip' gem to make attachments working.

Modules Included to the Package

injector.rb Module Parameters

many_threads.rb Module Parameters

slowloris.rb Module Parameters

It's important not to exceed the maximum file number on your client, otherwise it might not work. It's also important to set up a correct timeout (sleep_time) that should not be bigger than server's read or write timeout. The timeouts are different for different servers and attack types: for slow reads the timeout is usally bigger (100-200-.. secs), while for slow writes it worked well for 5 - 10 sec interval. I general, I found that slow writes are far more dangerous than slow reads and that's why I set the default for 'delay_on_write' to 'true'.

kill_apache.rb Module Parameters

Similar to slowloris a monitoring thread will be checking a response time and log an issue if a threshold is reached (see 'response_time_factor' for details)

jboss_vuln.rb Module Parameters

The module checks if web-console or jmx-console is present. It also checks if jmx-console authentication can be by-passed by injecting a 'hello' page through HTTP method 'HEAD'. To run the last one you need to set inject_page to 'true'.

Burp Parameters

To get a list of all Burp parameters, set log level (–loglevel to 2 or 3) and you'll see all of them in a log file.