The config file contains options for Burp, BScan and external BScan modules. All BScan properties start with the 'bscan.' prefix. All module properties have the following prefix:
bscan.<module_name>[.<module_instance_id>].
<module_instance_id> is optional; it is needed when the same module is run several times with different parameters. The bscan.modules property contains a list of all modules to run, separated by ',':
bscan.modules=<module_path>[:<module_instance_id>], ...
If <module_path> is relative, the 'SEARCH PATH RULES' are used to locate it.
If the static_request property is set to true, the module will not be fed from Burp's spider; a static request must be provided in the config file instead, e.g.
bscan.injector.three.file=../config/injector.txt
bscan.injector.three.check_replay=true
In the example above, injector.txt must contain a valid HTTP request ('three' is the instance id of the injector module).
The following search path is used to locate the config file and any relative path the config refers to:
.:./lib:~/.bscan:/etc/bscan:<jruby_system_path_defined_by_$:>
see BscannerHelper#search_path for details
bscan.modules - see 'CONVENTIONS' for details
bscan.inactivity_to=n - inactivity timeout in seconds; when nothing has happened for n seconds BScan exits and generates the report
bscan.run_proxy=<true|false> - run Burp's proxy and collect issues in passive mode. Default: false
bscan.report_url_prefix=<URL-prefix>|<path-to-report-file.xml> - write findings whose URL starts with <URL-prefix> to the given report file (sorts reports by URL)
bscan.report_def_name=<path-to-report-file.xml> - default report file (used when no report_url_prefix matches)
bscan.issues=<dir> - output directory for findings/issues, e.g. bscan.issues=issues
scan.modules_only=<true|false> - if true, only modules with static requests run (the spider is not started)
bscan.url=<URL> - URL to spider; multiple entries are OK. Has no effect if scan.modules_only=true
proxy.listener0=1.<port>.1.0..0.0.1.0..0..0..0. - this is Burp's own parameter, used to change the proxy's port number
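As an added example (not BScan's own code), the following Ruby reader implements the conventions above: the bscan.<module_name>[.<module_instance_id>]. prefix, the bscan.modules list, search-path resolution of relative paths, and report routing by report_url_prefix. The class and method names (BscanConfig, module_props, resolve, report_file_for), the sample config, and the assumption that <module_name> is the module file's basename without .rb are mine, not the project's.

```ruby
require 'tmpdir'

# Constructed sample config (mirrors the README's examples; not a real file).
SAMPLE_CONFIG = <<~CFG.freeze
  # modules to run; 'three' is an instance id for the injector module
  bscan.modules=modules/injector.rb:three, modules/many_threads.rb
  bscan.injector.three.file=../config/injector.txt
  bscan.injector.three.check_replay=true
  bscan.injector.three.static_request=true
  bscan.many_threads.threads=10
  bscan.url=http://target.example/app/
  bscan.url=http://target.example/admin/
  bscan.report_def_name=reports/default.xml
  bscan.report_url_prefix=http://target.example/admin|reports/admin.xml
  bscan.report_url_prefix=http://target.example/admin/users|reports/users.xml
CFG

class BscanConfig
  # Search path from the README; JRuby's $: is appended at lookup time.
  SEARCH_PATH = ['.', './lib', '~/.bscan', '/etc/bscan'].freeze

  # Parse "key=value" lines. '#' lines and blank lines are skipped.
  # Repeated keys (bscan.url, bscan.report_url_prefix) accumulate in order.
  def initialize(text)
    @props = {}
    text.each_line do |line|
      line = line.strip
      next if line.empty? || line.start_with?('#')
      key, value = line.split('=', 2)
      next if value.nil?
      (@props[key.strip] ||= []) << value.strip
    end
  end

  # Last value for a key (nil if absent); all values for repeatable keys.
  def [](key)
    vals = @props[key]
    vals && vals.last
  end

  def all(key)
    @props.fetch(key, [])
  end

  # bscan.modules=<module_path>[:<module_instance_id>], ...
  # -> [[path, instance_id_or_nil], ...]
  def modules
    raw = self['bscan.modules']
    return [] unless raw
    raw.split(',').map(&:strip).reject(&:empty?).map do |entry|
      path, id = entry.split(':', 2)
      [path, id]
    end
  end

  # Options for one module instance with the
  # bscan.<module_name>[.<module_instance_id>]. prefix stripped.
  # <module_name> is assumed to be the module file's basename without .rb.
  def module_props(path, instance_id = nil)
    name = File.basename(path, '.rb')
    prefix = instance_id ? "bscan.#{name}.#{instance_id}." : "bscan.#{name}."
    @props.each_with_object({}) do |(k, v), out|
      next unless k.start_with?(prefix)
      rest = k[prefix.length..-1]
      next if instance_id.nil? && rest.include?('.') # belongs to a named instance
      out[rest] = v.last
    end
  end

  # Resolve a relative path against the search path (first hit wins);
  # absolute paths are returned unchanged. load_path stands in for $:.
  def resolve(rel, search = SEARCH_PATH, load_path = $LOAD_PATH)
    return rel if rel.start_with?('/')
    (search + load_path).each do |dir|
      candidate = File.join(File.expand_path(dir), rel)
      return candidate if File.exist?(candidate)
    end
    nil
  end

  # bscan.report_url_prefix=<URL-prefix>|<path-to-report-file.xml>:
  # the longest matching prefix wins; otherwise bscan.report_def_name.
  def report_file_for(url)
    best = all('bscan.report_url_prefix')
           .map { |e| e.split('|', 2) }
           .select { |pfx, _| url.start_with?(pfx) }
           .max_by { |pfx, _| pfx.length }
    best ? best[1] : self['bscan.report_def_name']
  end
end

if __FILE__ == $0
  cfg = BscanConfig.new(SAMPLE_CONFIG)
  cfg.modules.each do |path, id|
    puts "#{path}#{id ? " (instance #{id})" : ''}: #{cfg.module_props(path, id).inspect}"
  end
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, 'injector.txt'), "GET / HTTP/1.1\r\n\r\n")
    puts "resolved: #{cfg.resolve('injector.txt', [dir], [])}"
  end
  puts "report for /admin/users/1: #{cfg.report_file_for('http://target.example/admin/users/1')}"
end
```

Note that without an instance id the reader deliberately ignores keys that carry one (bscan.injector.three.file is not an option of a plain bscan.injector run); if you run the same module both with and without an id, keep that rule in mind when reading the output.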
If the SMTP settings below are specified, an email will be sent. If 'include_report' is set to 'true', the detailed report is zipped and attached. You'll need the 'zip' gem for attachments to work.
bscan.smtp.server=<server> - SMTP server
bscan.smtp.port=n - SMTP port. Default: 25 for plain, 465 for SSL
bscan.smtp.ssl=<true|false> - use SSL. Default: false
bscan.smtp.to=<to_emails_comma_separated>
bscan.smtp.from=<from_email>
bscan.smtp.domain=<from_domain> - Default: from_email's domain
bscan.smtp.include_report=<true|false> - attach the report as a zip. Default: false
injector.rb - injects malicious patterns provided in a file (e.g. Google's fuzzdb) into URL or body parameters. It can also inject into positions marked by special separators (see the inject_instead_of param below)
many_threads.rb - runs a static request in multiple threads. Can repeat patterns multiple times to increase the impact on a server
kill_apache.rb - exploits the Apache HTTP 'Range' header denial-of-service vulnerability (CVE-2011-3192: many overlapping byte ranges in a single request exhaust server memory and CPU)
slowloris.rb - slow HTTP read and write (slowloris-style) denial of service
jboss_vulns.rb - checks for the presence of web-console and jmx-console and for CVE-2010-0738 (jmx-console authentication bypass)
bscan.injector.file=<path> - file with malicious patterns (e.g. Google's fuzzdb)
bscan.injector.inject_to_body=<true|false> - if true, injects into body params as well, otherwise into URL params only
bscan.injector.check_rsp_max_time=n - log an issue if the response time exceeds n sec
bscan.injector.check_status=<true|false> - log an issue if the status code is >= 500
bscan.injector.check_replay=<true|false> - log a (potential) XSS issue if the injected input is reflected in the response
bscan.injector.inject_instead_of=<sep>:<request>:<protocol> - replaces <sep>(.*)<sep> occurrences with the injections provided in 'file'
  <request> - a request file containing <sep>(.*)<sep> patterns
  <protocol> - either http or https
bscan.injector.static_request=<true|false> - if true, the module is not fed from the spider (use together with inject_instead_of)
bscan.many_threads.request=<request>:<protocol>:<rep-pat>
  <request> - a file with a request
  <protocol> - http or https
  <rep-pat> - <rep-pat>(.*)<rep-pat>N patterns in the request are replaced with (.*) repeated N times. Useful if you want to generate huge requests from small input files.
bscan.many_threads.threads=n - number of threads
bscan.many_threads.static_request=true - the module is never fed from the spider, so this should always be true
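The two template conventions above (the injector's <sep>(.*)<sep> markers and many_threads' <rep-pat>(.*)<rep-pat>N markers) and the injector's three response checks, as an added Ruby example that is not BScan's own code. The module names Injector/ManyThreads, the check tags, the constructed fuzz list and the marked request are assumptions; the pattern file is assumed to hold one pattern per line.

```ruby
# Constructed fuzz file content: one pattern per line (assumed format).
FUZZ_PATTERNS = "<script>alert(1)</script>\n' OR '1'='1\n../../etc/passwd\n".freeze

# Constructed request with two injection points marked by the separator '@@'.
MARKED_REQUEST = <<~REQ.freeze
  GET /search?q=@@default@@&page=@@1@@ HTTP/1.1
  Host: target.example

REQ

module Injector
  # inject_instead_of: every <sep>(.*)<sep> occurrence is replaced by the
  # payload, yielding one request per line of the pattern file. The
  # non-greedy (.*?) matters: a greedy (.*) would swallow everything
  # between the first and the last separator on a line.
  def self.expand(request, sep, patterns)
    re = /#{Regexp.escape(sep)}(.*?)#{Regexp.escape(sep)}/m
    patterns.each_line.map(&:chomp).reject(&:empty?).map do |payload|
      # block form: payloads containing backslashes or \1 are inserted literally
      request.gsub(re) { payload }
    end
  end

  # check_rsp_max_time / check_status / check_replay applied to one
  # response; returns the list of issue tags raised (empty if none).
  def self.check(elapsed:, status:, body:, payload:, max_time: nil)
    issues = []
    issues << :slow_response if max_time && elapsed > max_time
    issues << :server_error if status >= 500
    # reflected verbatim -> candidate XSS; a stricter check would also look
    # at the Content-Type and whether the reflection was HTML-encoded
    issues << :replayed_input if body.include?(payload)
    issues
  end
end

module ManyThreads
  # <rep-pat>(.*)<rep-pat>N -> the marked text repeated N times, e.g. with
  # rep-pat '%%', "a=%%X%%1000" becomes "a=" followed by 1000 X's.
  def self.expand(request, rep_pat)
    re = /#{Regexp.escape(rep_pat)}(.*?)#{Regexp.escape(rep_pat)}(\d+)/m
    request.gsub(re) { Regexp.last_match(1) * Regexp.last_match(2).to_i }
  end
end

if __FILE__ == $0
  Injector.expand(MARKED_REQUEST, '@@', FUZZ_PATTERNS).each { |r| puts r.lines.first }
  puts ManyThreads.expand("POST /upload HTTP/1.1\r\n\r\ndata=%%A%%16&x=1", '%%')
  p Injector.check(elapsed: 7.2, status: 500, body: "<b>' OR '1'='1</b>",
                   payload: "' OR '1'='1", max_time: 5)
end
```

Pick a separator and a rep-pat that cannot occur in the request itself (the example uses '@@' and '%%'); otherwise legitimate request bytes get treated as markers.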
It's important not to exceed the maximum number of open files (file descriptors, see 'ulimit -n') on your client, otherwise the attack might not work. It's also important to set a correct timeout (sleep_time) that is not bigger than the server's read or write timeout. The timeouts differ between servers and attack types: for slow reads the timeout is usually bigger (100-200-... secs), while for slow writes a 5-10 sec interval worked well. In general, I found that slow writes are far more dangerous than slow reads, and that's why I set the default for 'delay_on_write' to 'true'.
bscan.slowloris.hostport=<host>:<port> - no defaults, both must be provided
bscan.slowloris.protocol=<http|https> - default: http
bscan.slowloris.method=<GET|POST> - default: GET
bscan.slowloris.threads=n - number of threads. Default: 20 for reads, 500 for writes
bscan.slowloris.con_nbr_per_thread=n - number of connections per thread. Default: 50 for reads, 1 for writes
bscan.slowloris.pack_per_con=n - max number of data packets sent on each connection. Default: 5 for reads, 50 for writes
bscan.slowloris.response_time_factor=n - the normal response time is multiplied by this number to decide when to report an issue, e.g. if the normal response time is 2 sec and a response under attack takes longer than 2*n sec, it is logged as an issue. Default: 5
bscan.slowloris.sleep_time=n - for reads, the number of seconds to sleep after the beginning of a request has been sent; for writes, the delay before reading the message body. Default: 100 for reads, 5 for writes
bscan.slowloris.static_request=true - must always be set to 'true' for this module
bscan.slowloris.delay_on_write=<true|false> - if true, delay the server's writes ('writes' mode); if false, delay its reads ('reads' mode). Default: true
bscan.slowloris.health_check_int=n - health check interval in seconds. Default: 2
As with slowloris, a monitoring thread checks the response time and logs an issue when the threshold is reached (see 'response_time_factor' for details)
bscan.kill_apache.hostport=<host>:<port> - no defaults, both must be provided
bscan.kill_apache.protocol=<http|https> - default: http
bscan.kill_apache.threads=n - number of threads. Default: 500
bscan.kill_apache.req_per_thread=n - number of requests per thread. Default: 1
bscan.kill_apache.response_time_factor=n - the normal response time is multiplied by this number to decide when to report an issue, e.g. if the normal response time is 2 sec and a response under attack takes longer than 2*n sec, it is logged as an issue. Default: 10
bscan.kill_apache.read_timeout=n - client's read timeout in seconds. Default: 10
bscan.kill_apache.static_request=true - must always be set to 'true' for this module
bscan.kill_apache.range_nbr=n - number of elements in the 'Range' header. Default: 500
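For the slowloris and kill_apache sections above, an added Ruby example (not BScan's own code) that resolves the mode-dependent slowloris defaults, checks the planned connection count against the client's open-file limit (the "maximum number of open files" warning), validates sleep_time against a server timeout you supply, and implements the response_time_factor rule the two modules share. SlowlorisPlan, ResponseMonitor, check_fd_budget, the 64-descriptor headroom and the sample timings are my assumptions; the defaults are the ones listed above.

```ruby
# Defaults from the README, keyed by delay_on_write (true = 'writes' mode).
SLOWLORIS_DEFAULTS = {
  true  => { threads: 500, con_nbr_per_thread: 1,  pack_per_con: 50, sleep_time: 5 },
  false => { threads: 20,  con_nbr_per_thread: 50, pack_per_con: 5,  sleep_time: 100 }
}.freeze
KILL_APACHE_DEFAULTS = { threads: 500, req_per_thread: 1, response_time_factor: 10,
                         read_timeout: 10, range_nbr: 500 }.freeze

class SlowlorisPlan
  attr_reader :opts

  # raw: the module's options as strings from the config file (prefix
  # already stripped). Numeric-looking values are converted to integers.
  def initialize(raw)
    write = raw.fetch('delay_on_write', 'true') == 'true'
    @opts = SLOWLORIS_DEFAULTS[write].merge(
      delay_on_write: write, response_time_factor: 5, health_check_int: 2
    )
    raw.each do |k, v|
      next if k == 'delay_on_write'
      @opts[k.to_sym] = v =~ /\A\d+\z/ ? v.to_i : v
    end
  end

  def connections
    opts[:threads] * opts[:con_nbr_per_thread]
  end

  # Every connection costs a file descriptor. Compare with the soft
  # RLIMIT_NOFILE ('ulimit -n'), keeping headroom (assumed 64) for logs,
  # the monitor thread and Burp itself. Returns [ok?, message].
  def check_fd_budget(nofile = Process.getrlimit(:NOFILE).first, headroom = 64)
    need = connections + headroom
    if need <= nofile
      [true, "#{connections} connections fit under RLIMIT_NOFILE=#{nofile}"]
    else
      [false, "#{connections} connections + #{headroom} headroom exceed RLIMIT_NOFILE=#{nofile}; " \
              'lower threads/con_nbr_per_thread or raise ulimit -n']
    end
  end

  # sleep_time must stay below the server's read (reads mode) or write
  # (writes mode) timeout, otherwise the server drops the connection first.
  def sleep_time_ok?(server_timeout)
    opts[:sleep_time] < server_timeout
  end
end

# response_time_factor rule shared by slowloris and kill_apache: measure the
# normal response time before the attack, then flag every sample under
# attack that exceeds normal * factor.
class ResponseMonitor
  attr_reader :baseline, :factor, :issues

  def initialize(baseline_samples, factor)
    raise ArgumentError, 'need at least one baseline sample' if baseline_samples.empty?
    @baseline = baseline_samples.inject(:+) / baseline_samples.size.to_f
    @factor = factor
    @issues = []
  end

  def threshold
    baseline * factor
  end

  # Call once per health_check_int seconds with the probe's response time;
  # pass the read timeout when the probe timed out. Returns true if logged.
  def observe(seconds)
    return false unless seconds > threshold
    @issues << { response_time: seconds, threshold: threshold }
    true
  end
end

if __FILE__ == $0
  plan = SlowlorisPlan.new('hostport' => 'target.example:80', 'delay_on_write' => 'false')
  ok, msg = plan.check_fd_budget
  puts "#{ok ? 'OK' : 'WARN'}: #{msg}"
  mon = ResponseMonitor.new([1.8, 2.2], KILL_APACHE_DEFAULTS[:response_time_factor])
  [2.1, 25.0].each { |t| puts "#{t}s -> #{mon.observe(t) ? 'ISSUE' : 'fine'}" }
end
```

Run the fd check before starting a reads-mode run in particular: the defaults there (20 threads x 50 connections) already need 1000 descriptors, which is close to the common 1024 soft limit.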
The module checks whether web-console or jmx-console is present. It also checks whether jmx-console authentication can be bypassed by injecting a 'hello' page through the HTTP method 'HEAD' (CVE-2010-0738: the console's security constraint only covers GET and POST, so other methods reach the same handlers unauthenticated). To run the last check you need to set inject_page to 'true'.
bscan.jboss_vulns.hostport=<host>:<port>:<proto> - multiple entries for this param are OK
bscan.jboss_vulns.inject_page=<true|false> - set to true to try bypassing jmx-console auth; the module will try to inject a harmless HTML page at /hello/hello.jsp
To get a list of all Burp parameters, set the log level (--loglevel 2 or 3) and you'll see all of them in the log file.