
No HTTPS traffic scanned

Open UbaidAhmed2803 opened this issue 2 years ago • 0 comments

I have configured the carbonator and I am running the following command

java -jar -Xmx2g -Djava.awt.headless=true /home/webscanner/BurpSuitePro/burpsuite_pro.jar https example.com 443 / --user-config-file=Config/userNew.json --project-file=Projects/test31.burp --unpause-spider-and-scanner

The scan runs without any issue; however, the results which I get seem to be incorrect. The following are the reasons for this assumption:

  1. When I open this project file in the UI, I notice that https://example.com is automatically added to "Exclude from Scope" under Target>Scope.
  2. Under Target>Sitemap only http://example.com is listed.

The following are the extensions added to userNew.json:

"extensions":[
                {
                    "errors":"console",
                    "extension_file":"/home/webscanner/.BurpSuite/bapps/3123d5b5f25c4128894d97ea1acc4976/activeScan++.py",
                    "extension_type":"python",
                    "loaded":true,
                    "name":"activeScan++",
                    "output":"console"
                },
                {
                    "errors":"console",
                    "extension_file":"/home/webscanner/.BurpSuite/bapps/9cff8c55432a45808432e26dbb2b41d8/build/libs/backslash-powered-scanner-all.jar",
                    "extension_type":"java",
                    "loaded":true,
                    "name":"Backlash Powered Scanner",
                    "output":"console"
                },
                {
                    "errors":"console",
                    "extension_file":"/home/webscanner/.BurpSuite/bapps/f078b9254eab40dc8c562177de3d3b2d/aws.py",
                    "extension_type":"python",
                    "loaded":true,
                    "name":"AWS Security Checks",
                    "output":"console"
                },
                {
                    "errors":"console",
                    "extension_file":"/home/webscanner/.BurpSuite/bapps/47027b96525d4353aea5844781894fb1/burp/target/attacksurfacedetector-release-1.13-jar-with-dependencies.jar",
                    "extension_type":"java",
                    "loaded":true,
                    "name":"Attack Surface Detector",
                    "output":"console"
                },
                {
                    "bapp_serial_version":7,
                    "bapp_uuid":"c9fb79369b56407792a7104e3c4352fb",
                    "errors":"console",
                    "extension_file":"bapps/c9fb79369b56407792a7104e3c4352fb/target/burp-vulners-scanner-1.2.jar",
                    "extension_type":"java",
                    "loaded":true,
                    "name":"Software Vulnerability Scanner",
                    "output":"console"
                },
                {
                    "errors":"console",
                    "extension_file":"/home/webscanner/burp_automation/carbonator//carbonator.py",
                    "extension_type":"python",
                    "loaded":true,
                    "name":"Carbonator",
                    "output":"console"
                }
            
            ]

I raised the same issue with PortSwigger and they suggested I raise an issue here: https://forum.portswigger.net/thread/carbonator-no-https-traffic-4ff0800c

Am I missing something? Why is https://example.com not scanned?

UbaidAhmed2803, Oct 21 '22 04:10